Your teammate joins. They need the .env. You send it over Slack. It sits in Slack's database forever. One month later the team doubles, now three different versions of the file exist, and nobody's sure which is current.
Below are the five common ways teams share .env, ranked from worst to best for real engineering teams in 2026.
Option 5 — Slack / email (worst)
Cost: $0 · Security: terrible · Scaling: impossible
Every Slack workspace retains messages. Every email lives in multiple inboxes. Once shared, the file exists on devices you'll never audit. Rotation becomes mandatory every time anyone leaves the team.
Use only if: one-off, throwaway secrets (e.g., sending a test-mode Stripe key to a contractor for one hour).
If you must: encrypt the file first with a passphrase, then send the passphrase over a different channel (SMS, voice) so that neither channel alone yields the secrets.
Option 4 — Shared password manager (1Password / Bitwarden)
Cost: $3–8/user/month · Security: good · Scaling: OK for < 20 people
Paste the .env as a secure note in a shared vault. Every team member has a copy; revoking access removes it. Works surprisingly well for small teams.
Pros: low friction, works today, audit-friendly.
Cons: manual sync — when a key changes you still have to DM everyone. No runtime integration with your app.
Option 3 — Host dashboard (Vercel / Railway / Fly)
Cost: $0 (bundled with hosting) · Security: good · Scaling: OK for one project
Set env vars in the dashboard; the host injects them at runtime. No local file to share — devs run against staging/local DBs only.
Best for solo devs and two-person teams. Gets clunky once you have multiple projects sharing keys or multiple environments per project.
Option 2 — 1Password Secrets Automation
Cost: $12+/user/month · Security: excellent · Scaling: great
If your team already pays for 1Password, Secrets Automation lets you reference vault entries in CI/CD and local dev via a CLI:
```bash
# 1Password CLI: the .env holds op:// references, not plaintext values;
# op run resolves them at launch and injects them into the child process.
op run --env-file=".env" -- npm run dev
```
Zero-friction for existing 1Password users. The passphrase lives in your macOS keychain / Touch ID.
Option 1 — Dedicated secret manager (Doppler / Infisical)
Cost: $0–7/user/month · Security: excellent · Scaling: unlimited
These tools are purpose-built for the job: a web UI to edit secrets, a CLI to pull them into local dev, and SDKs for runtime injection. Both have generous free tiers that handle most small teams.
Doppler
Easiest onboarding. Native integrations with Vercel, Netlify, Railway, Kubernetes. Free for < 3 team members; paid plans start at $7/user/month. Affiliate link: doppler.com.
Infisical
Open-source, self-hostable. Same feature set as Doppler but you control the server. Better for privacy-conscious teams or self-hosted Kubernetes setups.
Decision matrix
| Team size | Best choice | Why |
|---|---|---|
| 1 person | Host dashboard + .env.local | Simplest |
| 2–5 people | 1Password shared vault | You already pay for it |
| 5–20 people | Doppler or Infisical | Scales, audit-friendly |
| 20+ / regulated | Doppler + HashiCorp Vault | Audit + dynamic secrets |
Before you share anything
Always do these three things:
- Run a leak check — catches the obvious stuff (AWS, Stripe live, GitHub tokens).
- Generate a safe .env.example in the browser — commit this, not the real file.
- Diff against the last known good file with the .env diff checker — catch drift before it spreads.
TL;DR
- Never share .env files in plain text over Slack / email.
- 2–5 devs: shared password manager.
- 5+ devs: dedicated secret manager (Doppler / Infisical).
- Always run the leak checker before sharing.