redenv/Docs

Overview

A lightweight, zero-knowledge JavaScript client for Redenv.

Edit this page

The @redenv/client is a powerful JavaScript/TypeScript SDK for securely fetching and managing secrets from Redenv in any server-side application.

Key Features#

Zero-Knowledge

All cryptographic operations happen locally. Your secrets are never exposed—not even to Redenv's backend.

High-Performance Caching

Built-in stale-while-revalidate cache serves secrets instantly with automatic background refresh.

Smart Secrets

Type-safe access with casting, validation, scoping, and automatic reference expansion.

Universal Runtime

Works in Node.js, Deno, Bun, and edge environments like Vercel and Cloudflare.

What You Can Do#

import { Redenv } from "@redenv/client";

const redenv = new Redenv({
  project: "my-app",
  tokenId: process.env.REDENV_TOKEN_ID!,
  token: process.env.REDENV_TOKEN_KEY!,
  upstash: {
    url: process.env.UPSTASH_REDIS_URL!,
    token: process.env.UPSTASH_REDIS_TOKEN!,
  },
});

// Load and cache secrets
const secrets = await redenv.load();

// Direct access (auto-populates process.env)
console.log(process.env.API_KEY);

// Smart type casting
const port = secrets.get("PORT", 3000).toInt();
const debug = secrets.get("DEBUG").toBool();

// Fail-fast validation
secrets.require("DATABASE_URL", "STRIPE_KEY");

// Scoped configuration
const awsConfig = secrets.scope("AWS_");

// Time travel
const previousValue = await redenv.getVersion("API_KEY", 1, "index");

// Dynamic updates
await redenv.set("FEATURE_FLAG", "enabled");

How It Works#

Secret Loading Lifecycle

Security Model#

The SDK implements a zero-knowledge architecture:

  1. Service Token authenticates your application
  2. Encrypted PEK is fetched from Redis and decrypted locally
  3. Secrets are decrypted client-side using the PEK
  4. Redis never sees unencrypted data

Info

Your Master Password is never sent to any server. Only the CLI knows it. Applications use Service Tokens, which are derived keys that can decrypt the Project Encryption Key (PEK).

Runtime Compatibility#

RuntimeStatus
Node.js 18+ Fully supported
Deno Fully supported
Bun Fully supported
Vercel Edge Fully supported
Cloudflare Workers Fully supported
Browser Not supported