Desktop-First .env and Secrets Management for Developers | Ghostable

 Stop passing around .env files.

 Desktop-First .env and Secrets Management for Developers
==========================================================

 Most secrets tools are built for storage and pipelines. Ghostable is built for the daily work of managing environments: reviewing variables, fixing bad config, validating changes, checking history, and shipping the right environment. Use the desktop app for day-to-day work. Use the CLI when the job belongs in CI, scripts, or deploy hooks.

 [ Download Desktop for macOS ](https://ghostable.dev/desktop/download) [ Sign up ](https://ghostable.dev/register)

 Variables

 Activity

 Validation

 Deploy Tokens

 Settings

   Ghostable › Apollo › production

   Search by key

 Table Grouped

 Key Value Version Updated

 APP\_DEBUG true 1 1 min ago

 APP\_ENV local 1 1 min ago

 APP\_FAKER\_LOCALE en\_US 1 1 min ago

 APP\_FALLBACK\_LOCALE en 1 1 min ago

 APP\_KEY •••••• 1 1 min ago

 APP\_LOCALE en 1 1 min ago

 APP\_MAINTENANCE\_DRIVER file 1 1 min ago

 APP\_NAME Ghostable 1 1 min ago

 APP\_URL https://ghostable.dev 1 1 min ago

 AWS\_ACCESS\_KEY\_ID •••••• 1 1 min ago

 AWS\_BUCKET app-assets 1 1 min ago

 AWS\_DEFAULT\_REGION us-east-1 1 1 min ago

 AWS\_SECRET\_ACCESS\_KEY •••••• 1 1 min ago

 AWS\_USE\_PATH\_STYLE\_ENDPOINT false 1 1 min ago

 BCRYPT\_ROUNDS 12 1 1 min ago

 BROADCAST\_CONNECTION log 1 1 min ago

 CACHE\_STORE database 1 1 min ago

 DB\_CONNECTION sqlite 1 1 min ago

 FILESYSTEM\_DISK local 1 1 min ago

 GHOSTABLE\_API https://ghostable.test/api/v2 1 1 min ago

 GHOSTABLE\_KEYCHAIN\_PROFILE •••••• 1 1 min ago

 LOG\_CHANNEL stack 1 1 min ago

 LOG\_DEPRECATIONS\_CHANNEL null 1 1 min ago

 LOG\_LEVEL debug 1 1 min ago

 LOG\_STACK single 1 1 min ago

 Info Validation History

Variable

Review and edit the selected environment variable.

 Key    APP\_ENV

Value

 local

Current value stored for this environment variable.

Suggested Values

Common values for this variable.

local

staging

production

testing

Details

 Version 1

 Updated Mar 19, 2026 at 4:01 PM

 Updated By will@ghostable.dev

 Status Active

  Insight

Framework guidance for this variable and recent validation context stays attached to the active environment value.

   Most secrets tools solve storage. The daily work is still a mess.
-------------------------------------------------------------------

 The painful part is not where secrets live. It is everything around them: figuring out what changed, keeping staging from drifting, validating config before deploys, and not turning every env edit into a terminal ritual. Ghostable is built for that reality. A CI dashboard is great for delivery. A terminal is great for automation. Day-to-day environment management deserves its own workspace.

 Can someone share the Google Maps API key? Gotta debug this map thing locally real quick.

 Just hardcoding the Twilio key in the code for 5 mins to test SMS. I'll revert before commit.

 Which deploy actually picked up the new SENTRY\_DSN? The errors are still grouped under the old project.

 Did anyone update QUEUE\_CONNECTION? Jobs are stuck on sync again after the deploy.

 ![Overwhelmed developer illustration](https://ghostable.dev/images/illustrations/walter-head-explode.png) ![](https://ghostable.dev/images/illustrations/walter-eyes.png)

  When was the last time we rotated the Stripe key? Seeing a bunch of 401s in prod logs all of a sudden.

 Production needs the mail token rotated before tonight. Who actually has access to do that?

   What gets easier with Ghostable
---------------------------------

 ###  Find the variable. Fix the variable. Move on.

 Browse organizations, projects, and environments in one place. Search by key, switch between table and grouped views, inspect metadata, and import or export .env files without hunting through dashboards, repos, and old messages.

 Key    STRIPE\_SECRET\_KEY

Value

 sk_live_demo_7b9x2k4qf3m8n1p

 Current value stored for this environment variable.

 Details

 Version 7

 Updated Feb 23, 2026

 Updated By will@ghostable.dev

 Status Active

  ###  Catch bad config before it becomes a staging-only mystery.

 Run validation against the same Ghostable schema files your project already uses. Define global rules, add environment-specific overrides, and catch missing keys, broken values, and bad assumptions before they reach a deploy.

APP_DEBUG

2 rules

 Remove Key

boolean

−

+

in:false

−

+

QUEUE_CONNECTION

1 rule

 Remove Key

in:sync,database,redis

−

+

  ###  Know what changed before you start guessing.

 Review organization, project, and environment activity. Open a variable, inspect its history, and restore an older value when something looks off instead of turning config management into archaeology.

 Version 2 Current

By will@ghostable.dev

 Updated | Mar 18, 2026 at 4:22 PM

  Restore

    sk\_live\_mock\_4f9x2m8q7p1v6k3d

Version 1

By james@ghostable.dev

 Created | Feb 23, 2026 at 10:51 AM

  Restore

    ••••••••

  ###  Keep automation in its lane.

 Issue deploy tokens from the desktop app when CI needs access. Use the CLI when the work belongs in scripts, pipelines, or non-macOS workflows. Humans get a UI. Automation gets credentials and commands.

Token Details

 Token ID tok\_01jq8t2qv3x9m4z7c6

Secrets

Deploy Seed

 Copy

 MmJNeE9pQ2hMek5qWTR5VmxCSGRqQnRNVEE9

Environment Variables

 Copy All

DEPLOY_TOKEN=tok_01jq8t2qv3x9m4z7c6

DEPLOY_TARGET=production-web

DEPLOY_SEED=MmJNeE9pQ2hMek5qWTR5VmxCSGRqQn...

   Zero-knowledge, without the theater.
--------------------------------------

 Ghostable encrypts environment data on trusted clients before it is stored. Linked devices handle human access. Deploy tokens handle automation. Plaintext values and private keys stay with the client that actually needs them.

####  Trusted Client (Human Access)

 Plaintext values and private keys stay on the trusted client. This is where humans review and manage environment data.

 Key    DB\_PASSWORD

Value

 q7M2x9Lp4Rk8Vn3D|

####  Encrypted Sync / Storage

 Data is encrypted at the edge before it is stored or synced. Ghostable only sees encrypted data, not plaintext values.

 v14

 REDIS_URL

 XChaCha20-Poly1305

 5bcf17aa42d0f98e61c3b27d11f43e7a8c2b741ec8139f42e0aa71d54b2d88ca06e31fb714ab69cd0e5a74c9f6ab31e4f80a2f5a47bc19d27cbfe12a2a7f05bc91d43c7a6e52bb1caa7fd403f6a12b8e0d4f7a86cc31a4ef1bd9c25a56b3ff12

 v27

 STRIPE_SECRET_KEY

 XChaCha20-Poly1305

 c8139f42e0aa71d54b2d88ca06e31fb714ab69cd5bcf17aa42d0f98e61c3b27d7f4a90c2b1d64e18c8aa5d72f9231ab4dfe11847c75f61a29f6cb820d0f14a2f3ae1bc77d94f8a23c0bd116f2e8c491ab77fd0034c512fa89e16bb7f52cda1e4

 v19

 DATABASE_PASSWORD

 XChaCha20-Poly1305

 7f4a90c2b1d64e18c8aa5d72f9231ab4dfe11847c75f61a29f6cb820d0f14a2f0e5a74c9f6ab31e4f80a2f5a47bc19d2b1fa84ce9d13a7617cbfe12a2a7f05bcd91e5f43cafe8b7236cb3d49a8ff2c7e14ab69cd5bcf17aa42d0f98e61c3b27d

####  Scoped Automation Access

 Automation uses scoped deploy tokens and limited machine access instead of broad human-style access.

    Ghostable CLI  Scoped token session

 $ ghostable env validate --env production

✅ Environment file passed validation.

 $ ghostable env deploy

✔ Bundle fetched.

✅ Wrote 24 keys → /Users/developer/Projects/app/.env

Ghostable 👻 deployed (local).

 $ |

   Frequently asked questions
----------------------------

    Why not just keep environment variables in my CI/CD platform?      Because deployment platforms are good at last-mile delivery, not day-to-day environment management. Ghostable gives your team a place to review, validate, edit, and track config before it gets handed off to automation.

    Do I need the CLI?      No. Use the desktop app for daily work. Use the CLI for scripting, CI, deploy hooks, and non-macOS workflows.

    Does Ghostable work with my stack?      Yes. Ghostable fits environment-driven workflows across Laravel, Node, Python, Ruby, Go, and similar stacks.

    Can I bring my existing .env files?      Yes. Ghostable supports importing a local .env file and exporting an environment back to a local file.

    Can I validate config before deploy?      Yes. Ghostable uses shared `.ghostable` schema files so the same rules can be used across desktop workflows and CLI-based automation.

    How does Ghostable stay zero-knowledge?      Environment data is encrypted before it leaves a trusted client. Human access is tied to linked devices, and automation uses scoped deploy tokens.

 ![Ghostable Desktop icon](https://ghostable.dev/images/desktop/icon.png) Stop babysitting .env files
-----------------------------

 Download Ghostable Desktop for macOS and manage environment configuration where it actually happens: in the hands-on work of reviewing, editing, validating, and tracking changes. Create an account, bring in your environments, and keep CI and the terminal for automation, not for day-to-day env management.

 [ Download Desktop for macOS ](https://ghostable.dev/desktop/download) [ Sign up ](https://ghostable.dev/register)