Secrets & privacy
cnfgr syncs your configuration, never your secrets. This is a hard rule, not a setting.
Never synced
The following are never sent to cnfgr’s cloud or to your other devices:
- .env files
- API keys, tokens, and credentials
- OAuth tokens or any authentication state
How secrets are handled
Configuration often references a secret (for example, an MCP server that needs an API key). cnfgr handles this with placeholders:
- Scrubbing. Before anything syncs, secret values are stripped out and replaced with a placeholder reference such as ${secret:<id>}.
- Sync. Only the placeholder travels with your configuration.
- Re-hydration. On each of your own devices, the placeholder is resolved from that device’s local secret store when the config is written to a tool.
This means a synced MCP server definition or settings file is portable and safe to store, while the actual secret never leaves the device it was entered on.
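The scrub and re-hydrate round trip described above, as an added example that is not cnfgr's own code. The key-name heuristic, the random id format, the sample server definition and the dict standing in for a device's local secret store are assumptions; the page specifies only the ${secret:<id>} placeholder form.

```python
import re
import secrets

PLACEHOLDER = re.compile(r"\$\{secret:([A-Za-z0-9_-]+)\}")
# Assumption: key names that mark a value as secret (the page does not say how cnfgr detects them).
SECRET_KEY = re.compile(r"(key|token|secret|password|credential)", re.I)

def scrub(config, local_store):
    """Return a copy that is safe to sync; secret values move into local_store."""
    def walk(node):
        if isinstance(node, dict):
            out = {}
            for k, v in node.items():
                if isinstance(v, str) and SECRET_KEY.search(k) and not PLACEHOLDER.fullmatch(v):
                    sid = secrets.token_hex(8)        # constructed id format
                    local_store[sid] = v              # value stays on this device
                    out[k] = "${secret:%s}" % sid     # only this reference is synced
                else:
                    out[k] = walk(v)
            return out
        if isinstance(node, list):
            return [walk(x) for x in node]
        return node
    return walk(config)

def rehydrate(config, local_store):
    """Resolve placeholders from this device's store; fail closed if one is missing."""
    def resolve(match):
        sid = match.group(1)
        if sid not in local_store:
            raise KeyError(f"secret {sid} is not in this device's local store")
        return local_store[sid]
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(x) for x in node]
        if isinstance(node, str):
            return PLACEHOLDER.sub(resolve, node)
        return node
    return walk(config)

# Constructed sample: an MCP server definition with an API key in its env block.
SAMPLE = {"mcpServers": {"search": {"command": "npx", "args": ["-y", "search-mcp"],
          "env": {"SEARCH_API_KEY": "sk-test-constructed-123", "REGION": "eu"}}}}
```

Re-hydrating on a device whose store lacks the id raises instead of writing the literal placeholder into a tool's config, which makes a missing secret visible at write time.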
Encryption
Configuration state is encrypted at rest. The sync server is a relay and store — it does not decrypt or interpret your data.
Telemetry
Telemetry is opt-in. cnfgr does not collect usage data unless you choose to share it.
A note on hooks
Hook scripts are intentionally not synced. Synchronising executable hooks across machines is a security risk, so it is out of scope.