Tene is a local-first, encrypted secret management CLI. It stores your API keys, tokens, and credentials in an encrypted SQLite vault on your device. No server, no signup, no cloud dependency.

How does Claude Code auto-detection work?

When you run tene init, it generates a CLAUDE.md file in your project root. Claude Code reads this file automatically and learns how to use tene to retrieve secrets.

Yes, Tene is 100% free and open source under the MIT license. All local features — encryption, runtime injection, multi-environment, AI editor rules — are free forever with no limits.

Will there be team features?

Team sync and collaboration features are being designed. The goal is encrypted team sync without a central server. Join the waitlist at tene.sh to get notified when it launches.

How are my secrets encrypted?

Tene uses XChaCha20-Poly1305 encryption with 256-bit keys derived from your master password via Argon2id. Each secret gets a unique 192-bit nonce.

Does Tene work offline?

Tene is 100% offline. It makes zero network calls. Your secrets are encrypted and stored locally in a SQLite database.

Is Doppler a bad product?

No. Doppler is a well-engineered cloud secret manager with a strong dashboard, audit logs, RBAC, and integrations. It is a good fit for teams with compliance requirements and a budget for per-seat tools.

Why move off it as a solo developer?

Three reasons: the per-user pricing does not scale for one person with many hobby projects; the cloud account adds a dependency; and Doppler has no built-in story for AI coding agents reading .env.

Would you recommend it for teams?

Yes, if the team already values a dashboard + audit logs + RBAC and has the budget. For small teams that just want secrets out of .env, a local vault with optional team-sync layer is usually enough.

Why I stopped using Doppler

I used Doppler for about a year

I run a handful of side projects: a Stripe-connected SaaS, a scraper for personal use, a couple of experimental tools, an old blog. Each has its own small set of API keys.

I used Doppler for a year because it solved the immediate problem: .env files got out of hand. Different values per environment, values I rotated and forgot to rotate, values I accidentally committed once and panicked over.

Doppler was better. The dashboard was clean, the CLI was solid, doppler run worked. I was happy.

What changed

Two things happened within a few months.

AI coding agents became my default interface. Cursor, then Claude Code, then Windsurf. I spent more time inside an agent's context window than inside my own editor. And every time I opened one, it read my .env or whatever env-like file existed at the root. Doppler injected secrets via doppler run, but I still had .env.development and .env.local sitting on disk for fallback, tooling that did not know about Doppler, VS Code extensions, etc.

Plaintext on disk meant plaintext in the LLM context. Not Doppler's fault — Doppler doesn't ship with an agent-rules story because that is not its category.

The per-seat pricing math stopped working. I am one person. Doppler's Free tier has workspace limits, and once I exceeded them (adding my hobby stuff and a couple of client projects) the next tier was Team at $21/user/month. For one user with seven workspaces, that was $21/month for what was mostly local-dev secret management.

Not bad value for a team. A lot of money for a solo developer who just wants .env to not be a liability.

What I moved to

Same KEY, different value per environment. tene env create dev / prod, tene set DATABASE_URL different-per-env, then tene run --env prod -- ... — The multi-environment feature I thought I would miss when leaving Doppler. tene ships it out of the box.

A local-first encrypted vault — in my case, tene. The trade I made:

Gained: AI-editor rule files (CLAUDE.md, .cursor/rules, .windsurfrules, GEMINI.md, AGENTS.md) generated by tene init. The agent now structurally knows to use tene run -- instead of reading env files.
Gained: $0 cost at any scale of hobby project count.
Gained: runs offline, no account, no "cloud is slow today" moments.
Lost: the Doppler web dashboard. For a solo developer this turned out to be a feature I used for maybe one minute per week.
Lost: Doppler's audit log. I have not needed it as a solo dev.
Lost: Doppler's k8s operator + cloud integrations. I do not self-host anything complex, so this was not a loss I felt.

The honest comparison

If you are a team of 10 engineers, a PM who needs dashboard access, and a compliance program that requires audit logs, Doppler is probably still the right answer. A local-first vault does not ship those features.

If you are a solo developer, or a pre-revenue team where $21 per user per month per tool adds up faster than you think, and the actual pain is "my plaintext .env is read by AI agents" — a local-first vault wins.

The boundary is roughly:

Situation	Best fit
Solo developer with hobby projects	Local vault (tene, etc.)
2-3 person early-stage team	Local vault + optional E2E team sync
10+ person team, compliance needs	Doppler or Infisical
Enterprise with dynamic secrets, PKI, audit	HashiCorp Vault

Migration was a weekend afternoon

For each project:

cd project
doppler secrets download --no-file --format env > .env
tene init
tene import .env
rm .env
# update CI to use TENE_MASTER_PASSWORD instead of DOPPLER_TOKEN

Doppler stayed available the whole time, which is the nice thing about cloud products — I could have rolled back by reversing any project individually.

After a week of both products running in parallel, I cancelled the Doppler subscription. No surprises, no "oh I forgot about that one value in production." The migration path is short because the abstraction is the same: both tools set env vars on a child process.

What I do not miss about Doppler

The dashboard login flow. Small friction, adds up.
Waiting for the CLI to talk to the cloud when I am on an airplane.
The workspace limit math.
The vague worry of "is my Doppler account compromised? do I need to rotate things just in case?"

What I do miss about Doppler

Honestly, the polish. The dashboard is beautiful, the CLI error messages are top-tier, the docs are first-class.
A single place to see what secrets exist across every project. With a local vault you see per-project only.
The k8s operator if I needed it. I did not.

The verdict

This is not a "tene is better than Doppler" article. It is "Doppler and a local vault solve different halves of the problem, and I weighted the local-first half more."

If you are a team paying Doppler and it works for you: great, stay. If you are a solo developer paying Doppler because it was the best option in 2024 and you have not reconsidered since AI coding agents took over your workflow: worth a weekend afternoon to reconsider.

Good products live side by side for different use cases.