EdgeVault serves your configuration from 300+ cities in under 10 ms, keeps one strongly-consistent source of truth per workspace, and never lets your secrets travel in plaintext. MIT at the core.
```
# real commands — @edgevault/cli
$ edgevault run -- node server.js
edgevault: injected 14 values
[server] ready on :8787

$ curl -s cdn.edgevault.io/v1/flags/checkout-v2 \
    -H "authorization: Bearer $EDGEVAULT_API_KEY" | jq -r .content
{"enabled":true,"rollout":0.25}   # 6 ms, L1
```
| stat | value | where |
|---|---|---|
| p99 edge read | <10 ms | in-memory L1 over KV |
| cities serving reads | 300+ | Cloudflare network |
| consistency at the core | strong | one Durable Object per workspace |
| plaintext lifetime | microseconds | api worker boundary only |
| telemetry phoning home | 0 | policy, enforced in CI |
Box scores don't editorialize. Neither do we.
Every write lands in a Durable Object dedicated to your workspace — one ordered history of revisions, promotions, and activity. The resolved value is written through to KV at the edge, where reads come off an in-memory L1 in single-digit milliseconds. Strong consistency where you decide; eventual consistency where you read.
Each secret gets its own AES-GCM-256 data key, wrapped by a workspace key derived via HKDF from a master key that lives in Secrets Store. Decryption happens inside the API boundary; plaintext exists for microseconds, inside one worker, then it's gone. The edge serves ciphertext-resolved config only — a popped CDN node has nothing to give up.
| layer | mechanism |
|---|---|
| per-secret DEK | AES-GCM-256 |
| workspace KEK | HKDF from MASTER_KEK |
| plaintext scope | api worker, transient |
| delivery plane | cannot decrypt |
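The key hierarchy described above (per-secret DEK, workspace KEK derived from a master key) can be sketched as follows. This is an added example, not EdgeVault's code: it uses Node's `crypto` module so it runs offline, and the function names, HKDF-SHA-256 with a workspace-id info label, AES-256-GCM for wrapping the DEK, and the `workspace/name` AAD are all assumptions.

```javascript
// Added illustration; not EdgeVault source. HKDF-SHA-256, the info label,
// AES-256-GCM key wrapping and the AAD binding are assumptions.
const { hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Workspace KEK = HKDF(master key, info = workspace id); no per-workspace key is stored.
function deriveWorkspaceKek(masterKek, workspaceId) {
  return Buffer.from(hkdfSync('sha256', masterKek, Buffer.alloc(0),
    `workspace-kek:${workspaceId}`, 32));
}

function gcmSeal(key, plaintext, aad) {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function gcmOpen(key, { iv, ct, tag }, aad) {
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key, AAD or tag
}

// Encrypt one secret under its own DEK, then wrap that DEK under the workspace KEK.
function sealSecret(masterKek, workspaceId, name, value) {
  const aad = Buffer.from(`${workspaceId}/${name}`); // binds the record to its slot
  const dek = randomBytes(32);
  const record = {
    workspaceId, name,
    data: gcmSeal(dek, Buffer.from(value, 'utf8'), aad),
    wrappedDek: gcmSeal(deriveWorkspaceKek(masterKek, workspaceId), dek, aad),
  };
  dek.fill(0); // zero the plaintext DEK as soon as it has been wrapped
  return record;
}

function openSecret(masterKek, record) {
  const aad = Buffer.from(`${record.workspaceId}/${record.name}`);
  const dek = gcmOpen(deriveWorkspaceKek(masterKek, record.workspaceId), record.wrappedDek, aad);
  try {
    return gcmOpen(dek, record.data, aad).toString('utf8');
  } finally {
    dek.fill(0);
  }
}
```

A stored record holds only ciphertext and a wrapped DEK, so moving it to another workspace or another key name fails authentication instead of decrypting.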
```jsx
// real code — @edgevault/sdk (signatures verified)
import { EdgeVault } from '@edgevault/sdk'
import { useFlag } from '@edgevault/sdk/react'

const edgevault = new EdgeVault({ apiKey: EDGE_KEY })

export function Checkout() {
  const { enabled } = useFlag(edgevault, 'checkout-v2')
  if (enabled) return <CheckoutV2 /> // 25% of traffic, EU first
  return <CheckoutClassic />
}
```
Percentage rollouts, environment scoping, and instant propagation over the same edge path as your config. Typed SDK with React bindings; live updates over WebSocket when you want them, plain reads when you don't.
Semantic search across every key. Risk checks before a promotion ships. A changelog that explains itself — every revision attributed and summarized. And the whole control plane speaks MCP, so your agents operate EdgeVault with the same authz as your humans.
Find "the timeout we raised during the incident" without remembering the key name.
Promotions get reviewed before they ship — diffs scored, blast radius named.
Your agents read, write, and promote with the same authz as your humans.
The core is MIT-licensed and self-hostable on your own Cloudflare account — same workers, same Durable Objects, no crippled community edition. No telemetry phones home. Paid tiers add the managed control plane, SSO/SAML and SCIM — and that's what you pay for, plainly.
| tier | what it is |
|---|---|
| Free | managed edge, generous read allowance |
| Pro | usage-based: edge reads + monthly active users |
| Team | adds extended audit retention |
| Enterprise | SSO/SAML, SCIM, advanced RBAC (sales-led) |
Start on the managed edge in two minutes, or clone the repo and own the whole stack.