Skip to content

reoclo secrets

reoclo secrets projects ls
reoclo secrets ls [options]
reoclo secrets get [options] <key>
reoclo secrets set [options] <key>
reoclo secrets rm [options] <key>
reoclo secrets import [options]

Every subcommand except projects ls operates on a single secret project. Pass --project <name> to select it, by name or by id.

secrets requires a signed-in session — run reoclo login first. Automation keys (rca_) are rejected with exit code 4: they are for reoclo run, which injects values without ever exposing them. If you export REOCLO_AUTOMATION_KEY in your shell it takes precedence over your stored session, and secrets will refuse to run.

Lists the secret projects you can see.

Terminal window
$ reoclo secrets projects ls
ID NAME
019ee15f-0907-7442-8377-4afdc2791059 payments-production
019f1fa9-73d7-7281-bb85-fb61e87ac8a6 payments-staging

Lists the keys in a project with their current version number. Values are never returned.

Terminal window
$ reoclo secrets ls --project payments-production
KEY VERSION
DATABASE_URL 3
STRIPE_API_KEY 1
WEBHOOK_SECRET 2

Reveals a single value and writes it to stdout with no trailing formatting, so it composes with other tools.

Terminal window
reoclo secrets get DATABASE_URL --project payments-production

Every reveal is written to the audit log before the value is returned. Avoid echo-ing the result in CI — assign it, or prefer reoclo run, which never exposes the value at all.

Creates a secret, or adds a new version to an existing one. Previous versions are retained and can be rolled back to from the dashboard.

Terminal window
reoclo secrets set STRIPE_API_KEY --project payments-production --value 'sk_live_...'
reoclo secrets set TLS_CERT --project payments-production --from-file cert.pem
echo -n 'hunter2' | reoclo secrets set DB_PASSWORD --project payments-production
FlagDescription
--project <name>Target project, by name or id. Required.
--value <value>The value, inline.
--from-file <path>Read the value from a file.

Prefer --from-file or stdin over --value: an inline value appears in your shell history and in the process table. Both --from-file and stdin strip exactly one trailing newline, so a file written by an editor round-trips byte-for-byte.

Deletes a secret and all of its versions.

Terminal window
reoclo secrets rm OLD_TOKEN --project payments-production

Secrets that are kept in sync from 1Password or Bitwarden are read-only; detach them in the dashboard first. See Importing and syncing secrets.

Bulk-imports secrets from another manager into a project. This runs on your machine and drives the provider’s own CLI, so that CLI must be installed and signed in — the value never passes through Reoclo’s servers on its way in.

Terminal window
reoclo secrets import --from onepassword --project payments-production --dry-run
reoclo secrets import --from onepassword --project payments-production --op-vault Engineering
reoclo secrets import --from bitwarden --project payments-production --skip-existing
FlagDescription
--from <source>onepassword or bitwarden. Required.
--project <name>Target project, by name or id. Required.
--op-vault <id|name>Limit a 1Password import to one vault.
--bws-project <id|name>Limit a Bitwarden import to one Secrets Manager project.
--skip-existingSkip keys that already exist instead of failing.
--dry-runPrint the plan and write nothing.

Requirements per source:

SourceNeedsAuthenticated by
onepasswordthe op CLI on your PATHyour existing op sign-in
bitwardenthe bws CLI on your PATHBWS_ACCESS_TOKEN in your environment

Keys are derived from the source entry as ITEMTITLE_FIELDLABEL, uppercased, with every run of non-alphanumeric characters collapsed to _. Colliding keys get a _2, _3 suffix. One-time-password fields, note fields, and empty values are skipped.

The import stops before writing anything if the source contains duplicate keys, or — unless you pass --skip-existing — if any key already exists in the target project. Values are written in batches; if a batch fails partway, the message tells you how many landed, and re-running with --skip-existing resumes.

For a browser-based import that takes a pasted token instead of a local CLI, see Importing and syncing secrets.

CodeMeaning
0Success
1Network or server-side error
2Bad arguments (e.g. set with no value, file, or stdin)
3Authentication failure, or no access to the project
4Attempted with an automation key, or a provider token is missing
5Project or key not found