TL;DR
- dotenv — free, zero setup, works everywhere. Your team syncs secrets by hand (Slack, email, 1Password).
- Doppler — paid secrets manager. Central dashboard, audit logs, automatic injection into CI and deployment platforms.
- Upgrade when syncing secrets manually becomes a risk or a burden — usually around 3–5 engineers or when you have a second production environment.
What dotenv gives you
dotenv is a single-purpose library: it reads a .env file and merges values into process.env. There is no server, no dashboard, no account. Every developer keeps their own .env.local, a .env.example in the repo documents what variables exist, and secrets are shared out-of-band.
Cost: Free.
Setup time: 5 minutes.
Works with: Node.js, Python, Ruby, Go — any runtime that reads environment variables.
What Doppler gives you
Doppler is a secrets manager built for teams. Secrets live in Doppler's encrypted vault, not in files on developers' machines. The Doppler CLI injects the correct secrets at runtime, so your code never reads a file — it just reads process.env as normal.
- Central dashboard — one place to view, edit, and share all secrets across environments
- Access control — granular permissions per project and per environment
- Audit logs — see who accessed or changed a secret and when
- Automatic sync — integrations with Vercel, GitHub Actions, Kubernetes, AWS, and more
- Secret rotation — webhook triggers to auto-rotate secrets on a schedule
Cost: Free for up to 5 users; Team plan ~$7/user/month.
Setup time: 30–60 minutes for first project.
Side-by-side comparison
| Feature | dotenv | Doppler |
|---|---|---|
| Cost | Free | Free / $7 per user |
| Setup | 5 min | 30–60 min |
| Central dashboard | No | Yes |
| Audit logs | No | Yes |
| Access control | File system only | Per-user, per-env |
| CI/CD sync | Manual | Automatic |
| Secret rotation | Manual | Webhook-triggered |
| Self-hostable | N/A (local file) | No (SaaS only) |
When to stay with dotenv
- Solo project or team of 1–2 where you trust each other completely
- Open-source project with no real secrets (just API stubs)
- Budget is zero — Doppler's free tier is limited to 5 users
- Simple deployment with no secret sprawl across multiple CI systems
When to move to Doppler (or an alternative)
- 3+ engineers who all need access to production secrets
- Compliance requirements need an audit trail of who accessed what
- You have leaked a secret once and want it to never happen again
- Multiple deployment targets (Vercel + Railway + GitHub Actions) that all need the same secrets
- Onboarding a new developer currently takes 30+ minutes of "send them the .env"
Doppler alternatives worth considering
- Infisical — open-source, self-hostable, similar feature set to Doppler. Free tier is more generous. Good if you want data sovereignty.
- HashiCorp Vault — enterprise-grade, extremely flexible, but significant operational overhead. Best for large teams with dedicated platform engineers.
- AWS Secrets Manager / Parameter Store — natural fit if you're all-in on AWS. Per-secret pricing can add up.
- 1Password Secrets Automation — good if your team already uses 1Password as a password manager.
Migration path: dotenv → Doppler
- Create a Doppler project and import your existing
.envvalues via the dashboard or CLI (doppler secrets upload .env). - Install the Doppler CLI and replace
node server.jswithdoppler run -- node server.js. - Connect Doppler to Vercel / GitHub Actions via the Doppler dashboard integrations.
- Delete
.envfiles from developer machines — they're no longer needed.