CLI
The seekrit CLI injects a decrypted, layered environment into your processes. It decrypts
locally using the same keys as the web app — a service token's embedded key, or your
passphrase-unlocked private key. At runtime a service token selects the org, app, and
environment, so seekrit run needs nothing else.
For an exhaustive list of commands and flags, see the CLI reference.
Authentication
The CLI reads credentials from config or environment variables:
SEEKRIT_TOKEN— a service token (skt_…), for CI and machines.SEEKRIT_DEV_USER— a dev identity (local API withAUTH_MODE=dev).seekrit loginpersists these to~/.config/seekrit/config.json.
# machine / CI
export SEEKRIT_TOKEN=skt_...
export SEEKRIT_API_URL=https://api.your-seekrit.example
# or, for local development
seekrit login --dev-user you@example.com --api-url http://localhost:8787
Linking a project
seekrit init writes a seekrit.json naming the default org and app for management commands. It
is environment-independent — it never pins an environment — so it's safe to commit and behaves
the same everywhere.
seekrit init --org acme --app storefront
The environment is chosen at runtime by the service token (or the --env flag when you run
commands interactively).
Running with a service token
This is the primary path: the token carries its org, app, and environment.
export SEEKRIT_TOKEN=skt_...
seekrit run -- ./start-server # resolves & injects; no flags needed
seekrit export --format dotenv > .env
The resolved environment is layered, lowest precedence first:
group secrets < app-env secrets < .env file < process env
Add --explain to see where each variable came from, and --with <group>=<slug> to swap a single
group's slice for one run (see Environments & groups).
Running interactively (as a user)
Without a token, target the environment explicitly:
seekrit run --app storefront --env production -- npm run dev
seekrit export --app storefront --env production --format shell
Reading & writing individual secrets
Every secrets command targets an environment with --env plus --app (or --group); --org
comes from seekrit.json or a lone org.
seekrit secrets list --app storefront --env production
seekrit secrets get STRIPE_KEY --app storefront --env production
seekrit secrets set DATABASE_URL 'postgres://…' --app storefront --env production
printf '%s' "$TOKEN" | seekrit secrets set GITHUB_TOKEN --app storefront --env production
seekrit secrets rm OLD_KEY --group common --env production # a group's secret
Unlocking (users)
When authenticated as a user (not a service token), decryption needs your passphrase to unlock your private key. Set it non-interactively for scripts:
export SEEKRIT_PASSPHRASE='…'
Omit it and the CLI prompts. Service tokens don't need a passphrase — their key is in the token.
In CI and containers, prefer a service token granted only the environments it needs. It requires no passphrase and can be revoked independently. See Service tokens.
Building the CLI
From the monorepo, the CLI builds to a self-contained bundle:
pnpm --filter @seekrit/cli build
node apps/cli/dist/index.js --help