CLI
The seekrit CLI links a directory to an environment and injects decrypted secrets into your
processes. It decrypts locally using the same keys as the web app — a service token's embedded
key, or your passphrase-unlocked private key.
For an exhaustive list of commands and flags, see the CLI reference.
Authentication
The CLI reads credentials from config or environment variables:
SEEKRIT_TOKEN— a service token (skt_…), for CI and machines.SEEKRIT_DEV_USER— a dev identity (local API withAUTH_MODE=dev).seekrit loginpersists these to~/.config/seekrit/config.json.
# machine / CI
export SEEKRIT_TOKEN=skt_...
export SEEKRIT_API_URL=https://api.your-seekrit.example
# or, for local development
seekrit login --dev-user you@example.com --api-url http://localhost:8787
Linking a project
seekrit init writes a seekrit.json in the current directory that pins the org, app, and
environment. Commit it — it contains only ids, no secrets.
seekrit init --org acme --app storefront --env production
Commands that operate on secrets (list, get, set, run, export) use the linked
environment from the nearest seekrit.json.
Using secrets
Run a command with secrets injected into its environment:
seekrit run -- ./start-server
seekrit run -- npm run dev
Export them in a format you can source or write to a file:
seekrit export --format dotenv > .env
seekrit export --format json
eval "$(seekrit export --format shell)"
Read or write individual secrets:
seekrit secrets list
seekrit secrets get STRIPE_KEY
seekrit secrets set DATABASE_URL 'postgres://…'
printf '%s' "$TOKEN" | seekrit secrets set GITHUB_TOKEN # from stdin
seekrit secrets rm OLD_KEY
Unlocking (users)
When authenticated as a user (not a service token), decryption needs your passphrase to unlock your private key. Set it non-interactively for scripts:
export SEEKRIT_PASSPHRASE='…'
Omit it and the CLI prompts. Service tokens don't need a passphrase — their key is in the token.
In CI and containers, prefer a service token granted only the environments it needs. It requires no passphrase and can be revoked independently. See Service tokens.
Building the CLI
From the monorepo, the CLI builds to a self-contained bundle:
pnpm --filter @seekrit/cli build
node apps/cli/dist/index.js --help