release

dotMage 2.0 — teams, same product, same license

July 3, 2026

dotMage started as a solo tool — one person, many machines. Then the obvious happened: people brought it to work and shared one master password between colleagues. That works until someone leaves. 2.0 makes the team a first-class citizen: each member has their own password wrapping the shared vault key, the server enforces roles, and offboarding is one command instead of a prayer. Solo users: your workflow is byte-for-byte unchanged — and everything stays AGPL, there is no "enterprise edition".

Highlights

Your own password, a shared vault

# owner
$ dmage user invite kolya --role editor
  dmage_uinv_eyJp...        # one-time token, send privately

# kolya, on his machine
$ dmage auth --invite dmage_uinv_eyJp...
  ✓ Joined as 'kolya' (editor). Key cached.
  your password is yours alone — nobody else on the team knows it

The invitation carries the vault key sealed with a key that lives only inside the token — the server stores a blob it cannot open. One-time use, 24-hour TTL.

Roles the server actually enforces

owner manages people, rotates keys, deletes; editor pushes and pulls; viewer reads. The audit log now names people, not just devices. Honest limit, documented in the threat model: roles are authorization, not cryptography — every member holds the vault key.

Offboarding that actually works

$ dmage user rm kolya
  ✓ removed 'kolya' (1 device(s) revoked)
  Rotate the Account Key now (recommended)? [Y/n]

Wraps deleted, devices revoked, and the chained key rotation (from 1.4) makes their cached key useless for anything pushed afterwards. The docs spell out the two things software can't do for you: rotate the secret values they saw, and destroy pre-rotation backups.

Migrating from a shared password

Been sharing one master password with a colleague? The docs now have a step-by-step runbook: invite them properly, rotate the key, change your password — the shared password dies completely.

Solo users

Nothing changes. The server defaults to DOTMAGE_MODE=solo where team endpoints don't even exist, your output is identical, and your account silently became a "team of one" during migration — ready if you ever need it.

Changelog

Added

Security

Downloads

Binaries and SHA256SUMS: github.com/dotMage/dotmage/releases/tag/v2.0.0

dmage upgrade               # self-update
brew upgrade dotmage        # Homebrew
◂ All posts