Define your agent’s environment once. Run it anywhere.

Envo packages secrets, agent skills, and runtime config into a portable encrypted pack. One command on any machine gets a working agent: secrets decrypted, skills on disk, doctor-verified.

$ curl -fsSL https://envo.sh/install | sh

Works with

Claude Code
Codex
Hermes
OpenCode
… or plain shell

Stop babysitting setup.

Coding agents are only useful after secrets are present, skills are installed, and the runtime is configured. Envo makes that one command, not the first hour.

With Envo

One encrypted pack

Push secrets, skills, and runtime config once. On any machine, envo up pulls the pack, decrypts it locally, runs doctor, and launches the agent.

Fresh machine
envo up myproject/prod
Secrets decrypted
Skills on disk
Doctor verified
Agent running

Without Envo

A pile of setup steps

Copy keys, patch config files, remember which tool needs which token, and hope the next machine matches the last one.

Your laptop
Manual .env
Copy tokens
Edit configs
Debug auth
Repeat later

The product starts where agents actually fail: the machine they wake up on.

From fresh box
to ready agent.

Set secrets, add skills, and push once from your machine. Then on any laptop, container, or CI box, one envo up pulls the pack, decrypts it locally, runs doctor, and launches your agent with the environment injected.

See the quickstart
envo up myproject/prod --run "claude"
Pulled pack myproject/prod (v12)
Decrypted 12 secrets locally (AES-256-GCM)
Installed skills: my-skill, deploy-helper
Runtime config written for claude-code
doctor — all checks passed
claude started with env injected
env: myproject/prod · pack: v12 · key: never leaves this machine

1

command from fresh box to running agent

0

plaintext secrets ever seen by the server

256

bit AES-GCM encryption, client-side

What Envo packs.

The parts that usually make agents stall before they start.

Encrypt

Secrets are encrypted with AES-256-GCM before they leave your machine. The registry only ever stores opaque ciphertext; keys stay with you.

How encryption works

Sync

Push the pack once, pull it anywhere. Secrets, skills, and runtime config move together, with version history.

See the golden path

Run

One envo up on any machine, container, or CI box pulls, decrypts, verifies, and launches your agent with the env injected.

Run an agent

Scope

Agent tokens are pull-only, per-environment, expiring, and revocable. Made for headless agents; no browser auth dance.

Review tokens

Start clean. Run safer. Repeat anywhere.

Envo turns setup into a command your team can run, review, and repeat.

Give agents a machine that is already ready.

Secrets, agent skills, and runtime config travel together in one encrypted pack. Push from your machine, pull anywhere, with version history.

set · add · push
$ envo secrets set OPENAI_API_KEY
$ envo skills add ./my-skill
$ envo push
✓ pack v3 pushed (encrypted)

Same setup.
Any target.

Machines give agents somewhere to run. Envo gives that place the secrets, skills, and checks required to do useful work.

Run targetReady
envo upenv: myproject/prod

Laptop

local shell

CI runner

ENVO_TOKEN

Sandbox

edge endpoint

$ ENVO_TOKEN=... envo up myproject/prod --run "codex"

✓ pulled pack v12, decrypted locally

✓ 12 secrets · 2 skills · doctor passed

✓ codex started with env injected

Pricing

Free on your own machines. Pay when you want the pack everywhere.

Free

$0

Local-only CLI. Everything you need on your own machines.

  • Encrypted packs
  • Pack and pull on your own machines
  • envo doctor
Install the CLI

Solo

$10/mo

Hosted encrypted sync. Push from one machine, pull from anywhere.

  • Hosted encrypted sync (push and pull from anywhere)
  • Unlimited projects and environments
  • Pack version history
  • Agent tokens
Start free

Sandbox credits

$5+ prepaid

Deploy environments as hosted sandbox endpoints, pay as you go.

  • Prepaid top-ups: $5, $20, $50
  • $1 per sandbox deploy
  • No floating usage — draws only from your prepaid balance
Top up credits
“The boring part of running agents is wiring up the machine first. Envo turns that into one command instead of a setup scavenger hunt.”

Why we built Envo

Get started

Ship your first encrypted pack.

Install the CLI, set a secret, add a skill, push. Any machine with a token can run your agent from there.

curl -fsSL https://envo.sh/install | shStart free

Start here

Try the CLI on one machine.

Set a secret, add a skill, push. Then run envo up anywhere and see exactly what your agent has before it starts.

Start freecurl -fsSL https://envo.sh/install | sh