Team Management
Inviting a Team Member
Use ev access grant to invite someone. They must have run ev login at least once so their public key is registered with the ev server.
ev performs an automatic key exchange:
- ev fetches Alice's public key (Curve25519) from the ev server
- ev seals the project key with Alice's public key using crypto_box_seal
- The sealed key is stored server-side
- Alice can now run ev pull: her client fetches the sealed key, decrypts it with her private key, and uses the project key to decrypt secrets
No out-of-band communication is needed when both parties have already logged in.
Inviting Without an Account
If Alice has not yet logged in, you can generate a passphrase:
Share the passphrase with Alice. She runs:
The passphrase encodes the project key and can only be used once.
Roles
| Role | View secrets | Push | Pull | Create environments | Grant / revoke | Rotate key |
|---|---|---|---|---|---|---|
| Viewer | Yes | No | Yes | No | No | No |
| Developer | Yes | Yes | Yes | Yes | No | No |
| Admin | Yes | Yes | Yes | Yes | Yes | Yes |
Assign a role when granting access:
The default role is developer.
List current members and their roles:
Revoking Access
Revocation removes the user's sealed project key from the server. They can no longer pull secrets after their local session expires. However, if they cached the project key locally before revocation, they could still decrypt any previously pulled ciphertext.
To fully invalidate a revoked member's access, rotate the project key immediately after revoking:
Key Rotation
ev access rotate does the following:
- Generates a new project encryption key
- Re-encrypts all secret values with the new key
- Re-seals the new key for every current team member (excluding revoked members)
- Outputs a one-time passphrase for onboarding new members offline
Rotation is the only way to revoke access for someone who may have cached secrets locally. It is also good practice to rotate after any team member departure.