redenv/Docs

Overview

A lightweight, zero-knowledge Python client for Redenv.

Edit this page

The redenv Python SDK is a powerful client for securely fetching and managing secrets from Redenv in any Python application.

Key Features#

Zero-Knowledge

All cryptographic operations happen locally. Your secrets are never exposed—not even to Redenv's backend.

High-Performance Caching

Built-in stale-while-revalidate cache serves secrets instantly with automatic background refresh.

Async and Sync Support

Choose between async (Redenv) for modern async apps or sync (RedenvSync) for scripts and legacy applications.

Smart Secrets

Type-safe access with casting, validation, scoping, and automatic reference expansion.

What You Can Do#

app.py
import asyncio
from redenv import Redenv

redenv = Redenv({
    "project": "my-app",
    "token_id": "stk_...",
    "token": "redenv_sk_...",
    "upstash": {
        "url": "https://your-redis.upstash.io",
        "token": "AXxx...",
    },
})

async def main():
    # Load and cache secrets
    secrets = await redenv.load()

    # Direct access (auto-populates os.environ)
    print(os.environ["API_KEY"])

    # Smart type casting
    port = secrets.get("PORT", 3000, cast=int)
    debug = secrets.get("DEBUG", cast=bool)

    # Fail-fast validation
    secrets.require("DATABASE_URL", "STRIPE_KEY")

    # Scoped configuration
    aws_config = secrets.scope("AWS_")

    # Time travel
    previous_value = await redenv.get_version("API_KEY", 1, "index")

    # Dynamic updates
    await redenv.set("FEATURE_FLAG", "enabled")

asyncio.run(main())
script.py
from redenv import RedenvSync

redenv = RedenvSync({
    "project": "my-app",
    "token_id": "stk_...",
    "token": "redenv_sk_...",
    "upstash": {
        "url": "https://your-redis.upstash.io",
        "token": "AXxx...",
    },
})

# Load and cache secrets
secrets = redenv.load()

# Direct access (auto-populates os.environ)
print(os.environ["API_KEY"])

# Smart type casting
port = secrets.get("PORT", 3000, cast=int)
debug = secrets.get("DEBUG", cast=bool)

# Fail-fast validation
secrets.require("DATABASE_URL", "STRIPE_KEY")

# Scoped configuration
aws_config = secrets.scope("AWS_")

# Time travel
previous_value = redenv.get_version("API_KEY", 1, "index")

# Dynamic updates
redenv.set("FEATURE_FLAG", "enabled")

Security Model#

The SDK implements a zero-knowledge architecture:

  1. Service Token authenticates your application
  2. Encrypted PEK is fetched from Redis and decrypted locally
  3. Secrets are decrypted client-side using the PEK
  4. Redis never sees unencrypted data

Info

Your Master Password is never sent to any server. Only the CLI knows it. Applications use Service Tokens, which are derived keys that can decrypt the Project Encryption Key (PEK).

Runtime Compatibility#

RuntimeStatus
Python 3.8+ Fully supported
asyncio Fully supported
sync Fully supported
Django Fully supported
FastAPI Fully supported
Flask Fully supported