reoclo keyring
The CLI prefers OS-native credential stores for API keys. The keyring subcommands let you inspect what’s stored where and move tokens between the keyring and the config file.
Subcommands
Section titled “Subcommands”reoclo keyring statusreoclo keyring migrate [options]reoclo keyring export [options]status
Section titled “status”Reports which backend is in use, whether each profile’s token lives in the keyring or in the config file, and whether the keyring backend is healthy.
$ reoclo keyring statusbackend: macos-keychainhealthy: yesprofiles: default keyring (acme) staging file (acme-staging)migrate
Section titled “migrate”Moves tokens from config.json into the OS keyring. Useful after upgrading from a version that stored tokens on disk, or after enabling keyring access on a previously headless machine.
reoclo keyring migratereoclo keyring migrate --profile staging # one profile onlyAfter a successful migration, the CLI replaces the inline token in config.json with a token_ref pointer.
export
Section titled “export”The reverse of migrate: moves tokens from the keyring back into config.json. Useful for moving a config to another machine, or for environments where the keyring has become unreliable.
reoclo keyring exportreoclo keyring export --profile stagingBackends
Section titled “Backends”| Platform | Backend | Notes |
|---|---|---|
| macOS | Keychain (security CLI) | Always available. |
| Linux | Secret Service (secret-tool) | Requires gnome-keyring, kwallet, or another libsecret backend. |
| Windows | Credential Manager | Always available. |
If no keyring is available, the CLI falls back to file storage automatically. Pass --keyring to reoclo login to fail loudly instead of silently falling back.
Related
Section titled “Related”reoclo login— choose where to store the token at loginreoclo profile— manage profile metadata