CLI · Requires Node.js 18+

Get Keyra

Bring Keyra to your terminal. Push, pull, and share secrets without leaving your workflow.

Keyra CLI

The core tool. Push, pull, and share secrets directly from your terminal.

npm install -g keyra-cli

Requires Node.js 18+

Works on macOS, Linux, Windows

AES-256-GCM client-side encryption

Zero plaintext on server

Push & pull .env files

One-time encrypted share links

Git Guardian pre-commit hook

Breach scan via HaveIBeenPwned

Validate .env against vault (CI/CD ready)

Per-project password support

Getting Started

Install

npm install -g keyra-cli

Authenticate

keyra-cli login --api-url https://keyra.dev

Opens your browser for device-code authentication, then prompts you to create an encryption passphrase. This passphrase encrypts all your secrets locally — remember it.

Link a project

keyra-cli init

Run inside your project directory. Prompts for a project name (defaults to the folder name). If a .env file exists, offers to import its variables into the vault.

Push your secrets

keyra-cli push

Reads .env from the current directory, encrypts each variable with your passphrase (AES-256-GCM), and uploads the ciphertext to your vault.

Pull anywhere

keyra-cli pull

Downloads encrypted variables from the vault, decrypts them locally, and writes them to .env. Use --file to specify a different output file (e.g. keyra-cli pull --file .env.production).

All Commands

Command	Flags	Description
keyra-cli login	--api-url <url>	Authenticate via browser with device-code flow. Defaults to https://keyra.dev.
keyra-cli logout	—	Clear stored credentials from ~/.keyra/config.json.
keyra-cli init	—	Link the current directory to a Keyra project and optionally import an existing .env.
keyra-cli push	—	Encrypt and upload your local .env to the vault.
keyra-cli pull	-f, --file <name>	Download and decrypt vault variables to a local .env file. Defaults to .env.
keyra-cli share	—	Create a one-time encrypted share link for your .env. Outputs a link and a separate decryption key.
keyra-cli validate	—	Check that your local .env has all the variables defined in the vault. Exits with code 1 on missing keys — CI/CD ready.
keyra-cli status	—	Show the current project name, vault variable count, and diff between local and vault keys.
keyra-cli list	—	List all your projects with variable counts and last-synced dates. Alias: ls.
keyra-cli guard	—	Install a Git pre-commit hook that blocks accidental .env file commits.
keyra-cli scan	-f, --file <path> \| --project <id>	Check secrets against the HaveIBeenPwned breach database. Scans a local .env file or a vault project.

Don't have an account yet?