Documentation

The locked CLI

A single binary that authenticates with locked.sh, pulls your environment's secrets, and injects them into any process — never written to disk.

Latest release: v0.1.2

Install

macOS and Linux, x86_64 and arm64. One command:

$ curl -fsSL https://locked.sh/install.sh | bash

Installs ~/.local/bin/locked and adds that directory to your PATH in your shell's startup file. Idempotent — re‑running won't duplicate anything.

Environment overrides

| Variable | Default | Purpose |
| --- | --- | --- |
| LOCKED_VERSION | latest | Tag to install, e.g. v0.1.2. |
| LOCKED_INSTALL_DIR | ~/.local/bin | Override target directory. Set to /usr/local/bin for a sudo'd system install. |
| LOCKED_BASE_URL | github.com/locked-sh/locked-releases/releases | Where to fetch binaries from. |

Pin a version

$ curl -fsSL https://locked.sh/install.sh | LOCKED_VERSION=v0.1.2 bash

Windows

Download locked_Windows_x86_64.zip (or arm64) from the latest release and place locked.exe on your %PATH%.

Verify checksum

Every release ships a checksums.txt. The installer verifies the archive automatically; for a manual check:

$ shasum -a 256 locked_Darwin_arm64.tar.gz
# compare against the matching line in checksums.txt
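
The manual comparison above, scripted so that it fails closed (an added example, not part of the locked installer or the project's own code). It assumes checksums.txt uses the `<sha256>  <filename>` layout that shasum and sha256sum emit, which this page does not specify; `sha256_of` and `verify_release` are hypothetical helper names.

```shell
# Added example: verify a downloaded release archive against checksums.txt.
# Assumption: each line of checksums.txt is "<sha256-hex>  <filename>".

# Print the SHA-256 of a file as hex, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_release <archive> <checksums.txt>
# Returns 0 only when exactly one entry names the archive and its hash matches.
verify_release() {
  local archive="$1" sums="$2" name expected actual
  [ -r "$archive" ] && [ -r "$sums" ] || { echo "missing input file" >&2; return 2; }
  name=$(basename "$archive")

  # Exact match on the filename field (a leading "*" marks binary mode), so
  # one release name cannot match a longer name that merely contains it.
  expected=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print tolower($1)}' "$sums")

  case $(printf '%s\n' "$expected" | grep -c .) in
    1) ;;
    0) echo "no entry for $name in $sums" >&2; return 3 ;;
    *) echo "multiple entries for $name in $sums" >&2; return 3 ;;
  esac

  # Reject anything that is not a 64-character hex digest.
  case $expected in
    *[!0-9a-f]*) echo "malformed digest for $name" >&2; return 3 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "malformed digest for $name" >&2; return 3; }

  actual=$(sha256_of "$archive")
  if [ "$actual" = "$expected" ]; then
    echo "OK $name"
  else
    echo "MISMATCH $name: expected $expected, got $actual" >&2
    return 1
  fi
}
# Usage: verify_release locked_Darwin_arm64.tar.gz checksums.txt
```

A checksums.txt fetched from the same place as the archive catches a corrupted or truncated download; it is not evidence of who published the release.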

Quick start

From zero to running your app with injected secrets.

# 1. Sign in (opens a browser to authorize this machine)
$ locked login

# 2. Link your repo to a project / environment
$ cd ~/code/my-app
$ locked init

# 3. Run your app with secrets injected as env-vars
$ locked run -- npm start
$ locked run -- rails server
$ locked run --env=production -- bundle exec sidekiq

Commands

locked login

Authenticate this machine using a one-time device code. The CLI prints a code, opens locked.sh/cli/authorize in your browser, and waits while you confirm the code matches.

Tokens are stored in ~/.locked/auth.yaml (file mode 0600). Access tokens are short-lived JWTs; the refresh token rotates on use.

locked logout

Revoke the current refresh token on the server and delete local credentials.

locked whoami

Print the email of the currently authenticated user and any project the current directory is linked to.

locked init

Link the current directory to an organization, project, and default environment. Creates a .locked/config.yaml file in the working directory — commit this file so teammates inherit the same project link.

Re-running prompts to overwrite the existing link.

locked env [--show] [--format=…] [--env=…]

Fetch and print all secrets in the linked environment. By default values are redacted; pass --show to reveal them.

| Flag | Default | Purpose |
| --- | --- | --- |
| --show, -s | false | Reveal redacted values. |
| --format, -f | table | One of table, dotenv, export, json. |
| --env, -e | linked env | Override the environment for this call. |

$ locked env --format=dotenv --show > .env.local
$ eval "$(locked env --format=export --show)"

locked run [--env=…] -- <cmd>

Run a command with the linked environment's secrets injected into its process environment. The CLI never writes the secrets to disk — they live only in the subprocess.

$ locked run -- npm start
$ locked run -- rails server
$ locked run --env=staging -- python manage.py runserver
$ locked run -- node -e 'console.log(process.env.DATABASE_URL)'

Use -- to separate locked's flags from the command's flags. Exit code is propagated.

locked version (also: --version)

Print the CLI version, git commit, and build date.

Configuration

Per-project — ./.locked/config.yaml

Written by locked init. Commit this so teammates inherit the project link.

organization_id: 9739bfe6-f4f7-46a1-829c-f9a2b50c567f
project_id:      ce3bec3f-e3a3-4bcf-a1dc-bd344a86fbef
environment:     development

Global — ~/.locked/config.yaml

Stores the API URL (defaults to https://locked.sh). Override per-shell with the LOCKED_API_URL env var, useful for dev or self-hosted instances:

$ LOCKED_API_URL=http://localhost:3000 locked login

Credentials — ~/.locked/auth.yaml

Holds the access token and refresh token. File mode is 0600. Delete it to remove the local credentials, or run locked logout to also revoke the refresh token on the server.

Upgrade

Re-run the install one-liner. It replaces the existing binary in place:

$ curl -fsSL https://locked.sh/install.sh | bash
$ locked --version

Uninstall

# Remove the binary
$ rm ~/.local/bin/locked

# Drop credentials and global config (optional)
$ rm -rf ~/.locked

# Drop the PATH snippet (look for the "locked.sh CLI: PATH" marker)
$ $EDITOR ~/.zshrc       # or ~/.bashrc / ~/.bash_profile

Per-repo .locked/ directories are local to each repo and harmless to leave; remove them yourself if desired.

Source

CLI binaries are mirrored at github.com/locked-sh/locked-releases. The source repo is private; report CLI issues via your locked.sh contact.