Skip to main content
Enkryptify uses a hierarchy to organize secrets. Understanding this hierarchy is key to setting up your workspace effectively.

The hierarchy

Workspace
└── Team
    └── Project
        └── Environment
            └── Secret (key → value)

Workspace

A workspace represents your organization. It’s the top-level container for everything in Enkryptify: teams, projects, members, and settings. Each workspace has a unique URL slug (e.g. app.enkryptify.com/acme-corp). Every user in your organization belongs to the same workspace and is assigned a role that determines what they can do.

Team

Teams are organizational groups within a workspace. Use them to mirror your company structure, for example: “Backend”, “Frontend”, “Infrastructure” or “Data”. Teams contain projects and are used as a scoping boundary for access control. You can restrict a member’s access to specific teams so they only see the projects relevant to their work.

Project

A project represents a single application, service, or repository. It contains environments and secrets. Each project belongs to a team and has its own URL slug. Examples: api-service, web-app, marketing-site.

Environment

An environment is a deployment context within a project — typically development, staging, and production. Each environment has its own data encryption key (DEK). This means secrets in one environment are cryptographically isolated from secrets in another, even within the same project. Environments are also the level at which syncs map to external providers (e.g. your Enkryptify “production” environment maps to your Vercel “Production” environment).

Secret

A secret is a key-value pair that has a different value per environment. For example, a DATABASE_URL secret might have:
EnvironmentValue
developmentpostgresql://localhost:5432/dev
stagingpostgresql://staging-db:5432/app
productionpostgresql://prod-db:5432/app
Secret names can contain letters (A-Z, a-z), numbers (0-9), underscores, and hyphens.

Personal overrides

Any team member can set a personal override for a secret value in a specific environment. This replaces the shared value with a personal one — only for that user. This is useful for local development where you might need your own database or API key. Personal overrides don’t affect syncs or other team members. See Personal Overrides for details.

Access control

Access is controlled at two levels:
  1. Role — determines what actions a user can perform (Admin, Developer, or Member)
  2. Scope — determines which teams, projects, and environments a user can access
This lets you give a developer full secret management permissions but only for the projects they work on. See Roles and Permissions for the full breakdown.

Syncs

Syncs push secrets from Enkryptify to external providers like GitHub, Vercel, or AWS Secrets Manager. Syncs are one-way — Enkryptify is the single source of truth. When you create or update a secret, the change is automatically pushed to all configured syncs for that environment. See Syncs Overview for details.