CLI Overview
Install and configure the SikkerKey command-line interface.
The SikkerKey CLI is a single-binary tool for reading, exporting, and injecting secrets from the command line. It authenticates using the same Ed25519 machine identity as the SDKs and is read-only by design: secrets are created and rotated in the dashboard.
Installation
npm (recommended)
npm install -g sikkerkey
Works on Linux, macOS, and Windows. Downloads the correct prebuilt binary for your platform automatically.
Or run without installing:
npx sikkerkey
Verify
sikkerkey version
Build from source
If you prefer to build from source, the CLI is a Go module with stdlib-only imports:
cd cli
go build -o sikkerkey .
Move the resulting sikkerkey binary onto your PATH (/usr/local/bin on Linux / macOS, or any directory listed in your PATH on Windows).
Prerequisites
The CLI requires a bootstrapped machine identity. Run the bootstrap command from the dashboard (Machines > + Validate) to register your machine and create the identity at ~/.sikkerkey/vaults/{vaultId}/.
First-Time Setup
After bootstrapping, you can read secrets right away. Access is determined by the grants on your machine in the dashboard, and the CLI resolves them live on every call.
If this machine is registered with only one vault, the CLI auto-selects it and no connect step is needed. Run connect only when more than one vault is bootstrapped:
# List vaults this machine knows about
sikkerkey connect --list
# Select which one to use (alias optional)
sikkerkey connect vault_abc123 --alias prod
Then read a secret, or list what you can access:
sikkerkey get sk_a1b2c3d4e5
sikkerkey list secrets
If your projects are grouped into applications, scope subsequent commands to one with sikkerkey set application (see Setup Commands):
sikkerkey set application app_a1b2c3d4e5
Command Categories
| Category | Commands |
|---|---|
| Setup | connect, set application |
| Config | rename, delete |
| Secrets | get |
| Operations | export, run, list |
| Agent | agent start, agent install, agent configure, agent list, agent stop, agent remove, agent test |
| Info | whoami, status, completion, version |
Run sikkerkey <command> --help for details on any command.
Configuration
The CLI keeps its configuration locally, in two places. Both are local-only and never affect SikkerKey or other machines:
~/.sikkerkey/cli_global.jsonholds the default vault, vault aliases, and the per-vault application scope set withset application.~/.sikkerkey/vaults/{vaultId}/holds the machine identity (identity.json) and Ed25519 private key (private.pem) written by bootstrap.
Project and secret access is not stored locally; the CLI resolves grants live from SikkerKey on every call.
Shell Completion
# Bash
eval "$(sikkerkey completion bash)"
# Zsh
eval "$(sikkerkey completion zsh)"
# Fish
sikkerkey completion fish > ~/.config/fish/completions/sikkerkey.fish
Project and Application Scope
--project <name|id> scopes a single invocation to one project. It is accepted by export and run:
sikkerkey export --project production --format json
sikkerkey run --all --project production -- ./my-app
For a persistent scope, set an active application with sikkerkey set application <id>. list, export, and run --all then limit to that application's projects until you clear it with sikkerkey set application none. An explicit --project always overrides the application scope. get takes a secret ID directly and is not project-scoped.