Manage your instance secrets. Reads and writes .env.secrets (which is always gitignored). When the nself-vault plugin is installed, secrets are encrypted at rest and rotation is automated.
# List all secret keys (values are masked)
nself secrets list
# Get a specific secret value
nself secrets get STRIPE_SECRET_KEY
# Set a secret
nself secrets set STRIPE_SECRET_KEY sk_live_abc123...
# Rotate a secret (generates a new value or prompts for one)
nself secrets rotate HASURA_GRAPHQL_ADMIN_SECRET

nself secrets <SUBCOMMAND> [ARGS] [FLAGS]

nself secrets is the safe interface for managing the values in .env.secrets. That file sits at the top of the nSelf env cascade (.env.dev → .env.secrets → .env), so values set here override everything else at runtime.
.env.secrets is always gitignored. The nself secrets commands never print secret values to stdout unless you explicitly use secrets get or secrets export. The list subcommand always masks values.
When the nself-vault plugin is installed (nself plugin install nself-vault), the backend stores all secrets encrypted using AES-256-GCM in Postgres rather than in the plain-text .env.secrets file. The same nself secrets interface works identically either way — the storage backend switches transparently.
Print all secret keys with masked values. Keys from .env.secrets are shown alongside their source (file or vault).
nself secrets list
KEY                          SOURCE  VALUE
─────────────────────────────────────────────────────
HASURA_GRAPHQL_ADMIN_SECRET  file    ••••••••••••
STRIPE_SECRET_KEY            file    ••••••••••••
JWT_SECRET                   vault   ••••••••••••

Print the value for a single key. Prints to stdout so you can pipe it.
nself secrets get STRIPE_SECRET_KEY
sk_live_abc123...
# Pipe into another command
nself secrets get STRIPE_SECRET_KEY | pbcopy

Set or update a secret. If nself-vault is installed, the value is encrypted before storage. If services are running, the change takes effect on the next nself restart.
nself secrets set STRIPE_SECRET_KEY sk_live_newkey...
# Read value from stdin (avoids shell history)
nself secrets set STRIPE_SECRET_KEY -

Rotate a secret. For known secrets (like HASURA_GRAPHQL_ADMIN_SECRET and JWT_SECRET), the CLI generates a new cryptographically random value automatically. For application secrets like Stripe keys, it prompts you to enter the new value.
nself secrets rotate HASURA_GRAPHQL_ADMIN_SECRET
# Generating new 64-char random secret...
# Updated. Run nself restart hasura to apply.
nself secrets rotate STRIPE_SECRET_KEY
# Enter new value for STRIPE_SECRET_KEY: [hidden input]
# Updated.

Bulk-import secrets from an env file. Existing keys are overwritten. Keys not in the file are left untouched.
nself secrets import ./prod-secrets.env

Print all secrets as a plain .env file to stdout. Use with care — this exposes all values in plaintext.
# Export to a file for backup
nself secrets export > secrets-backup-$(date +%Y%m%d).env
# Diff current secrets against a reference
nself secrets export | diff - reference-secrets.env

| Flag | Type | Default | Description |
|---|---|---|---|
| --json | bool | false | Output list as JSON (keys and sources only — values still masked) |
| --reveal | bool | false | Show unmasked values in list output. Prints a warning banner. |
| --env <name> | string | current | Target a different environment's secrets file: dev, staging, prod |
NSELF_VAULT_KEY — Master encryption key when nself-vault is installed. Set this in your shell profile on the host machine. Never put it in any env file.

nself secrets set HASURA_GRAPHQL_ADMIN_SECRET $(openssl rand -hex 32)
nself secrets set JWT_SECRET $(openssl rand -hex 64)
nself secrets set STRIPE_SECRET_KEY sk_live_...
nself start

nself secrets rotate HASURA_GRAPHQL_ADMIN_SECRET
nself secrets rotate JWT_SECRET
nself restart hasura auth

nself secrets import .env.production.bak

nself secrets export | age -r age1... > secrets.age

0 — success
1 — read or write error (file permission, vault error)
2 — invalid subcommand, missing key argument, or unknown key on rotate
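
A pre-commit or CI check for the handling rules stated on this page, as an added example that is not part of nself: it flags NSELF_VAULT_KEY set in any env file, a .env.secrets file accessible beyond its owner, and plaintext secrets-backup-*.env exports left in the project directory. The function name, the finding labels, the owner-only permission rule and the treatment of leftover exports as a finding are assumptions of this example.

```sh
#!/bin/sh
# Added example (not nself code). audit_secrets_dir is a hypothetical helper.
# Usage: audit_secrets_dir DIR
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.

audit_secrets_dir() {
    dir=$1
    findings=0

    # Rule from the page: the vault master key must never be in any env file.
    for f in "$dir"/.env "$dir"/.env.*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?NSELF_VAULT_KEY=' "$f"; then
            echo "MASTER_KEY_IN_ENV_FILE ${f##*/}"
            findings=$((findings + 1))
        fi
    done

    # Assumption: without the vault plugin .env.secrets is plaintext, so any
    # group or other read/write bit on it is reported.
    if [ -f "$dir/.env.secrets" ] && [ -n "$(find "$dir/.env.secrets" \
            \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))" ]; then
        echo "SECRETS_FILE_NOT_OWNER_ONLY .env.secrets"
        findings=$((findings + 1))
    fi

    # Assumption: plaintext exports named like the page's backup example
    # (secrets-backup-YYYYMMDD.env) should not stay in the project tree.
    for f in "$dir"/secrets-backup-*.env; do
        [ -f "$f" ] || continue
        echo "PLAINTEXT_EXPORT_ON_DISK ${f##*/}"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# When run as a script with a directory argument, audit that directory.
[ "$#" -eq 0 ] || audit_secrets_dir "$1"
```

The check reads only key names and file metadata, so it never prints a secret value.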