Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This library contains EnvKey's core cross-platform fetching, decryption, verification, web of trust, redundancy, and caching logic. It accepts an ENVKEY generated by the EnvKey App and returns decrypted configuration for a specific app environment as json.

It is used by EnvKey's various Client Libraries, including envkey-source for bash, envkey-ruby for Ruby and Rails, envkey-python for Python, envkey-node for Node.js, and envkeygo for Go.

If you want to build an EnvKey library in a language that isn't yet officially supported, build some other type of integration, or simply play around with EnvKey on the command line, envkey-fetch is the library for you. If you just want to integrate EnvKey with your project, check out one of the aforementioned higher level libraries.


envkey-fetch compiles into a simple static binary with no dependencies, which makes installation a simple matter of fetching the right binary for your platform and putting it in your PATH. An script is available to simplify this, as well as a homebrew tap..

Install via bash:

curl -s | bash

Install manually:

Find the release for your platform and architecture, and stick the appropriate binary somewhere in your PATH (or wherever you like really).

Install from source:

With Go installed, clone the project into your GOPATH. cd into the directory and run go get and go build.

Cross-compile from source:

To compile cross-platform binaries, make sure Go is installed, then install goreleaser - follow instructions in the docs to do so.

Then to cross-compile, run:


Binaries for each platform will be output to the dist folder.


envkey-fetch YOUR-ENVKEY [flags]

This will either write your the app environment's configuration associated with your ENVKEY as json to stdout or write an error message beginning with error: to stdout.

Example json output


Example error output

error: ENVKEY invalid


    --cache                   cache encrypted config as a local backup (default is false)
    --cache-dir string        cache directory (default is $HOME/.envkey/cache)
    --client-name string      calling client library name (default is none)
    --client-version string   calling client library version (default is none)
-h, --help                    help for envkey-fetch
    --retries uint8           number of times to retry requests on failure (default 3)
    --retryBackoff float      retry backoff factor: {retryBackoff} * (2 ^ {retries - 1}) (default 1)
    --timeout float           timeout in seconds for http requests (default 10)
    --verbose                 print verbose output (default is false)
-v, --version                 prints the version

x509 error / ca-certificates

On a stripped down OS like Alpine Linux, you may get an x509: certificate signed by unknown authority error when envkey-fetch attempts to load your config. envkey-fetch tries to handle this by including its own set of trusted CAs via gocertifi, but if you're getting this error anyway, you can fix it by ensuring that the ca-certificates dependency is installed. On Alpine you'll want to run:

apk add --no-cache ca-certificates

Further Reading

For more on EnvKey in general:

Read the docs.

Read the integration quickstart.

Read the security and cryptography overview.

Need help? Have questions, feedback, or ideas?

Post an issue or email us:


Core EnvKey fetch/decryption/verification logic. Give it an ENVKEY, get back decrypted config as json. Compiles static cross platform binaries that can be easily built upon.





No packages published
You can’t perform that action at this time.