CLI Overview

Install and configure the SikkerKey command-line interface.

The SikkerKey CLI is a single-binary tool for reading, exporting, and injecting secrets from the command line. It authenticates using the same Ed25519 machine identity as the SDKs and is read-only by design: secrets are created and rotated in the dashboard.

Installation

npm install -g sikkerkey

Works on Linux, macOS, and Windows. Downloads the correct prebuilt binary for your platform automatically.

Or run without installing:

npx sikkerkey

Verify

sikkerkey version

Build from source

If you prefer to build from source, the CLI is a Go module with stdlib-only imports:

cd cli
go build -o sikkerkey .

Move the resulting sikkerkey binary onto your PATH (/usr/local/bin on Linux / macOS, or any directory listed in your PATH on Windows).

Prerequisites

The CLI requires a bootstrapped machine identity. Run the bootstrap command from the dashboard (Machines > + Validate) to register your machine and create the identity at ~/.sikkerkey/vaults/{vaultId}/.

First-Time Setup

After bootstrapping, you can read secrets right away. Access is determined by the grants on your machine in the dashboard, and the CLI resolves them live on every call.

If this machine is registered with only one vault, the CLI auto-selects it and no connect step is needed. Run connect only when more than one vault is bootstrapped:

# List vaults this machine knows about
sikkerkey connect --list

# Select which one to use (alias optional)
sikkerkey connect vault_abc123 --alias prod

Then read a secret, or list what you can access:

sikkerkey get sk_a1b2c3d4e5
sikkerkey list secrets

If your projects are grouped into applications, scope subsequent commands to one with sikkerkey set application (see Setup Commands):

sikkerkey set application app_a1b2c3d4e5

Command Categories

CategoryCommands
Setupconnect, set application
Configrename, delete
Secretsget
Operationsexport, run, list
Agentagent start, agent install, agent configure, agent list, agent stop, agent remove, agent test
Infowhoami, status, completion, version

Run sikkerkey <command> --help for details on any command.

Configuration

The CLI keeps its configuration locally, in two places. Both are local-only and never affect SikkerKey or other machines:

  • ~/.sikkerkey/cli_global.json holds the default vault, vault aliases, and the per-vault application scope set with set application.
  • ~/.sikkerkey/vaults/{vaultId}/ holds the machine identity (identity.json) and Ed25519 private key (private.pem) written by bootstrap.

Project and secret access is not stored locally; the CLI resolves grants live from SikkerKey on every call.

Shell Completion

# Bash
eval "$(sikkerkey completion bash)"

# Zsh
eval "$(sikkerkey completion zsh)"

# Fish
sikkerkey completion fish > ~/.config/fish/completions/sikkerkey.fish

Project and Application Scope

--project <name|id> scopes a single invocation to one project. It is accepted by export and run:

sikkerkey export --project production --format json
sikkerkey run --all --project production -- ./my-app

For a persistent scope, set an active application with sikkerkey set application <id>. list, export, and run --all then limit to that application's projects until you clear it with sikkerkey set application none. An explicit --project always overrides the application scope. get takes a secret ID directly and is not project-scoped.