reoclo secrets
reoclo secrets projects lsreoclo secrets ls [options]reoclo secrets get [options] <key>reoclo secrets set [options] <key>reoclo secrets rm [options] <key>reoclo secrets import [options]Every subcommand except projects ls operates on a single secret project. Pass --project <name> to select it, by name or by id.
secrets requires a signed-in session — run reoclo login first. Automation keys (rca_) are rejected with exit code 4: they are for reoclo run, which injects values without ever exposing them. If you export REOCLO_AUTOMATION_KEY in your shell it takes precedence over your stored session, and secrets will refuse to run.
projects ls
Section titled “projects ls”Lists the secret projects you can see.
$ reoclo secrets projects lsID NAME019ee15f-0907-7442-8377-4afdc2791059 payments-production019f1fa9-73d7-7281-bb85-fb61e87ac8a6 payments-stagingLists the keys in a project with their current version number. Values are never returned.
$ reoclo secrets ls --project payments-productionKEY VERSIONDATABASE_URL 3STRIPE_API_KEY 1WEBHOOK_SECRET 2get <key>
Section titled “get <key>”Reveals a single value and writes it to stdout with no trailing formatting, so it composes with other tools.
reoclo secrets get DATABASE_URL --project payments-productionEvery reveal is written to the audit log before the value is returned. Avoid echo-ing the result in CI — assign it, or prefer reoclo run, which never exposes the value at all.
set <key>
Section titled “set <key>”Creates a secret, or adds a new version to an existing one. Previous versions are retained and can be rolled back to from the dashboard.
reoclo secrets set STRIPE_API_KEY --project payments-production --value 'sk_live_...'reoclo secrets set TLS_CERT --project payments-production --from-file cert.pemecho -n 'hunter2' | reoclo secrets set DB_PASSWORD --project payments-production| Flag | Description |
|---|---|
--project <name> | Target project, by name or id. Required. |
--value <value> | The value, inline. |
--from-file <path> | Read the value from a file. |
Prefer --from-file or stdin over --value: an inline value appears in your shell history and in the process table. Both --from-file and stdin strip exactly one trailing newline, so a file written by an editor round-trips byte-for-byte.
rm <key>
Section titled “rm <key>”Deletes a secret and all of its versions.
reoclo secrets rm OLD_TOKEN --project payments-productionSecrets that are kept in sync from 1Password or Bitwarden are read-only; detach them in the dashboard first. See Importing and syncing secrets.
import
Section titled “import”Bulk-imports secrets from another manager into a project. This runs on your machine and drives the provider’s own CLI, so that CLI must be installed and signed in — the value never passes through Reoclo’s servers on its way in.
reoclo secrets import --from onepassword --project payments-production --dry-runreoclo secrets import --from onepassword --project payments-production --op-vault Engineeringreoclo secrets import --from bitwarden --project payments-production --skip-existing| Flag | Description |
|---|---|
--from <source> | onepassword or bitwarden. Required. |
--project <name> | Target project, by name or id. Required. |
--op-vault <id|name> | Limit a 1Password import to one vault. |
--bws-project <id|name> | Limit a Bitwarden import to one Secrets Manager project. |
--skip-existing | Skip keys that already exist instead of failing. |
--dry-run | Print the plan and write nothing. |
Requirements per source:
| Source | Needs | Authenticated by |
|---|---|---|
onepassword | the op CLI on your PATH | your existing op sign-in |
bitwarden | the bws CLI on your PATH | BWS_ACCESS_TOKEN in your environment |
Keys are derived from the source entry as ITEMTITLE_FIELDLABEL, uppercased, with every run of non-alphanumeric characters collapsed to _. Colliding keys get a _2, _3 suffix. One-time-password fields, note fields, and empty values are skipped.
The import stops before writing anything if the source contains duplicate keys, or — unless you pass --skip-existing — if any key already exists in the target project. Values are written in batches; if a batch fails partway, the message tells you how many landed, and re-running with --skip-existing resumes.
For a browser-based import that takes a pasted token instead of a local CLI, see Importing and syncing secrets.
Exit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Network or server-side error |
| 2 | Bad arguments (e.g. set with no value, file, or stdin) |
| 3 | Authentication failure, or no access to the project |
| 4 | Attempted with an automation key, or a provider token is missing |
| 5 | Project or key not found |
Related
Section titled “Related”reoclo run— inject granted secrets into a command- Secrets Manager — projects, versions, and access
reoclo env— an application’s own environment variables