API Quickstart
Envpilot's public REST API lets you read projects, variables, and shared accounts programmatically — no CLI or extension required. It's read-only in v1 and requires the Pro plan.
Create an API key#
Go to Organization Settings → API Keys to create an org-wide key, or Project Settings → API Keys for a key scoped to a single project.
- Click New API Key
- Choose a scope (see below)
- Copy the key — it's shown once, as
envpk_.... Envpilot only stores a hash of it; if you lose it, revoke it and create a new one.
Org-wide keys (scope = all projects) can only be created by the organization Owner. Project-scoped keys can be created by an Owner, Admin, or Team Lead.
Understand scope#
Every key has three independent scope dimensions:
- Projects —
all(every project in the org) or a specific list of projects - Environments —
all(development, staging, production) or a specific list - Resources — which resource types the key can read:
variables,accounts,projects
A request outside a key's scope behaves the same as if the resource didn't exist — you'll get a 404, never a 403. This is deliberate: see API Security for why.
Pull your first variables#
curl https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production \
-H "Authorization: Bearer envpk_your_key_here"Response:
{
"environment": "production",
"variables": [
{
"key": "DATABASE_URL",
"value": "postgres://...",
"updatedAt": 1752192000000
},
{ "key": "API_SECRET", "value": "sk_live_...", "updatedAt": 1752192000000 }
]
}environment is required unless you pass metadata_only=true.
Filtering#
Exact keys — pull only the variables you name:
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production&keys=DATABASE_URL,API_SECRET" \
-H "Authorization: Bearer envpk_your_key_here"Prefix match — useful for grabbing a related group, e.g. everything exposed to the client:
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production&prefix=NEXT_PUBLIC_" \
-H "Authorization: Bearer envpk_your_key_here"Metadata only — list variable keys without decrypting any values (no vault round-trip, higher rate limit):
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?metadata_only=true" \
-H "Authorization: Bearer envpk_your_key_here"dotenv output — get a ready-to-write .env file instead of JSON:
curl "https://www.envpilot.dev/api/v1/projects/backend/variables?environment=production&format=env" \
-H "Authorization: Bearer envpk_your_key_here"
# DATABASE_URL=postgres://...
# API_SECRET=sk_live_...Next steps#
- API Reference — every endpoint, filter, and error code
- MCP Server — connect an AI agent (Claude, Cursor) directly to your variables
- API Security — key model, scoping, revocation, and audit