CipherStash Docs

Team onboarding

Invite team members and set up per-developer device-based access to CipherStash, with traceable client keys you can grant and revoke individually.

Every developer on your team gets their own device and client key when they initialize CipherStash. This means every encrypt, decrypt, and secret access operation is traceable to a specific developer.

How team access works

When a developer runs npx stash init, CipherStash creates:

  • A device identity tied to that developer's user account and the machine they ran the command on
  • A client key associated with the device, used for cryptographic operations
  • Automatic access to the default keyset in your workspace

No credentials are shared between developers. Each person has their own identity, and access can be granted or revoked individually.

Adding a team member

Invite them to your organization

In the CipherStash Dashboard, navigate to Members in the organization sidebar.

Add the new team member's email address. They will receive an invitation to create a CipherStash account (or join with an existing one).

Grant workspace access

Once they accept the invitation, grant them access to the relevant workspace(s) in Settings for your workspace.

Developer runs init

The new team member runs the init command on their device:

npx stash init

This authenticates them via the browser, creates their unique device and client key, and grants access to the default keyset.

They are now ready to develop locally with full CipherStash functionality — no environment variables needed.

Managing team access

Viewing active client keys

Navigate to Clients in the Dashboard to see all active client keys, including device-backed client keys created by npx stash init. Each client key shows which developer and device it belongs to.

Revoking a developer's access

To remove a developer's access:

  1. Remove their client key from keyset access in the Dashboard
  2. Remove them from the workspace
  3. Optionally, remove them from the organization

Revoked client keys can no longer perform encrypt, decrypt, or secret operations.

Multiple devices

If a developer works on more than one device (e.g., a laptop and a desktop), they run npx stash init on each device. Each device gets its own device identity and client key. This is by design — you can revoke access per device without affecting their other devices.

Relationship to production

Team devices are for local development only. Production environments use separate application client keys configured with environment variables.

This separation ensures that:

  • Developer credentials never appear in production infrastructure
  • Production access is controlled independently from developer access
  • Revoking a developer's device does not affect production systems
