About the Project

What Inspired Us

During team projects and hackathons, we constantly faced the same frustrating problem: sharing environment variables. Whether it was database credentials, API keys, or configuration secrets, we'd resort to sending .env files through Slack, email, or even copying them manually. This led to:

Security risks: Secrets accidentally committed to Git
Inconsistencies: Different team members using outdated or incorrect values
Friction: New developers couldn't start working until someone manually shared files
Version control nightmares: .env files scattered across repositories

We realized that every team faces this problem, yet most solutions are either too complex (enterprise secret managers) or too simple (just share files). We wanted to build something in between—a solution that's secure enough for real projects but simple enough to set up in minutes.

What We Learned

Building Secret Env Manager was an incredible learning journey:

Backend Development

FastAPI: Built our first production-ready REST API, learning about async endpoints, dependency injection, and automatic API documentation
Authentication: Implemented token-based sessions with expiration, understanding the security implications of stateless vs stateful authentication
API Design: Created intuitive REST endpoints that follow best practices for resource management

CLI Development

Click Framework: Built a user-friendly command-line interface with proper argument parsing and help text
Subprocess Management: Learned how to securely inject environment variables into child processes without exposing them in process lists
User Experience: Designed a CLI that feels natural—developers can use it without reading extensive documentation

Security & Architecture

Zero-trust principles: Ensured secrets never touch developer machines, only fetched at runtime
Access control: Implemented project-based permissions so team leaders can manage who sees what
Storage design: Used JSON file storage for rapid prototyping, but architected it to be easily replaceable with a database

Full-Stack Integration

Client-server communication: Learned how to design APIs that work seamlessly with CLI tools
Error handling: Built robust error messages that guide users when something goes wrong
Developer workflow: Understood how to integrate with existing development processes without breaking them

How We Built It

We took a full-stack approach, building both the server and CLI from scratch:

Phase 1: Server Foundation

We started with a FastAPI server that could:

Register and authenticate users
Store projects and manage team membership
Accept environment file uploads
Serve environment variables securely

We chose JSON file storage for simplicity during the hackathon, but designed the code to be easily migrated to a database later.

Phase 2: CLI Tool

Next, we built a CLI using Click that:

Authenticates users with email
Lists projects they have access to
Fetches secrets at runtime
Injects them into any command execution

The key innovation was runtime injection—secrets are fetched fresh from the server every time a command runs, never stored locally.

Phase 3: Integration & Polish

Finally, we:

Added comprehensive error handling
Created demo scripts and documentation
Tested the complete workflow end-to-end
Ensured the developer experience was smooth

Challenges We Faced

Challenge 1: Runtime Environment Variable Injection

Problem: How do we inject secrets into a process without storing them locally or exposing them in command history?

Solution: We use Python's subprocess with environment variable dictionaries. The CLI fetches secrets from the server, creates an environment dict, and passes it directly to the subprocess—never writing to disk or showing in terminal history.

Challenge 2: Authentication Without Passwords

Problem: We wanted simple email-based auth for a hackathon prototype, but still needed security.

Solution: We implemented token-based sessions with 24-hour expiration. Users register with email, and the server generates secure tokens. The CLI stores tokens in a secure config file with restricted permissions (600).

Challenge 3: Making It Work With Any Language

Problem: Different developers use Python, Node.js, Java, etc. How do we make secrets available to all of them?

Solution: Environment variables are universal! By injecting them at the OS level via subprocess, any language can access them through standard environment variable APIs (os.getenv(), process.env, etc.).

Challenge 4: User Experience

Problem: We wanted it to be simple enough that developers could use it without training.

Solution: We designed the CLI with intuitive commands like secret-cli run PROJECT_ID -- npm start. The -- separator makes it clear where the command starts, and the workflow mirrors how developers already work.

Challenge 5: Security vs. Simplicity

Problem: Balancing security best practices with hackathon time constraints.

Solution: We implemented core security features (token auth, access control, no local storage) while keeping the architecture simple. We documented future enhancements (encryption, audit logs, web UI) to show we understand production requirements.