Features
Secret Promotion
Copy secrets from one environment to another. Useful for preparing a release — promote from development to staging to production with a single command.
CLI Usage
Promote all secrets
secr promote --from development --to stagingDry run
Preview what would be promoted without making any changes:
secr promote --from development --to staging --dry-runOverwrite existing secrets
By default, secrets that already exist in the target environment are skipped. Use --overwrite to update them:
secr promote --from staging --to production --overwritePromote specific keys
Pass a comma-separated list of keys to promote only a subset:
secr promote --from development --to staging \
--keys DATABASE_URL,REDIS_URL,API_KEYOptions
| Option | Type | Required | Description |
|---|---|---|---|
| --from | string | Yes | Source environment to copy secrets from |
| --to | string | Yes | Target environment to copy secrets to |
| --keys | string | No | Comma-separated list of keys to promote (default: all) |
| --overwrite | flag | No | Overwrite secrets that already exist in the target |
| --dry-run | flag | No | Preview changes without applying them |
API Usage
Endpoint
POST /secrets/:orgSlug/:projectSlug/promoteRequest body
request.json
{
"fromEnv": "development",
"toEnv": "staging",
"keys": ["DATABASE_URL", "REDIS_URL"],
"overwrite": false
}| Option | Type | Required | Description |
|---|---|---|---|
| fromEnv | string | Yes | Source environment name |
| toEnv | string | Yes | Target environment name |
| keys | string[] | No | Specific keys to promote (default: all) |
| overwrite | boolean | false | Whether to overwrite existing secrets |
Response
response.json
{
"promoted": 2,
"created": 1,
"updated": 1,
"skipped": 0
}Errors
| Status | Reason |
|---|---|
| 400 | Source and target environments are the same |
| 403 | Viewer role or no access to the project |
| 404 | Organization, project, or environment not found |
How It Works
- Resolves source and target environments, checks RBAC permissions
- Fetches all active secrets from the source environment (filtered by keys if specified)
- For each secret:
- Key does not exist in target → create
- Key exists and
overwriteis false → skip - Key exists and
overwriteis true → update
- An audit log entry is written with the action
secret.promote
Secrets are transferred at the encryption layer and are not decrypted or re-encrypted during promotion.
Streamline your deployments
secr promote --from staging --to production