seekrit

CLI

The seekrit CLI links a directory to an environment and injects decrypted secrets into your processes. It decrypts locally using the same keys as the web app — a service token's embedded key, or your passphrase-unlocked private key.

For an exhaustive list of commands and flags, see the CLI reference.

Authentication

The CLI reads credentials from config or environment variables:

  • SEEKRIT_TOKEN — a service token (skt_…), for CI and machines.
  • SEEKRIT_DEV_USER — a dev identity (local API with AUTH_MODE=dev).
  • seekrit login persists these to ~/.config/seekrit/config.json.

# machine / CI
export SEEKRIT_TOKEN=skt_...
export SEEKRIT_API_URL=https://api.your-seekrit.example

# or, for local development
seekrit login --dev-user you@example.com --api-url http://localhost:8787

Linking a project

seekrit init writes a seekrit.json in the current directory that pins the org, app, and environment. Commit it — it contains only ids, no secrets.

seekrit init --org acme --app storefront --env production

Commands that operate on secrets (list, get, set, run, export) use the linked environment from the nearest seekrit.json.

Using secrets

Run a command with secrets injected into its environment:

seekrit run -- ./start-server
seekrit run -- npm run dev

Export them in a format you can source or write to a file:

seekrit export --format dotenv > .env
seekrit export --format json
eval "$(seekrit export --format shell)"
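
An exported `.env` holds decrypted secrets, and `~/.config/seekrit/config.json` holds whatever credentials `seekrit login` persisted. The check below is an added example, not part of seekrit or its documentation: it flags either file if group or others can access it, or if it sits unignored in a git work tree. The function names are hypothetical, and it assumes the config file stores credentials in readable form.

```shell
#!/bin/sh
# Added example (not seekrit code). Assumption: config.json and exported
# .env files contain usable credentials once they are written to disk.

# audit_secret_file PATH
# Returns 0 if PATH is absent or safely stored, 1 if any check fails.
audit_secret_file() {
  f=$1
  rc=0
  if [ ! -e "$f" ]; then
    echo "ok    $f (not present)"
    return 0
  fi

  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -ldL "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL  $f is accessible to group/others; run: chmod 600 $f"
    rc=1
  fi

  # Inside a git work tree the file must be ignored so it cannot be committed.
  dir=$(dirname "$f")
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if ! git -C "$dir" check-ignore -q "$(basename "$f")"; then
      echo "FAIL  $f is not covered by .gitignore"
      rc=1
    fi
  fi

  if [ "$rc" -eq 0 ]; then
    echo "ok    $f"
  fi
  return "$rc"
}

# audit_seekrit_files [EXPORT_PATH...]
# Checks the CLI config named on this page plus any export targets given.
audit_seekrit_files() {
  failed=0
  for p in "${HOME:-.}/.config/seekrit/config.json" "$@"; do
    audit_secret_file "$p" || failed=1
  done
  return "$failed"
}
```

Run `audit_seekrit_files .env` from the project directory after an export; a non-zero exit status can gate a pre-commit hook. `seekrit.json` is deliberately not checked, since it contains only ids and is meant to be committed.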

Read or write individual secrets:

seekrit secrets list
seekrit secrets get STRIPE_KEY
seekrit secrets set DATABASE_URL 'postgres://…'
printf '%s' "$TOKEN" | seekrit secrets set GITHUB_TOKEN   # from stdin
seekrit secrets rm OLD_KEY

Unlocking (users)

When authenticated as a user (not a service token), decryption needs your passphrase to unlock your private key. Set it non-interactively for scripts:

export SEEKRIT_PASSPHRASE='…'

Omit it and the CLI prompts. Service tokens don't need a passphrase — their key is in the token.

Tip

In CI and containers, prefer a service token granted only the environments it needs. It requires no passphrase and can be revoked independently. See Service tokens.

Building the CLI

From the monorepo, the CLI builds to a self-contained bundle:

pnpm --filter @seekrit/cli build
node apps/cli/dist/index.js --help