ev access
Usage
Description
ev access manages who can read and write secrets for a project.
ev access
Lists all current team members and their roles:
ev access grant
Invites a user to the project. ev handles the key exchange automatically:
- ev fetches the invitee's public key from the ev server (they must have run ev login at least once)
- ev seals the project key with their public key
- The sealed key is stored server-side — the invitee can now decrypt secrets
Use -r / --role to assign a specific role. The default is developer.
ev access revoke
Removes a user's access. After revocation, they can no longer pull secrets. Their previously cached project key remains valid until you run ev access rotate.
ev access rotate
Generates a new project key, re-encrypts all secrets, re-seals the key for all current members, and prints a passphrase that can be used by new members to join via ev init --passphrase.
Run this after revoking access to ensure the revoked member can no longer use a cached key.
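Why revocation alone is not enough, as a small Python model. This is an added example, not ev's own code: the Project class, the HMAC-based stand-in cipher and the sample secret are assumptions made for illustration, and per-member sealing is reduced to a dictionary because the page does not describe ev's actual cipher or sealing scheme.

```python
import hashlib, hmac, os

def _ks(key, nonce, n):  # HMAC-SHA256 counter keystream (stand-in cipher, not ev's)
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor(plaintext, _ks(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # wrong (e.g. pre-rotation) key or tampered data
    return _xor(ct, _ks(key, nonce, len(ct)))

class Project:  # hypothetical model of the server-side state
    def __init__(self, secrets, members):
        self.key = os.urandom(32)
        self.store = {k: encrypt(self.key, v) for k, v in secrets.items()}
        self.sealed = {m: self.key for m in members}  # stands in for sealed keys

    def revoke(self, member):
        self.sealed.pop(member, None)  # server no longer holds a key for them

    def rotate(self):
        old, self.key = self.key, os.urandom(32)
        self.store = {k: encrypt(self.key, decrypt(old, b)) for k, b in self.store.items()}
        self.sealed = {m: self.key for m in self.sealed}  # current members only

def demo():
    p = Project({"DB_URL": b"postgres://example.invalid/app"}, ["alice", "bob"])  # constructed
    cached = p.sealed["bob"]                     # bob's locally cached project key
    p.revoke("bob")
    before = decrypt(cached, p.store["DB_URL"])  # ciphertext still under the old key
    p.rotate()
    after = decrypt(cached, p.store["DB_URL"])   # cached key no longer matches
    alice = decrypt(p.sealed["alice"], p.store["DB_URL"])
    return before, after, alice

if __name__ == "__main__":
    print(demo())
```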
Flags
ev access grant
| Flag | Short | Description |
|---|---|---|
| --role | -r | Role to assign: viewer, developer, or admin (default: developer) |
Examples
List team members:
Grant access with the default developer role:
Grant access with a specific role:
Revoke access and rotate the key: