@keywaysh/cli
v0.5.3
GitHub-native secrets management CLI
Keyway CLI
Stop sharing .env files on Slack. GitHub access = secret access.
The Problem
You're still doing this:
- Pasting secrets in Slack DMs
- Emailing .env files to new devs
- Rotating every secret when someone leaves
- Manually copying vars to Vercel/Railway/Netlify
The Solution
keyway pull
That's it. If you have access to the repo, you have access to the secrets. No invites, no training, no friction.
Install
Homebrew (macOS & Linux)
brew install keywaysh/tap/keyway
Install Script
curl -fsSL https://get.keyway.sh | sh
npx (no install)
npx @keywaysh/cli init
Direct download
Grab the binary for your platform from Releases.
Quick Start
keyway init
This will:
- Authenticate with GitHub
- Create an encrypted vault for your repo
- Push your local .env to the vault
New teammate joins? They run keyway pull. Done in 30 seconds.
How It Works
keyway init # First time: create vault, push secrets
keyway push # Update remote secrets
keyway pull # Get latest secrets
keyway sync vercel # Deploy to Vercel, Railway, Netlify
Zero-Trust Mode
Never write secrets to disk. Inject them directly into your process:
keyway run -- npm start
keyway run --env production -- ./my-app
Secrets exist only in memory. When the process exits, they're gone.
Security
Your secrets are protected by:
| Layer | Protection |
|-------|------------|
| Encryption | AES-256-GCM with random IV per secret |
| At Rest | Encrypted in database, keys in isolated service |
| In Transit | TLS 1.3 everywhere |
| Access Control | GitHub collaborator API — no separate user management |
| Audit Trail | Every pull and view is logged with IP and location |
We can't read your secrets. Even if our database leaks, attackers get encrypted blobs.
Read our security whitepaper →
Commands
| Command | Description |
|---------|-------------|
| keyway init | Create vault and push initial secrets |
| keyway push | Push local secrets to vault |
| keyway pull | Pull secrets from vault |
| keyway set KEY=VALUE | Set a single secret in the vault |
| keyway run | Run command with secrets injected (zero-trust) |
| keyway diff | Compare local vs remote secrets |
| keyway sync | Sync to Vercel, Railway, Netlify |
| keyway connect | Connect to a provider (Vercel, Railway) |
| keyway connections | List connected providers |
| keyway disconnect | Remove a provider connection |
| keyway scan | Scan repo for leaked secrets |
| keyway login | Authenticate with GitHub |
| keyway logout | Clear stored credentials |
| keyway doctor | Diagnose environment issues |
Environment Variables
| Variable | Description |
|----------|-------------|
| KEYWAY_TOKEN | Auth token for CI/CD (use keyway login --ci) |
| KEYWAY_API_URL | Custom API endpoint |
| KEYWAY_DISABLE_TELEMETRY=1 | Disable anonymous analytics |
Why Keyway?
- 30 seconds to onboard a new developer
- 0 secrets to rotate when someone leaves (just revoke GitHub access)
- 1 command to deploy secrets to production
- GitHub-native — no new accounts, no new permissions to manage
CI/CD
Use an API key for automation:
# Generate an API key (Dashboard > Settings > API Keys)
# Use scope "read:secrets" for CI — least privilege principle
# GitHub Actions example
env:
  KEYWAY_TOKEN: ${{ secrets.KEYWAY_TOKEN }}
run: keyway pull --env production
Or use the GitHub Action:
- uses: keywaysh/keyway-action@v1
  with:
    token: ${{ secrets.KEYWAY_TOKEN }}
    environment: production
Development
# Prerequisites: Go 1.22+
make build # Build → ./bin/keyway
make test # Run tests
make lint # Run golangci-lint
make install # Install to /usr/local/bin/keyway
Releases are automated via GoReleaser on tag push.
License
MIT — see LICENSE
