Documentation
Reach your project's secrets, commands, setup and files from anywhere — a device, CI, or an AI agent. Everything below is zero-knowledge: the server only ever returns ciphertext, and decryption happens on your side.
Quickstart
- Create an account and a project at devdrops.de, then add a few secrets.
- In Settings → API tokens, create a token (read-only by default).
- Use it from the CLI, the API, or an AI agent:
export DEVDROPS_TOKEN=ddp_… # one command → .env + setup + commands npx devdrops onboard <projectId>
How it works (zero-knowledge)
A random 256-bit Data Encryption Key (DEK) encrypts every secret and synced file (AES-256-GCM). The DEK is wrapped — never stored in plaintext — by your password, your recovery key, and each API token.
When you call the API with a token, the server returns the ciphertext plus the token-wrapped DEK. Your client unwraps the DEK with the token secret and decrypts locally. The devdrops server never sees a plaintext secret — not even during an API call. The CLI and MCP server do this for you automatically.
API tokens
Create tokens in Settings → API tokens. Each token is shown once and stored only as a hash. Two scopes:
- Read-only (default) — read secrets, commands, setup and files.
- Read & write — additionally create and rotate secrets.
Token format (pass it as a Bearer token):
Authorization: Bearer ddp_<uid>.<tokenId>.<secret>
REST API
Base URL:
https://europe-west1-devdrops-app.cloudfunctions.net/api
All requests need the Authorization header. Endpoints:
| GET | /v1/projects | List your projects. |
| GET | /v1/projects/:id | Project metadata + setup notes. |
| GET | /v1/projects/:id/secrets | Ciphertext + the token-wrapped DEK. |
| GET | /v1/projects/:id/commands | Saved commands. |
| GET | /v1/projects/:id/notes | Notes. |
| GET | /v1/vault | The token-wrapped DEK (unwrap once for read + write). |
| POST | /v1/projects/:id/secrets | Create/rotate a secret (write scope). Body: { key, environment?, ciphertext, iv } — encrypt client-side first. |
curl -H "Authorization: Bearer $DEVDROPS_TOKEN" \ https://europe-west1-devdrops-app.cloudfunctions.net/api/v1/projects
The /secrets response returns ciphertext — decrypt it with the token secret (PBKDF2-HMAC-SHA256 → AES-256-GCM). The easiest path is the CLI or MCP, which do it for you.
CLI
No install required — run it with npx.
# token access (CI / agents — zero-knowledge) npx devdrops token ddp_… # or set DEVDROPS_TOKEN npx devdrops onboard <id> # ⭐ .env + setup + commands npx devdrops projects npx devdrops secrets <id> --env production npx devdrops env <id> -o .env npx devdrops set-secret <id> KEY=VALUE # write token # folder sync (device auth) npx devdrops login npx devdrops init && npx devdrops watch npx devdrops clone <id> # full tree on a new box npx devdrops mount ./code # on-demand (Linux/macFUSE)
MCP server
Give Claude Code, Cursor and other MCP clients native access to a project's context. Decryption happens inside the MCP process — plaintext never leaves your machine.
Claude Code:
claude mcp add devdrops \ --env DEVDROPS_TOKEN=ddp_… \ -- npx -y devdrops-mcp
Cursor / generic mcp.json:
{
"mcpServers": {
"devdrops": {
"command": "npx",
"args": ["-y", "devdrops-mcp"],
"env": { "DEVDROPS_TOKEN": "ddp_…" }
}
}
}Tools: list_projects, get_project, get_context, get_secrets, get_commands, get_notes, set_secret.
Ready to give it a token?
Get started free