Commands
The vaulted binary ships 14 commands. Every command defaults to the project and environment pinned by the vaulted.toml discovered by walking up from the current directory, like git. The vault itself lives under VAULTED_CONFIG_DIR, default ~/.config/vaulted.
| Command | Description |
|---|---|
| vaulted init | Create the vault, a project, default environments, and vaulted.toml |
| vaulted unlock | Verify the master password and save it for later commands |
| vaulted lock | Clear the stored master password |
| vaulted set | Add or update a secret |
| vaulted get | Print a secret value to stdout, pipeable |
| vaulted list | List secret names, scopes, and value types |
| vaulted rm | Remove a secret with a soft delete |
| vaulted import | Import secrets from a dotenv file |
| vaulted export | Reconstruct a dotenv file from an environment |
| vaulted run | Run a command with decrypted secrets injected |
| vaulted projects | Manage projects |
| vaulted envs | Manage environments for the current project |
| vaulted rotate | Rotate the project key and re-encrypt every secret |
| vaulted mcp | Start the MCP stdio server |
vaulted init
vaulted init [--name <project>]
Creates the encrypted SQLite vault at ~/.config/vaulted/vaulted.db if it does not exist yet, a project with development, staging, and production environments, and a vaulted.toml that pins the project and default environment for the current directory.
Prompts for a master password and saves it to the OS keychain. There is no password recovery of any kind: a lost master password means an unreadable vault.
| Flag | Description |
|---|---|
| --name <project> | Project name, defaults to the current directory name |
cd my-app
vaulted init
vaulted unlock
vaulted unlock
Verifies the master password and saves it for later commands. The OS keychain is tried first and the password file fallback is deleted on success. Run this once before agent use, because the MCP server never prompts.
No flags.
vaulted unlock
vaulted lock
vaulted lock
Clears the stored master password, both the keychain entry and the password file. Later commands fall back to VAULTED_PASSWORD or prompt again.
No flags.
vaulted lock
vaulted set
vaulted set KEY [value] [-e env] [--scope s] [--folder f]
Adds or updates a secret. When the value is omitted the CLI reads it from a hidden prompt or from stdin, so the value never lands in your shell history. Key names are letters, digits, and underscores, not starting with a digit.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| --scope <scope> | client, server, or shared, defaults to shared for new secrets and stays unchanged on update |
| --folder <folder> | Folder name, created if missing |
vaulted set STRIPE_KEY
vaulted set DEBUG false
vaulted get
vaulted get KEY [-e env] [--folder f]
Prints the decrypted value to stdout with nothing else on stdout, so the output is safe to pipe or capture.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| --folder <folder> | Folder name |
vaulted get STRIPE_KEY | pbcopy
vaulted list
vaulted list [-e env] [--folder f] [--reveal]
Lists secret names, scopes, and value types, never values. With --reveal the decrypted values are included and the reveal is written to the audit log.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| --folder <folder> | Only secrets in this folder |
| --reveal | Include decrypted values, audited |
vaulted list --reveal
vaulted rm
vaulted rm KEY [-e env] [--folder f]
Removes a secret with a soft delete. Setting the same key again revives the deleted row.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| --folder <folder> | Folder name |
vaulted rm OLD_API_KEY
vaulted import
vaulted import <file> [-e env] [--overwrite|--skip]
Imports secrets from a dotenv file into the vault. When a key already exists the command fails and names the collisions, unless you pick a strategy with --overwrite or --skip. Once imported, the .env file can be deleted.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| --overwrite | Replace secrets that already exist |
| --skip | Skip secrets that already exist |
vaulted import .env
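The collision behaviour described above, together with the key-name rule from the vaulted set section, as an added sketch that is not vaulted's own code. The names OnCollision, valid_key, parse_dotenv and import are hypothetical, an in-memory map stands in for the vault, and treating "letters" as ASCII and checking every collision before any write are assumptions.

```rust
use std::collections::BTreeMap;

#[derive(Clone, Copy, PartialEq)]
enum OnCollision { Fail, Overwrite, Skip }

// Key rule from `vaulted set`; treating "letters" as ASCII is an assumption.
fn valid_key(key: &str) -> bool {
    !key.is_empty()
        && !key.starts_with(|c: char| c.is_ascii_digit())
        && key.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
}

// Minimal KEY=VALUE reader (assumed dialect): skips blank lines and # comments.
fn parse_dotenv(text: &str) -> Result<Vec<(String, String)>, String> {
    let mut pairs = Vec::new();
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        let (key, value) = line.split_once('=')
            .ok_or_else(|| format!("line {}: missing '='", n + 1))?;
        if !valid_key(key.trim()) {
            return Err(format!("line {}: invalid key {:?}", n + 1, key.trim()));
        }
        pairs.push((key.trim().to_string(), value.trim().to_string()));
    }
    Ok(pairs)
}

// Collisions are collected before any write, so Fail leaves the vault untouched.
fn import(vault: &mut BTreeMap<String, String>, pairs: Vec<(String, String)>,
          mode: OnCollision) -> Result<usize, Vec<String>> {
    let hits: Vec<String> = pairs.iter().map(|(k, _)| k.clone())
        .filter(|k| vault.contains_key(k)).collect();
    if mode == OnCollision::Fail && !hits.is_empty() { return Err(hits); }
    let mut written = 0;
    for (k, v) in pairs {
        if mode == OnCollision::Skip && hits.contains(&k) { continue; }
        vault.insert(k, v);
        written += 1;
    }
    Ok(written)
}

fn main() {
    // Constructed sample: one key already in the vault, two in the file.
    let mut vault = BTreeMap::from([("DEBUG".to_string(), "false".to_string())]);
    let file = "# constructed sample\nDEBUG=true\nSTRIPE_KEY=sk_test_constructed\n";
    let pairs = parse_dotenv(file).expect("valid dotenv");
    println!("{:?}", import(&mut vault, pairs.clone(), OnCollision::Fail));
    println!("{:?}", import(&mut vault, pairs, OnCollision::Skip));
}
```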
vaulted export
vaulted export [-e env] [-o file] [--force]
Reconstructs a dotenv file from an environment. Every export is audited, and the audit entry is written before any plaintext is emitted.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| -o, --output <file> | Write to a file instead of stdout |
| --force | Overwrite an existing output file |
vaulted export -e development -o .env.development
vaulted run
vaulted run [-e env] [--folder f] -- <cmd> [args...]
Runs a command with decrypted secrets injected through the hardened Rust runner. The child environment is cleared down to a 10-variable allowlist plus the injected secrets, so nothing from the parent environment leaks.
Injects server and shared scoped secrets from the root of the environment, or from one folder with --folder. The full hardening list is on the Security page.
| Flag | Description |
|---|---|
| -e, --env <environment> | Environment, defaults to the vaulted.toml default environment |
| --folder <folder> | Inject secrets from this folder instead of the root |
vaulted run -- npm run dev
vaulted run -e production -- ./deploy.sh
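The environment scrubbing described above, as an added sketch using only the Rust standard library; it is not vaulted's runner. The allowlist entries, the function names build_child_env and run_scrubbed, and the rule that an injected secret wins a name clash are assumptions, since the page gives the allowlist size but not its contents.

```rust
use std::collections::BTreeMap;
use std::process::Command;

// Assumed allowlist for illustration; the page gives the count (10) but not the names.
const ALLOWLIST: [&str; 4] = ["PATH", "HOME", "LANG", "TERM"];

// Child environment = allowlisted parent variables + injected secrets.
// Letting a secret win on a name clash is a choice made for this sketch.
fn build_child_env(
    parent: &BTreeMap<String, String>,
    secrets: &BTreeMap<String, String>,
) -> BTreeMap<String, String> {
    let mut child = BTreeMap::new();
    for name in ALLOWLIST.iter() {
        if let Some(value) = parent.get(*name) {
            child.insert(name.to_string(), value.clone());
        }
    }
    for (name, value) in secrets {
        child.insert(name.clone(), value.clone());
    }
    child
}

// env_clear() drops everything inherited; envs() then sets exactly `env`.
fn run_scrubbed(program: &str, args: &[&str], env: &BTreeMap<String, String>) -> std::io::Result<String> {
    let out = Command::new(program).args(args).env_clear().envs(env).output()?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

fn main() -> std::io::Result<()> {
    // Constructed sample: a parent-only token that must not reach the child.
    let mut parent: BTreeMap<String, String> = std::env::vars().collect();
    parent.insert("AWS_SESSION_TOKEN".to_string(), "parent-only".to_string());
    let secrets = BTreeMap::from([("STRIPE_KEY".to_string(), "sk_test_constructed".to_string())]);
    let child = build_child_env(&parent, &secrets);
    // Absolute path: program lookup should not depend on the scrubbed PATH.
    print!("{}", run_scrubbed("/usr/bin/env", &[], &child)?);
    Ok(())
}
```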
vaulted projects
vaulted projects list|create <name>
Manages projects in the vault.
| Subcommand | Description |
|---|---|
| list | List all projects |
| create <name> | Create a project with the default environments |
vaulted projects create api
vaulted envs
vaulted envs list|create <name>
Manages environments for the project pinned by the current directory's vaulted.toml.
| Subcommand | Description |
|---|---|
| list | List environments, the vaulted.toml default is marked with * |
| create <name> | Create an environment in the current project |
vaulted envs create preview
vaulted rotate
vaulted rotate
Rotates the project key and re-encrypts every secret. The swap happens in a single transaction, partial failure rolls back completely, and the rotation lands in the audit trail.
No flags.
vaulted rotate
vaulted mcp
vaulted mcp
Starts the MCP stdio server for Claude Code, Cursor, Codex, Zed, OpenCode, and Claude Desktop. It exposes five tools, four read-only and one destructive, all documented on the MCP page. Run vaulted unlock once beforehand, because the server never prompts for a password.
No flags.
claude mcp add vaulted -- vaulted mcp