CLI reference

The shush CLI ships as the binary for @shushsecrets/inject. It wraps the runtime API for use from the shell and from CI.

Install

bun add -g @shushsecrets/inject # or: npm install -g @shushsecrets/inject

Global flags

These flags are accepted by every command that talks to the API.

Flag            Falls back to
--api-key=<k>   $SHUSH_API_KEY, then ~/.config/shush/credentials.json
--env=<env>     $SHUSH_ENV, then dev
--base-url=<u>  $SHUSH_API_URL, then the credentials file

Valid environments are dev, staging, preview, prod.

shush login

shush login [--base-url=…]

Starts a device-code flow against the API. Opens a short user code in your browser; on confirmation, an API key is written to ~/.config/shush/credentials.json. This is the recommended way to authenticate from a workstation — no need to copy-paste keys.

shush export

shush export [--env=…] [--format=dotenv|shell|json] [--api-key=…]

Fetches the current secrets for an environment and writes them to stdout.

  • --format=dotenv (default) — KEY="value" lines.
  • --format=shell — export KEY="value" lines, ready for eval.
  • --format=json — a sorted JSON object.

eval "$(shush export --format=shell --env=prod)"

shush pull

shush pull --env=<env> [--out=.env.<env>] [--api-key=…]

Same as export --format=dotenv but writes to a file. Defaults the path to .env.<env>. --env is required (no implicit fallback to dev — it would clobber the wrong file).

shush import

shush import <file> --env=<env> --project=<id> \
  [--strategy=create_only|upsert|overwrite]

Reads a .env-formatted file and pushes the entries into an environment. Requires --project=<id> (or $SHUSH_PROJECT_ID).

Strategies:

  • create_only — only insert missing keys.
  • upsert — insert or update (default).
  • overwrite — replace; keys not in the file are deleted.

Empty / unparseable files are reported as a no-op.
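
The strategies differ mainly in what happens to keys already in the environment, so it helps to preview an import before running it, especially with overwrite. The sketch below is an added example, not code from the shush project: parseDotenv, planImport and the sample data are hypothetical names and constructed values, and the remote key set is assumed to come from something like shush export --format=json.

```typescript
// Added example, not shush source. Strategy rules follow the list above;
// the .env parsing is a simplified assumption about the file format.
type Strategy = "create_only" | "upsert" | "overwrite";
type Secrets = Record<string, string>;
interface Plan { create: string[]; update: string[]; remove: string[]; untouched: string[] }

const has = (o: Secrets, k: string): boolean =>
  Object.prototype.hasOwnProperty.call(o, k);

// Parse KEY=value and KEY="value" lines; comments, blanks and junk are skipped.
function parseDotenv(text: string): Secrets {
  const out: Secrets = Object.create(null); // no prototype, so a key like __proto__ is plain data
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (!m) continue;
    const quoted = /^"(.*)"$/.exec(m[2]) || /^'(.*)'$/.exec(m[2]);
    out[m[1]] = quoted ? quoted[1] : m[2];
  }
  return out;
}

// Work out what an import would do to the remote environment, without calling the API.
function planImport(remote: Secrets, file: Secrets, strategy: Strategy): Plan {
  const fileKeys = Object.keys(file).sort();
  const remoteKeys = Object.keys(remote).sort();
  const create = fileKeys.filter((k) => !has(remote, k));
  const changed = fileKeys.filter((k) => has(remote, k) && remote[k] !== file[k]);
  const update = strategy === "create_only" ? [] : changed;
  // Only overwrite deletes: every remote key absent from the file is removed.
  const remove = strategy === "overwrite" ? remoteKeys.filter((k) => !has(file, k)) : [];
  const untouched = remoteKeys.filter((k) => update.indexOf(k) < 0 && remove.indexOf(k) < 0);
  return { create, update, remove, untouched };
}

// Constructed sample data: a remote key set and a local .env file.
const remoteSample: Secrets = { API_TOKEN: "old", DB_URL: "postgres://db", LEGACY_KEY: "x" };
const fileSample = parseDotenv('# constructed\nAPI_TOKEN="new"\nDB_URL="postgres://db"\nNEW_FLAG=1\n');

const strategies: Strategy[] = ["create_only", "upsert", "overwrite"];
for (const s of strategies) {
  const p = planImport(remoteSample, fileSample, s);
  // Print key names only, never values, so the plan is safe to keep in CI logs.
  console.log(s, "create:", p.create, "update:", p.update, "remove:", p.remove);
}
```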

shush run

shush run [--env=…] [--api-key=…] -- <command> [args…]

Fetches secrets, then spawns <command> with them merged into its environment. Existing env vars are preserved (the SDK won’t override what the shell already set). The child’s exit code is propagated; signals are forwarded.

shush run --env=prod -- node server.js
shush run --env=staging -- pnpm start

shush check

shush check [--env=…] [--api-key=…]

Verifies the API key has access to an environment and prints the list of keys it would inject. Useful in CI as a pre-deploy gate.

Source

The full CLI source lives in packages/inject/src/cli.ts.
