Quickstart
This walkthrough runs the whole stack on your machine and encrypts your first secret with the CLI. It uses local development auth (no Stytch project required).
seekrit runs entirely on your Cloudflare account in production, but every part runs locally for development — no cloud resources needed to try it.
Prerequisites
- Node.js ≥ 22 and pnpm ≥ 10
- A clone of the repository
1. Install and build
```sh
pnpm install
pnpm build
```
2. Start the API
The API is a Cloudflare Worker. In development it runs against a local D1 database and a local KV namespace.
```sh
cd apps/api
cp .dev.vars.example .dev.vars   # enables AUTH_MODE=dev
pnpm db:migrate:local            # apply migrations to the local D1
pnpm dev                         # http://localhost:8787
```
AUTH_MODE=dev lets you authenticate with a simple x-seekrit-dev-user header instead of a real
identity provider. It only works locally and is never enabled in production.
3. Encrypt a secret with the CLI
In a second terminal, from the repository root:
```sh
# Point the CLI at the local API as a dev user
alias seekrit="node $PWD/apps/cli/dist/index.js"
export SEEKRIT_PASSPHRASE=dev-only-passphrase
seekrit login --dev-user you@example.com --api-url http://localhost:8787
seekrit keys setup   # generate your keypair (client-side)
seekrit org create --name "Acme" --slug acme
seekrit app create --org acme --name "Storefront" --slug storefront
seekrit env create --org acme --app storefront --name Production --slug production
seekrit init --org acme --app storefront --env production   # writes seekrit.json
seekrit secrets set DATABASE_URL 'postgres://user:pass@host/db'
```
seekrit keys setup generates a P-256 keypair in the CLI and uploads only your public key and a
passphrase-encrypted copy of your private key. Setting SEEKRIT_PASSPHRASE avoids the
interactive prompt — omit it and you'll be asked.
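The client-side pattern described above, as an added example that is not seekrit's own code: a P-256 keypair is generated locally, and the only values prepared for upload are the public key and a passphrase-encrypted copy of the private key. The KDF (scrypt), the cipher (AES-256-GCM), the field names and the function names are assumptions; the page states only the curve and that the private key is passphrase-encrypted.

```javascript
const crypto = require("node:crypto");

// Assumption: scrypt (Node defaults) as the KDF and AES-256-GCM as the wrapping cipher.
const deriveKey = (passphrase, salt) => crypto.scryptSync(passphrase, salt, 32);

// Generate a P-256 keypair locally and build the only data that would be uploaded.
function setupKeys(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "prime256v1", // OpenSSL's name for NIST P-256
  });
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const pkcs8 = privateKey.export({ type: "pkcs8", format: "der" });
  const ciphertext = Buffer.concat([cipher.update(pkcs8), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return {
    publicKey: b64(publicKey.export({ type: "spki", format: "der" })),
    wrappedPrivateKey: {
      salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ciphertext: b64(ciphertext),
    },
  };
}

// Recover the private key on the client. A wrong passphrase or a modified blob
// fails the GCM tag check and throws instead of returning a garbage key.
function unlockPrivateKey(wrapped, passphrase) {
  const raw = (s) => Buffer.from(s, "base64");
  const key = deriveKey(passphrase, raw(wrapped.salt));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw(wrapped.iv));
  decipher.setAuthTag(raw(wrapped.tag));
  const pkcs8 = Buffer.concat([decipher.update(raw(wrapped.ciphertext)), decipher.final()]);
  return crypto.createPrivateKey({ key: pkcs8, format: "der", type: "pkcs8" });
}

// Check that an unlocked private key belongs to the uploaded public key.
function matchesPublicKey(privateKey, publicKeyB64) {
  const derived = crypto.createPublicKey(privateKey).export({ type: "spki", format: "der" });
  return derived.toString("base64") === publicKeyB64;
}

const upload = setupKeys("dev-only-passphrase"); // passphrase value from the walkthrough
const unlocked = unlockPrivateKey(upload.wrappedPrivateKey, "dev-only-passphrase");
console.log("upload fields:", Object.keys(upload), "match:", matchesPublicKey(unlocked, upload.publicKey));
```

Because the wrapped blob is authenticated, a server that stores it cannot swap in a different private key without the client noticing at unlock time.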
4. Use your secrets
Inject decrypted secrets into any process, or print them:
```sh
seekrit run -- printenv DATABASE_URL
seekrit export --format dotenv
seekrit secrets list
```
Everything you just did was encrypted on your machine. The API only ever received ciphertext.
5. Try the web dashboard (optional)
```sh
cd apps/web
cp .env.example .env.local
pnpm dev   # http://localhost:3000
```
Sign in with the dev identity form, set up your keys, and manage the same orgs and secrets in the browser. To enable Google/GitHub sign-in, see the Web dashboard guide.
Next steps
- Understand the encryption model
- Create service tokens for CI and containers
- Browse the CLI command reference