Skip to Content
Quickstart

Quickstart

Get shush running and push your first secret in a few minutes. This guide assumes you have access to a shush instance (hosted or self-hosted — see Self-host to stand one up).

1. Install the CLI

The shush CLI ships as part of @shushsecrets/inject:

bun add -g @shushsecrets/inject
# or
npm install -g @shushsecrets/inject

You can also run it ad-hoc with npx @shushsecrets/inject / bunx @shushsecrets/inject.

2. Log in

shush login

shush login starts a device-code flow against the API (https://api.shush.local by default). It opens a short user code in your browser, you confirm in the dashboard, and credentials are written to ~/.config/shush/credentials.json.

Point at a different deployment with --base-url=… or by setting SHUSH_API_URL.

3. Push a secret

If you already have a .env file you want to seed an environment with:

shush import .env.staging \
  --env=staging \
  --project=<project-id> \
  --strategy=upsert

Strategies:

  • create_only — only insert missing keys; ignore conflicts.
  • upsert — insert or update (default).
  • overwrite — replace all values; deletes anything not in the file.

Or push individual values from the dashboard.

4. Read it back

Pull the current state of an environment to a local file:

shush pull --env=prod                 # writes .env.prod
shush pull --env=prod --out=.env.live # custom path

Or stream them into a process at boot:

shush run --env=prod -- node server.js

For shell pipelines:

eval "$(shush export --format=shell --env=prod)"

5. Verify

shush check --env=prod
# shush: ok — env=prod (12 keys)
#   DATABASE_URL
#   STRIPE_SECRET_KEY
#   ...

That’s it. From here, you’ll likely want to wire @shushsecrets/inject into your app boot — see the SDK reference.

Last updated on
IntroductionCLI reference