varcrypt
v0.1.4
Published
CLI for VarCrypt — pull encrypted secrets from the cloud
Readme
varcrypt
CLI for VarCrypt — pull AES-256-GCM encrypted environment variables from the cloud directly into your terminal.
Requirements
Node.js 18 or later.
Installation
npm install -g varcryptQuick start
1. Generate an API token
Go to VarCrypt → Settings → API Tokens and create a new token. Copy the vc_… value — it's only shown once.
2. Save the token locally
varcrypt login
# Paste your API token:The token is stored in ~/.varcrypt/config.json.
3. Pull secrets
varcrypt pull <project-slug> <environment>Example:
varcrypt pull my-app production
# DATABASE_URL=postgres://...
# API_KEY=sk-...Pipe directly into a process:
env $(varcrypt pull my-app production) node server.jsOr source as shell exports:
source <(varcrypt pull my-app production --output export)Commands
varcrypt login
Prompts for an API token and saves it to ~/.varcrypt/config.json.
varcrypt pull <project> <env> [options]
Prints secrets for the given project and environment as KEY=value lines.
| Option | Description |
|---|---|
| --output export | Print as export KEY="value" instead of KEY=value |
| --host <url> | Override the API host (default: http://localhost:3000) |
The --host flag is useful for self-hosted deployments:
varcrypt pull my-app staging --host https://varcrypt.example.comHow it works
Secrets are encrypted with AES-256-GCM at rest. The CLI sends your API token in the Authorization header; the server decrypts and returns the plaintext values over HTTPS. Your token is scoped to a single organization — it cannot read secrets from other organizations.
Security
- Tokens are stored in
~/.varcrypt/config.jsonwith default file permissions. Protect this file like you would an SSH key. - Always pull over HTTPS in production. The default
localhost:3000host is intended for local development only. - Rotate tokens in the VarCrypt dashboard if one is compromised.
License
MIT
