Comparison

tene vs Doppler

Doppler is cloud-based and proprietary. tene is local-first and MIT. Same developer workflow, very different ops story.


Doppler is a well-engineered cloud secret manager aimed at teams that want a central dashboard and granular access controls. tene is a different product for a different audience: a local-first CLI for individual developers and small teams who want zero infrastructure, zero signup, and AI-editor safety out of the box.

If you already pay for Doppler and need SOC 2, dashboards, and audit logs on a managed service, stay on Doppler. If you want your secrets to live on your own machine, cost $0, and stay out of AI context windows, tene is the answer.

When Doppler is the right answer

Large teams with strong compliance requirements (SOC 2, audit logs, access controls) will find Doppler's managed service a better fit. The dashboard, RBAC, and integrations ecosystem (CI, k8s, dynamic envs) are genuinely strong. If you already have a Doppler contract and engineers trained on it, the switching cost is not worth it for a single-developer workflow.

Side-by-side

Feature-by-feature comparison. Every row is sourced from the official docs of each product — if you find something stale, open an issue.

| Dimension | tene | Doppler |
| --- | --- | --- |
| Hosting | Local-first (your machine) | Cloud (Doppler servers) |
| Price | $0 (MIT, unlimited secrets) | $21 / user / month (Team); Free tier has workplace limits |
| AI-editor integration | Auto-generates CLAUDE.md, .cursor/rules, .windsurfrules, GEMINI.md, AGENTS.md | Not AI-aware |
| Secrets reach AI context | No (runtime env injection only) | Depends on how you inject — `doppler run` also injects, but the dashboard is a separate attack surface |
| Vendor lock-in | Zero — SQLite vault is portable | Requires Doppler account + sync; migration off requires `doppler secrets download` |
| Open source | Yes (MIT) | No (proprietary SaaS) |
| Offline | 100% offline | Requires network for CLI (caching available, but online is the happy path) |
| Team sync | Optional E2E encrypted sync via app.tene.sh (Pro) | Core product — strong team features |
| Dashboard UI | CLI only (dashboard coming via Cloud Pro) | Full web dashboard with access controls |
| Audit log | Local CLI history + optional cloud audit on Pro | Comprehensive audit log (enterprise plan) |

When tene is the right answer

Individual developers, early-stage startups, and open-source maintainers often don't need $250/month per seat for a secret manager. They need: encryption at rest, AI-editor safety, multi-environment support, and a runtime that injects secrets without writing them to disk. That's exactly tene's scope.

The decision tree: if your team has a compliance team, pick Doppler. If your team is you (or you + a few collaborators), pick tene.

What you give up by moving to tene

There is no web dashboard (yet — it's being designed for Pro). There is no native k8s operator. Audit logs are local CLI history on the free tier. If those are dealbreakers, Doppler is the better pick. For the majority of developer-workstation + CI workflows, tene's encrypted vault + `tene run --` covers the actual daily needs without an account to manage.

Migrate from Doppler to tene

Export from Doppler as a .env, then import into a tene vault. Doppler stays available the whole time, so you can roll back freely.

  1. Export Doppler secrets as .env
    $ doppler secrets download --no-file --format env > .env
  2. Install tene
    $ curl -sSfL https://tene.sh/install.sh | sh
  3. Initialize a local vault
    $ tene init
  4. Import the .env
    $ tene import .env
  5. Delete the plaintext .env
    $ rm .env
  6. Run your app through tene
    $ tene run -- npm start
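
A check that fits between steps 4 and 5, as an added example that is not part of tene or Doppler: it confirms that every variable name in the exported .env appears in the environment tene injects, comparing names only so that no secret value is printed. The helper names `env_keys` and `missing_keys` are made up for this example, and it assumes `tene run --` will run `env` the same way it runs `npm start`.

```shell
#!/bin/sh
# Added example, not part of tene or Doppler. Compares variable NAMES only;
# secret values are never printed or written to disk by these functions.
LC_ALL=C; export LC_ALL   # identical sort order for sort(1) and comm(1)

# Print the sorted, unique variable names defined in dotenv file $1.
# Skips comments and blank lines; accepts an optional "export " prefix.
env_keys() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=.*/\2/p' "$1" | sort -u
}

# Read `env`-style output on stdin; print names from dotenv file $1 that are
# absent from it. The temp files hold names only.
missing_keys() {
    mk_dir=$(mktemp -d) || return 2
    env_keys "$1" > "$mk_dir/expected"
    sed -n -E 's/^([A-Za-z_][A-Za-z0-9_]*)=.*/\1/p' | sort -u > "$mk_dir/actual"
    comm -23 "$mk_dir/expected" "$mk_dir/actual"
    rm -rf "$mk_dir"
}

# Constructed sample data (placeholder values, not real secrets).
demo() {
    demo_file=$(mktemp) || return 2
    printf '%s\n' '# constructed sample export' \
        'DATABASE_URL="postgres://example.invalid/app"' \
        'export API_KEY="constructed-placeholder"' \
        '' \
        'STRIPE_SECRET="constructed-placeholder"' > "$demo_file"
    # Constructed runtime environment in which STRIPE_SECRET was not injected.
    printf '%s\n' 'PATH=/usr/bin' 'API_KEY=x' 'DATABASE_URL=y' | missing_keys "$demo_file"
    rm -f "$demo_file"
}

# Real use, between steps 4 and 5 (assumes `tene run --` accepts any command):
#   tene run -- env | missing_keys .env
demo
```

On the constructed sample this prints `STRIPE_SECRET`; no output means every exported name was injected.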

After migration: Run both side-by-side for a week to validate. Once you are confident, revoke the Doppler tokens and cancel the subscription.

FAQ

Can I run both for a week to compare?
Yes. tene is local-first and doesn't touch Doppler; nothing breaks. Export Doppler secrets as a .env, import into tene, and run both in parallel until you're confident.

What happens to my Doppler audit log?
It stays in Doppler. If you need a historical record, keep your Doppler account on a free tier as a read-only archive. tene Pro will add an encrypted audit log in a future release.

Does tene have team features?
The CLI is local-first and free forever. Optional E2E encrypted team sync is available at app.tene.sh (Pro). Server-side, only ciphertext is stored.

How is tene different for AI agents?
tene generates rule files for five AI editors (CLAUDE.md, .cursor/rules/tene.mdc, .windsurfrules, GEMINI.md, AGENTS.md) that teach the agent to call `tene run --` instead of reading `.env`. Doppler does not ship any AI-editor integration.