Environment Snapshots
Snapshots capture the exact state of all secrets in an environment at a point in time. Use them for safe deployments, disaster recovery, or auditing.
When to Use Snapshots
| Scenario | Why |
|---|---|
| Before a deployment | Roll back all secrets if something goes wrong |
| Before bulk changes | Safety net when updating many secrets at once |
| Compliance audits | Prove what values were live at a specific time |
| Environment cloning | Capture state before modifying a copied environment |
Creating a Snapshot
CLI
envshed snapshot create --name "Before v2.1 deploy"
Options:
| Flag | Description |
|---|---|
-n, --name <name> | Optional human-friendly name |
-d, --desc <description> | Optional description |
-o, --org <slug> | Organization slug |
-p, --project <slug> | Project slug |
-e, --env <slug> | Environment slug |
API
curl -X POST https://app.envshed.com/api/v1/snapshots/my-org/my-project/production \
-H "Authorization: Bearer $ENVSHED_TOKEN" \
-H "Content-Type: application/json" \
-d '{"name": "Before v2.1 deploy"}'
Listing Snapshots
CLI
envshed snapshot list
API
curl https://app.envshed.com/api/v1/snapshots/my-org/my-project/production \
-H "Authorization: Bearer $ENVSHED_TOKEN"
Response:
{
"snapshots": [
{
"id": "uuid-1",
"name": "Before v2.1 deploy",
"description": null,
"createdBy": "user-uuid",
"createdAt": "2026-02-19T11:00:00Z"
}
]
}
Restoring from a Snapshot
Restoring overwrites every secret in the environment with the value it had when the snapshot was taken. Each restored secret gets a new version entry with change type rolled_back.
CLI
envshed snapshot restore <snapshot-id>
API
curl -X POST https://app.envshed.com/api/v1/snapshots/my-org/my-project/production/restore \
-H "Authorization: Bearer $ENVSHED_TOKEN" \
-H "Content-Type: application/json" \
-d '{"snapshotId": "uuid-1"}'
How Snapshots Work Internally
A snapshot stores a JSON mapping of each secret key to its version record ID at the time of creation. When restoring, the system:
- Looks up each version record by ID
- Updates the current secret with that version's encrypted value
- Creates a new version record (type:
rolled_back) for each restored secret - Records the restore in the audit log
This means:
- Snapshots reference specific version records, not raw values
- Restoring is non-destructive — it creates new versions rather than rewriting history
- If a secret was deleted after the snapshot, it will be skipped during restore