Secrets
hq-vault store
Store a secret. Value is read from stdin with echo disabled — it never appears in your terminal history or shell output.
```bash
# Interactive (prompts for value)
hq-vault store aws/access-key

# From a file
hq-vault store tls/cert.pem --file ./cert.pem

# With metadata
hq-vault store slack/token --type oauth-token --description "Indigo workspace user token"
```

| Flag | Description |
|---|---|
| --file <path> | Read secret value from file instead of stdin |
| --type <type> | Metadata type: oauth-token, api-key, password, certificate, other |
| --description <text> | Human-readable description |

hq-vault get
Retrieve and decrypt a secret. Value is written to stdout for piping.
```bash
# Print to stdout
hq-vault get aws/access-key

# Export as environment variable
eval "$(hq-vault get aws/access-key --env AWS_ACCESS_KEY_ID)"
```

| Flag | Description |
|---|---|
| --env <VAR> | Output as export VAR=value for shell eval |

hq-vault list
List secrets with metadata. Values are never shown.
```bash
# List all
hq-vault list

# Filter by prefix
hq-vault list aws/
hq-vault list slack/indigo/
```

Example output:

```
PATH                      TYPE         UPDATED
aws/access-key            api-key      2 hours ago
aws/secret-key            api-key      2 hours ago
slack/indigo/user-token   oauth-token  1 day ago
slack/indigo/bot-token    oauth-token  1 day ago
mongodb/atlas/uri         password     3 days ago
```

hq-vault delete
Delete a secret. Prompts for confirmation unless --force is used.
```bash
hq-vault delete aws/old-key
hq-vault delete aws/old-key --force
```

hq-vault ingest
Securely ingest a secret — designed for AI agent workflows. The agent runs this command, the user provides the value, and the agent only sees a confirmation (never the secret value).
```bash
# Via stdin (echo disabled)
hq-vault ingest slack/new-token

# Via one-time web page
hq-vault ingest slack/new-token --web

# With metadata
hq-vault ingest clerk/key --type api-key --description "Clerk secret key"
```

| Flag | Description |
|---|---|
| --web | Open a one-time HTTPS page for browser-based entry |
| --type <type> | Metadata type |
| --description <text> | Description |
| --overwrite | Allow replacing an existing secret |

The --web flag serves a single-use page on a random port with a 60-second expiry. After submission, the page self-destructs.
Agent output (the only thing visible in conversation):
```
🔐 Waiting for secure entry...
✅ Stored: slack/new-token (42 bytes, type: oauth-token)
```

hq-vault env
Output a single secret as a shell export statement.
```bash
eval "$(hq-vault env aws/access-key AWS_ACCESS_KEY_ID)"
# Equivalent to: export AWS_ACCESS_KEY_ID=<value>
```

hq-vault env-file
Export all secrets under a prefix as a dotenv or shell export file. Drop-in replacement for .env files.
```bash
# Output as dotenv format
hq-vault env-file myapp/

# Output as shell exports
hq-vault env-file myapp/ --format export

# Load into current shell
eval "$(hq-vault env-file myapp/ --format export)"
```

| Flag | Default | Description |
|---|---|---|
| --format <fmt> | dotenv | Output format: dotenv or export |

Example output (dotenv):
```
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE
DATABASE_URL=postgres://user:pass@host:5432/db
```

Secrets are mapped from path to variable name: myapp/aws-key becomes AWS_KEY.
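
An alternative way to consume the dotenv output of env-file, as an added example that is not part of hq-vault: it hands the variables to one child process instead of the current shell, and assigns values without eval so nothing in a secret is parsed as shell code. The helper name run_with_dotenv is hypothetical, and the code assumes the dotenv output is plain, unquoted KEY=value lines as in the sample above.

```sh
#!/bin/sh
# Added example (not hq-vault code). Assumes dotenv output is plain,
# unquoted KEY=value lines, as in the sample output on this page.

# run_with_dotenv DOTENV_TEXT COMMAND [ARGS...]   (hypothetical helper)
# Exports each KEY=value line inside a subshell, then execs COMMAND there.
# The calling shell never holds the secrets, and values are assigned
# literally: nothing in them is evaluated as shell code.
run_with_dotenv() {
  (
    dotenv=$1
    shift
    while IFS= read -r line; do
      case "$line" in
        '' | '#'*) continue ;;          # skip blank lines and comments
      esac
      key=${line%%=*}
      case "$key" in
        "$line" | '' | [0-9]* | *[!A-Za-z0-9_]*)
          # no "=", empty key, or key that is not a valid variable name
          echo "run_with_dotenv: rejected malformed line" >&2
          exit 2
          ;;
      esac
      export "$line"                    # quoted: value is taken verbatim
    done <<EOF
$dotenv
EOF
    exec "$@"
  )
}

# Constructed sample input; DEMO_PASSWORD contains shell metacharacters.
SAMPLE_DOTENV='AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DEMO_PASSWORD=s3cr3t $(date) * two  spaces'

# Demo: the child sees the value byte for byte; the parent sees nothing.
run_with_dotenv "$SAMPLE_DOTENV" sh -c 'printf "child:  %s\n" "$DEMO_PASSWORD"'
printf 'parent: %s\n' "${DEMO_PASSWORD:-<unset>}"

# With the CLI documented on this page:
#   run_with_dotenv "$(hq-vault env-file myapp/)" ./server
```

The dotenv text is passed as a shell function argument, so it does not appear in any process's command line.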