Documentation

Reach your project's secrets, commands, setup and files from anywhere — a device, CI, or an AI agent. Everything below is zero-knowledge: the server only ever returns ciphertext, and decryption happens on your side.

Quickstart

  1. Create an account and a project at devdrops.de, then add a few secrets.
  2. In Settings → API tokens, create a token (read-only by default).
  3. Use it from the CLI, the API, or an AI agent:
export DEVDROPS_TOKEN=ddp_…

# one command → .env + setup + commands
npx devdrops onboard <projectId>

How it works (zero-knowledge)

A random 256-bit Data Encryption Key (DEK) encrypts every secret and synced file (AES-256-GCM). The DEK is wrapped — never stored in plaintext — by your password, your recovery key, and each API token.

When you call the API with a token, the server returns the ciphertext plus the token-wrapped DEK. Your client unwraps the DEK with the token secret and decrypts locally. The devdrops server never sees a plaintext secret — not even during an API call. The CLI and MCP server do this for you automatically.

API tokens

Create tokens in Settings → API tokens. Each token is shown once and stored only as a hash. Two scopes:

  • Read-only (default) — read secrets, commands, setup and files.
  • Read & write — additionally create and rotate secrets.

Token format (pass it as a Bearer token):

Authorization: Bearer ddp_<uid>.<tokenId>.<secret>

REST API

Base URL:

https://europe-west1-devdrops-app.cloudfunctions.net/api

All requests need the Authorization header. Endpoints:

GET/v1/projectsList your projects.
GET/v1/projects/:idProject metadata + setup notes.
GET/v1/projects/:id/secretsCiphertext + the token-wrapped DEK.
GET/v1/projects/:id/commandsSaved commands.
GET/v1/projects/:id/notesNotes.
GET/v1/vaultThe token-wrapped DEK (unwrap once for read + write).
POST/v1/projects/:id/secretsCreate/rotate a secret (write scope). Body: { key, environment?, ciphertext, iv } — encrypt client-side first.
curl -H "Authorization: Bearer $DEVDROPS_TOKEN" \
  https://europe-west1-devdrops-app.cloudfunctions.net/api/v1/projects

The /secrets response returns ciphertext — decrypt it with the token secret (PBKDF2-HMAC-SHA256 → AES-256-GCM). The easiest path is the CLI or MCP, which do it for you.

CLI

No install required — run it with npx.

# token access (CI / agents — zero-knowledge)
npx devdrops token ddp_…              # or set DEVDROPS_TOKEN
npx devdrops onboard <id>             # ⭐ .env + setup + commands
npx devdrops projects
npx devdrops secrets <id> --env production
npx devdrops env <id> -o .env
npx devdrops set-secret <id> KEY=VALUE   # write token

# folder sync (device auth)
npx devdrops login
npx devdrops init  &&  npx devdrops watch
npx devdrops clone <id>               # full tree on a new box
npx devdrops mount ./code             # on-demand (Linux/macFUSE)

MCP server

Give Claude Code, Cursor and other MCP clients native access to a project's context. Decryption happens inside the MCP process — plaintext never leaves your machine.

Claude Code:

claude mcp add devdrops \
  --env DEVDROPS_TOKEN=ddp_… \
  -- npx -y devdrops-mcp

Cursor / generic mcp.json:

{
  "mcpServers": {
    "devdrops": {
      "command": "npx",
      "args": ["-y", "devdrops-mcp"],
      "env": { "DEVDROPS_TOKEN": "ddp_…" }
    }
  }
}

Tools: list_projects, get_project, get_context, get_secrets, get_commands, get_notes, set_secret.

Ready to give it a token?

Get started free