Operations

Export secrets, inject environment variables, and list resources.

export

Export secrets in multiple formats. Uses the batch export endpoint for efficient retrieval (single round trip per project).

# Default: KEY=value format
sikkerkey export

# JSON
sikkerkey export --format json

# Dotenv (quoted values)
sikkerkey export --format dotenv > .env

# YAML
sikkerkey export --format yaml

# Single project only
sikkerkey export --project production --format json

Without --project, exports all secrets across all unlocked projects. Structured secrets are flattened: SECRETNAME_FIELDNAME=value.

Formats

Format    Output
env       KEY=value (default)
json      {"KEY": "value"} (pretty-printed)
yaml      KEY: "value"
dotenv    KEY="value" (quoted)

Name Conversion

Secret names are converted to environment variable format:

  • Uppercase
  • Non-alphanumeric characters replaced with _
  • Consecutive underscores collapsed
  • Leading/trailing underscores trimmed

Examples: "Database Password" becomes DATABASE_PASSWORD. "api-key" becomes API_KEY. A structured secret "DB Creds" with field "password" becomes DB_CREDS_PASSWORD.
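The conversion rules above, written out as an added example (not SikkerKey's own code) that checks a secret inventory for names that collapse to the same variable, or to a name a POSIX shell cannot assign. It assumes "alphanumeric" means ASCII and that a structured secret's name and field are converted separately and joined with `_`; the page does not say how the CLI resolves a collision. The inventory and the `prefix` argument (modelled on `--prefix`) are constructed for illustration.

```python
import re
from collections import defaultdict

def env_name(name):
    """Apply the four documented rules in order."""
    s = re.sub(r"[^A-Z0-9]", "_", name.upper())  # assumption: ASCII alphanumerics only
    return re.sub(r"_+", "_", s).strip("_")       # collapse runs, trim the ends

def flatten(inventory, prefix=""):
    """Map each variable name to every secret (or secret.field) that produces it."""
    out = defaultdict(list)
    for name, fields in inventory.items():
        if fields is None:                        # plain secret
            out[prefix + env_name(name)].append(name)
            continue
        for field in fields:                      # structured: SECRETNAME_FIELDNAME
            # Assumption: each part is converted on its own, then joined with "_".
            var = f"{env_name(name)}_{env_name(field)}"
            out[prefix + var].append(f"{name}.{field}")
    return dict(out)

# Names a POSIX shell accepts in an assignment.
VALID = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def audit(inventory, prefix=""):
    """Return (collisions, invalid) for the variable names an inventory yields."""
    names = flatten(inventory, prefix)
    collisions = {v: src for v, src in names.items() if len(src) > 1}
    invalid = sorted(v for v in names if not VALID.fullmatch(v))
    return collisions, invalid

# Constructed inventory: secret name -> None (plain) or list of field names.
SAMPLE = {
    "Database Password": None,
    "api-key": None,
    "api_key": None,                      # same variable as "api-key"
    "DB Creds": ["password", "user"],
    "db-creds-user": None,                # same variable as "DB Creds".user
    "2fa seed": None,                     # variable would start with a digit
}

if __name__ == "__main__":
    for prefix in ("", "MYAPP_"):
        collisions, invalid = audit(SAMPLE, prefix)
        print(f"prefix={prefix!r}")
        for var, sources in collisions.items():
            print(f"  collision: {var} <- {sources}")
        for var in invalid:
            print(f"  not a valid shell variable name: {var!r}")
```

With this sample, a prefix makes the digit-leading name valid but does nothing for the two collisions, which only a rename of one of the secrets removes.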

run

Inject secrets as environment variables and run a command. You must specify which secrets to inject -- either specific secrets with --secret or all accessible secrets with --all.

# Inject specific secrets
sikkerkey run --secret sk_db_password --secret sk_api_key -- node server.js

# Inject all secrets from a project
sikkerkey run --all --project production -- ./deploy.sh

# Inject all accessible secrets
sikkerkey run --all -- python app.py

How it Works

  1. Fetches the specified secrets (or all with --all)
  2. Converts each secret to environment variables (same naming as export)
  3. Structured secrets expand to one variable per field
  4. Starts the child process with the combined environment
  5. Forwards SIGINT and SIGTERM to the child
  6. Exits with the child's exit code

Watch Mode

Pass --watch to automatically restart the process when secrets change. The CLI polls for changes every 15 seconds.

# Restart when the secret rotates
sikkerkey run --watch --secret sk_db_password -- node server.js

# Watch all secrets in a project
sikkerkey run --watch --all --project production -- ./my-app

When a change is detected, the CLI sends SIGTERM to the child process, re-fetches the updated secrets, and restarts the process with the new environment variables. If the process exits on its own (crash), the CLI waits for the next secret change before restarting.

Dry Run

Preview what environment variables would be injected without running anything:

sikkerkey run --all --dry-run
sikkerkey run --all --dry-run --show-values
sikkerkey run --secret sk_db_password --dry-run --show-values

Flags

Flag               Description
--secret <id>      Inject a specific secret (repeatable)
--all              Inject all accessible secrets
--project <name>   Scope --all to a specific project
--watch            Poll for changes and restart the process automatically
--prefix <str>     Prefix all injected variable names
--dry-run          Show variables without running anything
--show-values      Show actual values in dry-run (default: masked with ****)

Examples

# Run a Node.js server with two specific secrets
sikkerkey run --secret sk_db_password --secret sk_stripe_key -- node server.js

# Run with prefixed variables (DB_CREDS_PASSWORD becomes MYAPP_DB_CREDS_PASSWORD)
sikkerkey run --all --prefix MYAPP_ -- python manage.py runserver

# Auto-restart on secret rotation
sikkerkey run --watch --all --project production -- ./my-app

# Preview what will be injected
sikkerkey run --all --project production --dry-run

list

List secrets, vaults, or projects.

# List all accessible secrets, grouped by project
sikkerkey list secrets

# List bootstrapped vaults on this machine (* = default)
sikkerkey list vaults

# List unlocked projects in the current vault (* = default)
sikkerkey list projects

secrets

Shows all secrets the machine has access to, grouped by project. Each entry shows the secret name and ID. Structured secrets are marked with [structured].

vaults

Shows all bootstrapped vault identities on this machine. The currently active vault is marked with *.

projects

Shows all unlocked projects in the current vault. The default project is marked with *. Shows the project ID and alias.