Secrets are key-value pairs stored per environment. Both keys and values are encrypted at rest with AES-256-GCM.
Set Secrets
Single Secret
kfl secrets set DATABASE_URL=postgres://user:pass@host:5432/db \
  --project my-api \
  --env production
Multiple Secrets
kfl secrets set \
  DATABASE_URL=postgres://... \
  REDIS_URL=redis://... \
  API_SECRET=sk_live_... \
  --project my-api \
  --env production
Upload from .env File
Upload an entire .env file. This is a full override — all existing secrets are replaced.
kfl secrets upload .env.production --project my-api --env production
Upload replaces ALL secrets in the target environment. You’ll be prompted to confirm.
The file is parsed as a standard .env file:
# Comments are ignored
DATABASE_URL=postgres://user:pass@host:5432/db
REDIS_URL=redis://localhost:6379
# Multiline values with quotes
PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----"
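Because an upload replaces every secret in the target environment, it helps to see which existing keys the file would drop before confirming the prompt. The following is an added example, not part of Keyflare or its documentation: it reads key names from a .env file with a simplified parser (an approximation, not kfl's own) and compares them with the masked table that kfl secrets list prints. The function names and sample data are assumptions constructed for illustration.

```python
import re
# Constructed sample inputs (placeholder values, not real secrets).
SAMPLE_ENV = '''# Comments are ignored
DATABASE_URL=postgres://user:pass@host:5432/db
REDIS_URL=redis://localhost:6379
PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----"
'''
SAMPLE_LIST = '''KEY VALUE
DATABASE_URL ****
REDIS_URL ****
API_SECRET ****
STRIPE_KEY ****
'''
ASSIGN = re.compile(r'(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

def parse_env_keys(text):
    """Key names in .env text; errors cite line numbers, never values."""
    keys, lines = [], enumerate(text.splitlines(), 1)
    for num, line in lines:
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = ASSIGN.match(line.strip())
        if not m:
            raise ValueError(f"line {num}: expected KEY=VALUE")
        key, value = m.groups()
        rest = value[1:]
        # Quoted value: consume lines up to the closing quote (escapes not handled).
        while value[:1] in ('"', "'") and value[0] not in rest:
            _, rest = next(lines, (None, None))
            if rest is None:
                raise ValueError(f"line {num}: unterminated quote for {key}")
        keys.append(key)
    return keys

def parse_list_keys(text):
    """Key names from the masked KEY/VALUE table; the header row is skipped."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    return [r[0] for r in rows if r != ["KEY", "VALUE"]]

def upload_plan(env_text, list_text):
    """Effect of a full-override upload on the keys that exist today."""
    new, old = set(parse_env_keys(env_text)), set(parse_list_keys(list_text))
    return {"removed": sorted(old - new), "added": sorted(new - old),
            "replaced": sorted(old & new)}

if __name__ == "__main__":
    print(upload_plan(SAMPLE_ENV, SAMPLE_LIST))
```

Only key names are read or printed, so the resulting plan can be shared in a change review without exposing secret values.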
Get Secrets
Single Secret
kfl secrets get DATABASE_URL --project my-api --env production
# postgres://user:pass@host:5432/db
All Secrets (List)
kfl secrets list --project my-api --env production
Output:
KEY            VALUE
DATABASE_URL   ****
REDIS_URL      ****
API_SECRET     ****
STRIPE_KEY     ****
Delete Secrets
kfl secrets delete OLD_KEY --project my-api --env production
Using Defaults
Set default project and environment in your config:
# ~/.config/keyflare/config.yaml
api_url: "https://keyflare.account.workers.dev"
project: "my-api"
environment: "development"
Then you can omit those flags:
# Uses defaults from config
kfl secrets set DATABASE_URL=postgres://...
# Uses defaults for runtime injection
kfl run -- npm run dev
Next Steps
Using Secrets
Inject Secrets into runtimes.
API Keys
Create scoped keys for CI/CD and services.