Skip to content

reoclo keyring

The CLI prefers OS-native credential stores for API keys. The keyring subcommands let you inspect what’s stored where and move tokens between the keyring and the config file.

reoclo keyring status
reoclo keyring migrate [options]
reoclo keyring export [options]

Reports which backend is in use, whether each profile’s token lives in the keyring or in the config file, and whether the keyring backend is healthy.

Terminal window
$ reoclo keyring status
backend: macos-keychain
healthy: yes
profiles:
default keyring (acme)
staging file (acme-staging)

Moves tokens from config.json into the OS keyring. Useful after upgrading from a version that stored tokens on disk, or after enabling keyring access on a previously headless machine.

Terminal window
reoclo keyring migrate
reoclo keyring migrate --profile staging # one profile only

After a successful migration, the CLI replaces the inline token in config.json with a token_ref pointer.

The reverse of migrate: moves tokens from the keyring back into config.json. Useful for moving a config to another machine, or for environments where the keyring has become unreliable.

Terminal window
reoclo keyring export
reoclo keyring export --profile staging
PlatformBackendNotes
macOSKeychain (security CLI)Always available.
LinuxSecret Service (secret-tool)Requires gnome-keyring, kwallet, or another libsecret backend.
WindowsCredential ManagerAlways available.

If no keyring is available, the CLI falls back to file storage automatically. Pass --keyring to reoclo login to fail loudly instead of silently falling back.