Getting Started

Up and running in 2 minutes

Install the CLI, create your account, and start managing secrets securely. No infrastructure to set up — secr handles encryption, access control, and audit logging for you.

1

Create your account

Sign up for a free account. You'll get an organization and can invite your team later.

Create Free Account
2

Install the CLI

Homebrew (macOS / Linux)
brew tap secr-dev/secr
brew install secr
npm
npm install -g @secr/cli

Verify the installation:

secr --version
3

Log in

Authenticate the CLI with your secr account. This opens your browser to complete the login.

secr login

For CI/CD or headless environments, use a token instead:

secr login --token secr_tok_...
4

Create your first project

Run secr init in your project directory. It creates a project on secr with default environments (development, staging, production) and links your local directory.

cd my-app
secr init

This creates a .secr.json file in your project. Commit this file — it contains no secrets, just your org, project, and default environment.

5

Add your secrets

Set individual secrets or import an existing .env file. Secrets are encrypted with AES-256-GCM before storage.

Set secrets individually
secr set DATABASE_URL=postgres://...
secr set STRIPE_KEY=sk_live_...
secr set --env production API_KEY=sk_prod_...
Import from an existing .env file
secr set --from-env .env
6

Use your secrets

Option A: Inject at runtime (recommended)

Run your app with secr run. Secrets are injected as environment variables without ever touching disk.

secr run "npm start"
secr run "node server.js"
secr run --env staging "npm start"

Option B: Pull to a file

Export secrets in .env format for tools that need a file:

secr pull --format dotenv > .env.local
secr pull --format json

What's next?

Invite your team

Add members with role-based access from the dashboard.

Set up CI/CD

Inject secrets in GitHub Actions, Vercel, or Netlify.

Enable secret scanning

Detect leaked secrets and install a pre-commit guard.

Promote between environments

Copy secrets from dev to staging to production.

Define required keys

Use templates to catch missing secrets before deploy.

Explore the CLI

Full command reference for power users.

Enterprise-grade security by default

  • AES-256-GCM encryption — every secret is encrypted at rest with a unique project key
  • Role-based access control — owner, admin, developer, and viewer roles with environment-level scoping
  • Full audit trail — every read, write, and delete is logged with who, when, and from where
  • Key rotation — rotate your project encryption key at any time with zero downtime

Ready to go?

npm i -g @secr/cli

secr login

secr init

Create Free AccountBack to Docs