Download Secrets

Download secrets in various formats:

# As .env format (default)
kfl secrets download --project my-api --env production

# As JSON
kfl secrets download --project my-api --env production --format json

# As YAML
kfl secrets download --project my-api --env production --format yaml

# To a file
kfl secrets download --project my-api --env production --output .env

Format Examples

.env
JSON
YAML

DATABASE_URL=postgres://user:pass@host:5432/db
REDIS_URL=redis://localhost:6379
API_SECRET=sk_live_abc123

{
  "DATABASE_URL": "postgres://user:pass@host:5432/db",
  "REDIS_URL": "redis://localhost:6379",
  "API_SECRET": "sk_live_abc123"
}

DATABASE_URL: postgres://user:pass@host:5432/db
REDIS_URL: redis://localhost:6379
API_SECRET: sk_live_abc123

Runtime Injection

The most common way to use secrets is injecting them at runtime:

# Inject secrets into a command
kfl run --project my-api --env production -- npm run build

# Start a dev server with secrets
kfl run --project my-api --env development -- npm run dev

# Run a Docker build with secrets
kfl run --project my-api --env production -- docker build -t my-api .

# Quoting is preserved for argv-based tools
kfl run --project my-api --env production -- node -e 'console.log(process.env.API_SECRET)'

# Use an explicit shell when you need shell operators or $VAR expansion
kfl run --project my-api --env production -- sh -c 'echo $API_SECRET | wc -c'

How it works:

Fetches all secrets for the specified project/environment
Sets them as environment variables
Spawns the command as a child process
Secrets exist only in memory — never written to disk

Example: GitHub Actions

Store the KEYFLARE_API_KEY in GitHub repository as a secret. Then:

# .github/workflows/deploy.yml
name: Deploy

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Keyflare CLI
        run: npm install -g @keyflare/cli
      
      - name: Deploy with secrets
        env:
          KEYFLARE_API_KEY: ${{ secrets.KEYFLARE_API_KEY }}
          KEYFLARE_API_URL: https://keyflare.your-account.workers.dev
        run: |
          kfl run --project my-api --env production -- npm run deploy

Docker

# Build with secrets
kfl run --project my-api --env production -- docker build -t my-api .

# Run with secrets
kfl run --project my-api --env production -- docker run my-api

Using Defaults

Set default project and environment in your config:

# ~/.config/keyflare/config.yaml
api_url: "https://keyflare.account.workers.dev"
project: "my-api"
environment: "development"

Then you can omit those flags:

# Uses defaults for runtime injection
kfl run -- npm run dev

Next Steps

API Keys

Create scoped keys for CI/CD and services.

Documentation Index

​Download Secrets

​Format Examples

​Runtime Injection

​Example: GitHub Actions

​Docker

​Using Defaults