CLI commands
seekrit <command> [options]. Commands that touch secrets operate on the environment linked by
the nearest seekrit.json (see seekrit init).
Environment variables
| Variable | Purpose |
|---|---|
SEEKRIT_TOKEN | Service token (skt_…) used to authenticate. |
SEEKRIT_DEV_USER | Dev identity email (local API with AUTH_MODE=dev). |
SEEKRIT_API_URL | API base URL (overrides saved config). |
SEEKRIT_PASSPHRASE | Passphrase to unlock your private key non-interactively. |
Precedence: environment variables override values saved by seekrit login in
~/.config/seekrit/config.json.
Auth & identity
seekrit login
Persist credentials to the config file.
| Flag | Description |
|---|---|
--token <token> | Service token (skt_…). |
--dev-user <email> | Dev identity (local AUTH_MODE=dev). |
--api-url <url> | API base URL. |
seekrit whoami
Show the authenticated identity and the organizations it can access.
seekrit keys setup
Generate your P-256 keypair and upload your public key plus a passphrase-encrypted private key.
Run once per account. Honors SEEKRIT_PASSPHRASE, otherwise prompts.
Resources
seekrit org create
--name <name> --slug <slug> — create an organization (you become owner).
seekrit app create
--org <slug> --name <name> --slug <slug> — create an application in an org.
seekrit env create
--org <slug> --app <slug> --name <name> --slug <slug> — create an environment. Generates the
environment's data key locally and wraps it to your public key.
seekrit init
--org <slug> --app <slug> --env <slug> — write seekrit.json linking this directory to an
environment. Safe to commit (ids only).
Secrets
All operate on the linked environment.
| Command | Description |
|---|---|
seekrit secrets list | List secret names, versions, and update times (no values). |
seekrit secrets get <name> | Decrypt and print one value. |
seekrit secrets set <name> [value] | Encrypt and store a value. Reads stdin if value is omitted or -. |
seekrit secrets rm <name> | Delete a secret. |
Running & exporting
seekrit run -- <command…>
Run a command with all decrypted secrets injected into its environment. Everything after -- is
the command to execute.
seekrit run -- ./start-server
seekrit export
Print all decrypted secrets. --format <dotenv|json|shell> (default dotenv).
Access
seekrit grant
Grant the linked environment's key to a principal. Exactly one of:
| Flag | Description |
|---|---|
--user <email> | Grant to an org member (must have completed key setup). |
--token <tokenId> | Grant to a service token (skt_…). |
Service tokens
| Command | Description |
|---|---|
seekrit token create --name <name> [--grant] | Mint a token; prints it once. --grant also grants the linked environment. |
seekrit token list | List tokens with status and last-used time. |
seekrit token revoke <tokenId> | Revoke a token. |
Audit
seekrit audit
Print the org's audit trail. --limit <n> (default 50).