// docs

API Quickstart

Create an API key and pull your first environment variable over REST in under a minute.

API Quickstart

Envpilot's public REST API lets you read projects, variables, and shared accounts programmatically — no CLI or extension required. It's read-only in v1 and requires the Pro plan.

Create an API key#

Go to Organization Settings → API Keys to create an org-wide key, or Project Settings → API Keys for a key scoped to a single project.

  1. Click New API Key
  2. Choose a scope (see below)
  3. Copy the key — it's shown once, as envpk_.... Envpilot only stores a hash of it; if you lose it, revoke it and create a new one.

Org-wide keys (scope = all projects) can only be created by the organization Owner. Project-scoped keys can be created by an Owner, Admin, or Team Lead.

Understand scope#

Every key has three independent scope dimensions:

  • Projectsall (every project in the org) or a specific list of projects
  • Environmentsall (development, staging, production) or a specific list
  • Resources — which resource types the key can read: variables, accounts, projects

A request outside a key's scope behaves the same as if the resource didn't exist — you'll get a 404, never a 403. This is deliberate: see API Security for why.

Pull your first variables#

terminal
curl https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production \
  -H "Authorization: Bearer envpk_your_key_here"

Response:

json
{
  "environment": "production",
  "variables": [
    {
      "key": "DATABASE_URL",
      "value": "postgres://...",
      "updatedAt": 1752192000000
    },
    { "key": "API_SECRET", "value": "sk_live_...", "updatedAt": 1752192000000 }
  ]
}

environment is required unless you pass metadata_only=true.

Filtering#

Exact keys — pull only the variables you name:

terminal
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production&keys=DATABASE_URL,API_SECRET" \
  -H "Authorization: Bearer envpk_your_key_here"

Prefix match — useful for grabbing a related group, e.g. everything exposed to the client:

terminal
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production&prefix=NEXT_PUBLIC_" \
  -H "Authorization: Bearer envpk_your_key_here"

Metadata only — list variable keys without decrypting any values (no vault round-trip, higher rate limit):

terminal
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?metadata_only=true" \
  -H "Authorization: Bearer envpk_your_key_here"

dotenv output — get a ready-to-write .env file instead of JSON:

terminal
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production&format=env" \
  -H "Authorization: Bearer envpk_your_key_here"
# DATABASE_URL=postgres://...
# API_SECRET=sk_live_...

Next steps#

  • API Reference — every endpoint, filter, and error code
  • MCP Server — connect an AI agent (Claude, Cursor) directly to your variables
  • API Security — key model, scoping, revocation, and audit