Why I stopped using Doppler

I used Doppler for about a year

I run a handful of side projects. A Stripe-connected SaaS. A scraper for personal use. A few experiments. An old blog. Each one has its own small set of API keys.

Doppler fixed my immediate pain. My .env files had grown messy. Different values per environment. Keys I rotated and forgot to rotate. One key I once committed by accident and panicked over.

Doppler was better. The dashboard looked clean. The CLI was solid. doppler run just worked. I was happy for a year.

What changed

Two things shifted within a few months.

AI coding agents became my main editor. First Cursor. Then Claude Code. Then Windsurf. I spent more time inside an agent's context than inside a plain editor. And every time I opened one, it read my .env file. Or .env.development. Or .env.local. Doppler injected secrets through doppler run, but I still had env files on disk for fallback, for tooling that did not know about Doppler, for VS Code extensions.

Plaintext on disk meant plaintext in the LLM context. That is not Doppler's fault. Doppler does not ship agent rules because that is not its job.

The per-seat pricing stopped adding up. I am one person. The Free tier has workspace limits. Once I crossed them — adding hobby work and a few client projects — the next tier was Team at $21/user/month. For one user with seven workspaces, that was $21/month for what was mostly local-dev secret storage.

Fine value for a team. A lot of money for a solo dev who just wants a safer .env.

What I moved to

Same KEY, different value per environment. tene env create dev / prod, tene set DATABASE_URL different-per-env, then tene run --env prod -- ... — The multi-environment feature I thought I would miss when leaving Doppler. tene ships it out of the box.

A local-first encrypted vault. In my case, tene. Here is the trade I made:

Gained: AI-editor rule files (CLAUDE.md, .cursor/rules, .windsurfrules, GEMINI.md, AGENTS.md) created by tene init. The agent now knows to use tene run -- instead of reading env files.
Gained: $0 cost no matter how many side projects I add.
Gained: it runs offline. No account. No "cloud is slow today" delays.
Lost: the Doppler web dashboard. As a solo dev, I used it maybe a minute per week.
Lost: Doppler's audit log. I have not needed it.
Lost: Doppler's k8s operator and cloud integrations. I do not self-host anything complex, so I did not feel this loss.

The honest comparison

If you run a team of 10 engineers, with a PM who needs dashboard access, and you have compliance rules that require audit logs, Doppler is probably still the right answer. A local-first vault does not ship those features.

If you are a solo developer, or a pre-revenue team where $21 per user per tool stacks up faster than you expect, and your real pain is "my plaintext .env is read by AI agents" — a local-first vault wins.

The line is roughly:

Situation	Best fit
Solo developer with hobby projects	Local vault (tene, etc.)
2-3 person early-stage team	Local vault + optional E2E team sync
10+ person team, compliance needs	Doppler or Infisical
Enterprise with dynamic secrets, PKI, audit	HashiCorp Vault

Migration was a weekend afternoon

For each project:

cd project
doppler secrets download --no-file --format env > .env
tene init
tene import .env
rm .env
# update CI to use TENE_MASTER_PASSWORD instead of DOPPLER_TOKEN

Doppler stayed live the whole time. That is the nice thing about cloud products — I could roll back any single project by reversing the steps.

After a week with both tools running side by side, I cancelled my Doppler plan. No surprises. No "wait, I forgot a value in production." The path is short because the abstraction is the same — both tools set env vars on a child process.

What I do not miss about Doppler

The dashboard login flow. Small friction. It adds up.
Waiting for the CLI to talk to the cloud while on an airplane.
Doing workspace-limit math.
The vague worry of "is my Doppler account safe? Should I rotate keys just in case?"

What I do miss about Doppler

The polish, honestly. The dashboard is pretty. The CLI errors are excellent. The docs are first-class.
One place to see every secret across every project. With a local vault, you only see one project at a time.
The k8s operator if I ever needed it. I did not.

The verdict

This is not a "tene beats Doppler" piece. It is "Doppler and a local vault solve different halves of the problem, and I weighted the local-first half more."

If you are a team paying for Doppler and it works for you — stay. If you are a solo dev paying for Doppler because it was the best option in 2024, and you have not rethought it since AI coding agents took over your day — it is worth a weekend afternoon to look again.

Good products live side by side for different jobs.

FAQ

Is Doppler a bad product?

No. Doppler is a well-engineered cloud secret manager with a strong dashboard, audit logs, RBAC, and integrations. It is a good fit for teams with compliance requirements and a budget for per-seat tools.

Why move off it as a solo developer?

Three reasons: the per-user pricing does not scale for one person with many hobby projects; the cloud account adds a dependency; and Doppler has no built-in story for AI coding agents reading .env.

Would you recommend it for teams?

Yes, if the team already values a dashboard + audit logs + RBAC and has the budget. For small teams that just want secrets out of .env, a local vault with optional team-sync layer is usually enough.