Team sync (Pro Plus)

Pro Plus. Settings → Pro Plus → Team sync — share connection profiles + saved queries with teammates. Everything is end-to-end encrypted client-side; the licence server only stores ciphertext.

| Kind | What it includes |
| --- | --- |
| Connections | Connection profile JSON, including credentials. Encrypted client-side. |
| Saved queries | Per-connection query bookmarks |

Two kinds, two sync slots. Both go through the same passphrase-derived key.

  1. Pick a passphrase (Diceware-style suggestion offered, same as .qenc). The passphrase is the only secret — losing it means losing access to the synced data + needing a fresh upload.
  2. Push — encrypts your local state with AES-256-GCM under the passphrase + uploads the ciphertext to https://license.quay.uncle-z.com/v1/sync/<kind>. The licence server stores it as opaque bytes.
  3. Pull — fetches the ciphertext, decrypts locally with the passphrase, merges into your local state.

The licence server never sees the plaintext. Even if the storage is compromised, the attacker has only ciphertext, and every passphrase guess against it has to go through the Argon2id key derivation.

Pro Plus also surfaces a workspaces concept — a workspace is a named set of connections + queries that get synced as a bundle. A team typically maintains:

  • quay-team workspace with shared dev / staging connections
  • Each member also has their own personal workspace for one-off bookmarks

Switch workspaces in the rail header (⌘⇧W). Each workspace has its own passphrase + sync slots.

Quay doesn’t try to solve “how does the team agree on a passphrase”. That’s a 1Password / Bitwarden / shared-vault problem outside Quay’s scope. The recommended workflow:

  1. One team member generates a strong passphrase (the suggested 6-word string is fine)
  2. Drops it into the team’s password manager under “Quay team-sync key”
  3. Each member adds the passphrase to their Quay copy + pulls

Passphrase rotation: change the passphrase locally, push (uploads new ciphertext), tell the team. Old passphrases stop decrypting the new ciphertext as soon as the new push lands. There’s no “key revocation” — anyone with the old passphrase + a copy of old ciphertext from before the rotation can still decrypt that older copy.

When two members have both modified their local copy and pushed, the server applies last-write-wins; the loser sees a “diverged from server” warning on next pull and gets a side-by-side merge dialog with per-row choices.

Diverged frequently? That usually means the team’s passphrase is getting passed around without the team coordinating when to push. Workspaces help: split into multiple narrower workspaces so two members aren’t both editing the same connection list.

  • Passphrase loss = data loss. No recovery path. The licence server cannot decrypt without the passphrase. Treat it like any other E2E-encrypted system.
  • No real-time sync. Push / pull are explicit actions. No background polling. (We’ve avoided this on purpose — silently overwriting a teammate’s local edit because Quay polled is the exact failure mode the manual approach prevents.)
  • One workspace at a time per session. Switching workspaces closes all open sessions in the previous workspace. By design — workspaces represent different security domains.
  • vs sharing connection JSON via Git: Git doesn’t encrypt credentials by default. You’d need git-crypt or 1Password references; that’s basically what this is, just integrated.
  • vs 1Password “share connection” features: 1Password is per-credential. Quay’s sync is per-workspace — a logical grouping of credentials + queries — which matches how teams actually use the data.
  • vs centralised database admin tools (Tableau / Metabase / Retool): those store credentials server-side (often in plaintext or with a server-side key). Quay’s E2E encryption avoids that trust escalation.