seekrit

CLI commands

seekrit <command> [options]. Commands that touch secrets operate on the environment linked by the nearest seekrit.json (see seekrit init).

Environment variables

VariablePurpose
SEEKRIT_TOKENService token (skt_…) used to authenticate.
SEEKRIT_DEV_USERDev identity email (local API with AUTH_MODE=dev).
SEEKRIT_API_URLAPI base URL (overrides saved config).
SEEKRIT_PASSPHRASEPassphrase to unlock your private key non-interactively.

Precedence: environment variables override values saved by seekrit login in ~/.config/seekrit/config.json.

Auth & identity

seekrit login

Persist credentials to the config file.

FlagDescription
--token <token>Service token (skt_…).
--dev-user <email>Dev identity (local AUTH_MODE=dev).
--api-url <url>API base URL.

seekrit whoami

Show the authenticated identity and the organizations it can access.

seekrit keys setup

Generate your P-256 keypair and upload your public key plus a passphrase-encrypted private key. Run once per account. Honors SEEKRIT_PASSPHRASE, otherwise prompts.

Resources

seekrit org create

--name <name> --slug <slug> — create an organization (you become owner).

seekrit app create

--org <slug> --name <name> --slug <slug> — create an application in an org.

seekrit env create

--org <slug> --app <slug> --name <name> --slug <slug> — create an environment. Generates the environment's data key locally and wraps it to your public key.

seekrit init

--org <slug> --app <slug> --env <slug> — write seekrit.json linking this directory to an environment. Safe to commit (ids only).

Secrets

All operate on the linked environment.

CommandDescription
seekrit secrets listList secret names, versions, and update times (no values).
seekrit secrets get <name>Decrypt and print one value.
seekrit secrets set <name> [value]Encrypt and store a value. Reads stdin if value is omitted or -.
seekrit secrets rm <name>Delete a secret.

Running & exporting

seekrit run -- <command…>

Run a command with all decrypted secrets injected into its environment. Everything after -- is the command to execute.

seekrit run -- ./start-server

seekrit export

Print all decrypted secrets. --format <dotenv|json|shell> (default dotenv).

Access

seekrit grant

Grant the linked environment's key to a principal. Exactly one of:

FlagDescription
--user <email>Grant to an org member (must have completed key setup).
--token <tokenId>Grant to a service token (skt_…).

Service tokens

CommandDescription
seekrit token create --name <name> [--grant]Mint a token; prints it once. --grant also grants the linked environment.
seekrit token listList tokens with status and last-used time.
seekrit token revoke <tokenId>Revoke a token.

Audit

seekrit audit

Print the org's audit trail. --limit <n> (default 50).