secrets

Store API keys, tokens, and other credentials in an encrypted local vault. Values are encrypted at rest using a master key derived from your machine identity and are never displayed in full without --unmask.

Caution

Backups exported via secrets export contain encrypted values and require the same master key to restore. If you reinstall or move machines without preserving the master key, the backup is unrecoverable.

Overview

snippbot secrets set <name>          # Store a secret (prompt or stdin)
snippbot secrets get <name>          # Show masked value
snippbot secrets list                # List names only (never values)
snippbot secrets delete <name>       # Remove a secret
snippbot secrets rotate <name>       # Replace value, keep history
snippbot secrets export              # Encrypted backup blob
snippbot secrets import <file>       # Restore from backup
snippbot secrets audit               # View access log

---

snippbot secrets set

Store a secret encrypted at rest.

snippbot secrets set anthropic_api_key -v sk-ant-...
echo "sk-ant-..." | snippbot secrets set anthropic_api_key
snippbot secrets set github_token -v ghp-... -c tokens

Option	Description
-v, --value	Secret value (prompted or read from stdin if omitted)
-c, --category	Category label (auto-detected for known keys like *_api_key)

---

snippbot secrets get

Retrieve a secret. The value is masked by default.

snippbot secrets get anthropic_api_key             # sk-a********XYZ
snippbot secrets get anthropic_api_key --unmask    # Full value (use with care)

Option	Description
--unmask	Print the full value. Avoid in shared terminals.

---

snippbot secrets list

List all stored secrets. The table shows names only — values are never exposed here.

snippbot secrets list
snippbot secrets list --category api_keys
snippbot secrets list --json-output

Option	Description
-c, --category	Filter by category
--json-output	Emit structured JSON (names, categories, timestamps)

---

snippbot secrets delete

Remove a secret permanently.

snippbot secrets delete old_api_key          # Prompts for confirmation
snippbot secrets delete old_api_key --yes    # Skip confirmation

Option	Description
-y, --yes	Skip confirmation prompt

---

snippbot secrets rotate

Replace a secret’s value while preserving its name/category. Useful for key rotation.

snippbot secrets rotate anthropic_api_key -v sk-ant-new...
echo "new-value" | snippbot secrets rotate anthropic_api_key

---

snippbot secrets export / import

Export and restore encrypted backups. Exported blobs are useless without the master key.

snippbot secrets export                      # Print encrypted JSON to stdout
snippbot secrets export -o backup.json       # Write to file
snippbot secrets import backup.json
snippbot secrets import backup.json --overwrite    # Replace existing entries

---

snippbot secrets audit

View the access log. Entries record reads, writes, rotations, and deletions with timestamps.

snippbot secrets audit                       # Last 20 entries
snippbot secrets audit --name anthropic_api_key
snippbot secrets audit --limit 50

Option	Description
-n, --name	Filter to one secret
-l, --limit	Max rows (default: 20)

---

Related

• auth — daemon user account & API keys (separate from general secrets)
• config — use config set for non-sensitive settings; sensitive keys are auto-migrated to this encrypted store