env0

Load environment variables directly from 1Password and never store secrets in .env files again.

Features

• Load environment variables directly from 1Password vaults
• Simple configuration using a .env0 file to declare required envs
• Easy integration with any command or script

Prerequisites

• 1Password CLI installed and configured

Installation

npm install env0

Usage

1. Create a .env0 file

In your project root, add a .env0 file (this can be commited in version control) with the environment variable names that should be loaded from 1Password:

# Shorthand assignment - loads TEST_ENV_VAR from 1Password
TEST_ENV_VAR

# Literal string assignment
LITERAL_VAR="my static value"

# Reference assignment - loads SOURCE_VAR from 1Password
RENAMED_VAR=SOURCE_VAR

You can also create a .env0.local file for local development overrides. This file should not be committed to version control:

# Override with a local value
DB_URL="postgres://localhost:5432/my_local_db"

2. Create secrets in 1Password

Create a 1Password vault and add the environment variables to it:

3. Run commands with env0

Use env0 to load environment variables into a sub process that runs the specified command.

# Basic usage
env0 --source op:your-vault-name -- your-command

# Use a custom env0 file
env0 --source op:your-vault-name --file "./env0.custom" -- your-command

# Alternatively, print environment variables for shell export
env0 --source op:your-vault-name --print

CLI Options

• -s, --source <platform:vault>: Specify the source in format platform:vault (e.g. op:secrets-staging)
• -f, --file <path>: Path to an env0 file (defaults to .env0 unless -e is used)
• -e, --entry <entries...>: Specify environment variable entries inline
• -p, --print: Print environment variables for shell export
• Any additional arguments are passed to the command being executed

How It Works

1. The CLI loads environment variables using either:
   • The env0 file specified by -f, --file, or
   • Inline entries specified via -e, --entry, or
   • Both sources when both -f and -e are both explicitly specified
2. If a .env0.local file exists in the same directory as the env0 file, it will be loaded and its values will override or extend the base configuration
3. For each entry, it processes the environment variable based on its type:
   • Shorthand (e.g., VAR): Fetches the corresponding item from the specified 1Password vault
   • Literal (e.g., VAR="value"): Uses the literal string value provided
   • Reference (e.g., VAR=SOURCE_VAR): Fetches the value from another 1Password item
4. Environment variables are loaded into the process
5. The specified command is executed with the loaded environment variables

Examples

# Run a command with environment variables from 1Password dev vault
env0 --source op:dev -- node app.js

# Run a command inside a shell (single quotes for shell interpolation)
env0 -s op:dev -e DB_URL -sh 'echo $DB_URL'

# Use specific environment variables without a env0 file
env0 --source op:dev --entry DB_URL --entry API_KEY -- node app.js

# Use literal and reference assignments inline
STAGE="dev" env0 -s op:dev -e DB_PASS=PROD_DB_PASS -- node app.js

# Combine env0 file with additional entries
env0 -s op:dev -f .env0 -e EXTRA_VAR1 -e EXTRA_VAR2 -- node app.js

# Export variables to your shell and run a command
eval $(env0 -s op:dev -p) && node app.js

License

MIT License

Contributors

• Daniel Grant