redenv/Docs

Service Tokens

Learn how to create and manage Service Tokens for secure application access to Redenv secrets.

Edit this page

Your Master Password is for you. Service Tokens are for your applications. They let apps decrypt secrets without ever seeing your password — and you can revoke them instantly if something goes wrong.

Info

How it works — Each Service Token contains its own encrypted copy of the Project Encryption Key (PEK). The token can decrypt secrets, but only for the project it was created for. See Encryption & Security for the full cryptographic details.

Anatomy of a Service Token#

A Service Token has two parts:

PartExamplePurpose
Token IDstk_uW0...Public identifier — safe to log, store in configs
Secret Keyredenv_sk_CrK...Decrypts the PEK — treat like a password

The Token ID identifies which encrypted PEK to fetch from Redis. The Secret Key derives a Token Key via PBKDF2, which decrypts the PEK, which decrypts your secrets.

Creating Tokens#

redenv token create -n my-app-production

Output:

Project Name:      redenv
Public Token ID:   stk_uW0...
Secret Token Key:  redenv_sk_CrK...

Error

The Secret Key is shown only once. Copy it immediately to your password manager or deployment environment. It cannot be recovered — if lost, create a new token and revoke the old one.

Listing Tokens#

redenv token list
NameDescriptionToken IDCreated At
testno thanksstk_yYt2HXRprwYgpvwv1/16/2026, 10:21:37 AM
appidkstk_g38OHzGnUOoiARfh1/16/2026, 5:02:41 PM

Only Token IDs are shown — Secret Keys are never stored and cannot be retrieved.

Revoking Tokens#

redenv token revoke tok_abc123

After revocation:

  • The token can no longer decrypt secrets
  • Applications using it will fail immediately
  • The token is removed from the project metadata

Info

Revocation is immediate and irreversible. Make sure you've updated all applications using the token before revoking.

Using Tokens in Applications#

Set these environment variables in your deployment platform:

.env.local
REDENV_TOKEN_ID=stk_uW0...
REDENV_TOKEN_KEY=redenv_sk_CrK...
UPSTASH_REDIS_URL=https://...
UPSTASH_REDIS_TOKEN=...

Then initialize the SDK:

lib/redenv.ts
import { Redenv } from "@redenv/client";

const redenv = new Redenv({
  project: "my-app",
  environment: "production",
  tokenId: process.env.REDENV_TOKEN_ID!,
  token: process.env.REDENV_TOKEN_KEY!,
  upstash: {
    url: process.env.UPSTASH_REDIS_URL!,
    token: process.env.UPSTASH_REDIS_TOKEN!,
  },
});

// Load and decrypt all secrets
const secrets = await redenv.load();
console.log(secrets.API_KEY);
lib/redenv.py
import os
from redenv import Redenv

client = Redenv({
    "project": "my-app",
    "environment": "production",
    "token_id": os.getenv("REDENV_TOKEN_ID"),
    "token": os.getenv("REDENV_TOKEN_KEY"),
    "upstash": {
        "url": os.getenv("UPSTASH_REDIS_URL"),
        "token": os.getenv("UPSTASH_REDIS_TOKEN")
    }
})

# Load and decrypt all secrets
secrets = await client.load()
print(secrets["API_KEY"])

Where to Store Tokens#

PlatformWhere to put token credentials
Local dev.env.local (gitignored)
GitHub ActionsRepository Secrets
VercelEnvironment Variables
Docker--env-file or secrets manager
AWSParameter Store or Secrets Manager (for the token, not the secrets themselves)

Info

Yes, you're storing Redenv tokens in another secrets system — but those systems only hold the token, not your actual secrets. Even if the token store is breached, the attacker still needs Upstash credentials to reach the encrypted data.

Why Tokens Matter#

  • No Master Password exposure — applications never see your password
  • Instantly revocable — disable access without changing any secrets
  • Auditable — see which tokens exist and when they were created
  • Scoped per project — a token for Project A cannot access Project B

Token Limits#

LimitValue
Max tokens per projectUnlimited
Token revocation speedInstant
Token key length256 characters (fixed)

Best Practices#

  1. One token per environment — separate tokens for dev, staging, and prod
  2. Rotate quarterly — create a new token, update deployments, revoke the old one
  3. Revoke immediately on leak — even if you're unsure, revoke first and ask questions later
  4. Name tokens descriptivelyprod-api-server is better than token-1
  5. Never commit tokens — use .gitignore and platform-level secrets