seekrit

Quickstart

This walkthrough runs the whole stack on your machine and encrypts your first secret with the CLI. It uses local development auth (no Stytch project required).

note

seekrit runs entirely on your Cloudflare account in production, but every part runs locally for development — no cloud resources needed to try it.

Prerequisites

  • Node.js ≥ 22 and pnpm ≥ 10
  • A clone of the repository

1. Install and build

pnpm install
pnpm build

2. Start the API

The API is a Cloudflare Worker. In development it runs against a local D1 database and a local KV namespace.

cd apps/api
cp .dev.vars.example .dev.vars   # enables AUTH_MODE=dev
pnpm db:migrate:local            # apply migrations to the local D1
pnpm dev                         # http://localhost:8787

AUTH_MODE=dev lets you authenticate with a simple x-seekrit-dev-user header instead of a real identity provider. It only works locally and is never enabled in production.

3. Encrypt a secret with the CLI

In a second terminal, from the repository root:

# Point the CLI at the local API as a dev user
alias seekrit="node $PWD/apps/cli/dist/index.js"
export SEEKRIT_PASSPHRASE=dev-only-passphrase

seekrit login --dev-user you@example.com --api-url http://localhost:8787
seekrit keys setup                 # generate your keypair (client-side)

seekrit org create --name "Acme" --slug acme
seekrit app create --org acme --name "Storefront" --slug storefront
seekrit env create --org acme --app storefront --name Production --slug production

seekrit init --org acme --app storefront --env production   # writes seekrit.json
seekrit secrets set DATABASE_URL 'postgres://user:pass@host/db'
tip

seekrit keys setup generates a P-256 keypair in the CLI and uploads only your public key and a passphrase-encrypted copy of your private key. Setting SEEKRIT_PASSPHRASE avoids the interactive prompt — omit it and you'll be asked.

4. Use your secrets

Inject decrypted secrets into any process, or print them:

seekrit run -- printenv DATABASE_URL
seekrit export --format dotenv
seekrit secrets list

Everything you just did was encrypted on your machine. The API only ever received ciphertext.

5. Try the web dashboard (optional)

cd apps/web
cp .env.example .env.local
pnpm dev            # http://localhost:3000

Sign in with the dev identity form, set up your keys, and manage the same orgs and secrets in the browser. To enable Google/GitHub sign-in, see the Web dashboard guide.

Next steps