Comparison

Sentroy vs Doppler

Doppler is a focused, polished secrets manager. Sentroy Env Vault is an open alternative bundled with the rest of the Sentroy platform — runtime env injection, CLI push/pull/diff, webhook-based invalidation. This page is an honest side-by-side so you can pick the right one — and a migration snippet if you decide to switch.

Quick comparison#

The five questions most teams care about when picking a secrets / config vendor.

 SentroyDoppler
Pricing modelFlat platform tier; secrets count not meteredPer-seat (Developer free → Team / Enterprise tiers)
Self-hostableYes — runs on your infra alongside the rest of SentroyNo — managed SaaS (self-host available on enterprise tier)
Open formatsStandard .env import/export; JSON/YAML/Docker formats on readStandard .env + JSON/YAML/Docker on read
Lock-inLow — .env import/export, public/private split is metadataLow — easy export, but per-seat billing scales with team
Bundled with other productsMail + storage + auth, one tenant, one access tokenSecrets-only; pair other services yourself

What is the same#

The places these two products meaningfully overlap.

  • Both let you centralize env per project / environment (dev, staging, prod).
  • Both support CLI push / pull / diff workflows.
  • Both ship an audit log of changes and rollbacks.
  • Both support webhook-based invalidation so deploys can pick up changes without a rebuild.
  • Both expose a server-side runtime fetch so values can change without redeploying.
  • Both support .env import on day one and re-export on the way out.

What is different#

Honest differences in both directions.

Where Sentroy is different

  • Bundled with mail, storage, and auth — one access token, one billing line, one company tenant.
  • No per-seat pricing — adding a developer to the team doesn't bump the bill.
  • Public/private split is first-class: useEnv() on the React side only ever sees the public bucket.
  • Self-hostable on the standard tier — Doppler reserves self-host for enterprise.
  • getEnv() server helper + useEnv() React hook ship in the same package.

Where Doppler is different

  • Mature integration catalog — GitHub Actions, Vercel, AWS Secrets Manager sync, Kubernetes operator, Terraform.
  • Service token rotation policies and IP allowlisting on higher tiers.
  • Branch-based config inheritance — useful for review apps and ephemeral environments.
  • SOC 2 Type II / ISO 27001 audited; some regulated buyers require this checkbox.
  • Longer track record as a dedicated secrets vendor — focused product surface.

When to pick Sentroy#

Concrete situations where Sentroy is the better call.

  • You already use Sentroy for mail / storage / auth — adding env to the same tenant is one less vendor to manage.
  • Your team is growing and per-seat secrets pricing is becoming a planning concern.
  • You want one helper (getEnv() / useEnv()) that handles server / client split without ceremony.
  • Self-hosting on commodity infra is a requirement and you don't want enterprise pricing for it.

When to stick with Doppler#

Cases where staying on Doppler is the right call.

  • You depend on the Doppler Kubernetes operator or one of their first-party integrations (Terraform, AWS SM sync) and the parity isn't there yet.
  • You need branch-based config inheritance for review apps as a turnkey feature.
  • Your compliance team requires a vendor with SOC 2 Type II as a published checkbox today.

Migration#

One operation, both SDKs side by side.

Read a secret at runtime from a Node.js server:

before.ts — Dopplerts
import "dopplersdk"
import { DopplerSDK } from "@dopplerhq/node-sdk"

const doppler = new DopplerSDK({
  accessToken: process.env.DOPPLER_TOKEN!,
})

const { value } = await doppler.secrets.get(
  "acme",      // project
  "prd",       // config
  "DATABASE_URL",
)

const db = connect(value.raw!)
after.ts — Sentroyts
import { getEnv } from "@sentroy-co/env-vault"

// One call returns the merged public + private env for this deploy.
// Bootstrap token comes from process.env.SENTROY_ENV_BOOTSTRAP at startup.
const env = await getEnv()

const db = connect(env.DATABASE_URL)

The Sentroy bootstrap token is set once per deploy. From then on, env-vault changes propagate via webhook invalidation — the next getEnv() call returns fresh values without a redeploy.

Previousvs AWS S3