⌨️ CLI

CLI Quickstart

Install ass — the Agent Secret Store CLI — and manage your vault from the terminal.

Installation

Choose the installation method that fits your workflow:

npm (Node.js)

Recommended if you already use Node.js

Homebrew

Best for macOS users

Direct download

Works everywhere, no runtime needed

npm

Shell

npm install -g @agentsecretstore/cli

# Verify installation
ass --version
# → ass/1.0.0 darwin-arm64 node-v22.12.0

# No global install? Run any command on demand with npx:
npx @agentsecretstore/cli --version
npx @agentsecretstore/cli secrets list production

Homebrew

Shell

brew install agent-secret-store/tap/ass

# Verify installation
ass --version
# → ass/1.0.0 darwin-arm64 node-v22.12.0

Direct download

Shell

# macOS / Linux (direct download)
curl -fsSL https://cli.agentsecretstore.com/install.sh | bash

# Windows (PowerShell)
iwr https://cli.agentsecretstore.com/install.ps1 -useb | iex

# Verify installation
ass --version

First steps

1
Set your agent key
Create an agent in the dashboard and expose its key to the CLI as an environment variable. Secret commands exchange this key for short-lived scoped tokens automatically.
Shell
# Create an agent in the dashboard, then export its key export ASS_AGENT_KEY="ass_xxxxxxxxxxxxxxxxxxxxxxxx" # Confirm the CLI can reach the API ass status # status ● Operational # logged in yes
Non-interactive environments
CI/CD, Docker, and agent runtimes should set ASS_AGENT_KEYdirectly. No browser login is required for secret read/write commands.

List and retrieve secrets

Browse your vault and pull secret values directly to your terminal:

Shell

# List secrets in a namespace
ass secrets list production
# → production/gemini/GEMINI_API_KEY          sensitive   v3   2d ago
# → production/stripe/STRIPE_SECRET_KEY       critical    v1   7d ago
# → production/database/DATABASE_URL            standard    v2   1h ago

# Retrieve a specific secret value
ass secrets get production/gemini/GEMINI_API_KEY
# → gemini-api-key-example

# Use --json for scripting
ass secrets get production/gemini/GEMINI_API_KEY --json
# → {"path":"production/gemini/GEMINI_API_KEY","value":"gemini-api-key-example","version":3}

Terminal history

Secret values printed to stdout may appear in your shell history. Pipe to a file or use --json and process programmatically to avoid accidental exposure.

Import your .env file

Bulk-import an existing .env file into a namespace. Always dry-run first:

Shell

# Import all secrets from .env
ass env import .env --namespace production
# Scanning .env...
# ✓ Imported: production/GEMINI_API_KEY
# ✓ Imported: production/STRIPE_SECRET_KEY
# ✓ Imported: production/DATABASE_URL
# ✓ Imported: production/SLACK_BOT_TOKEN
# ✓ Imported 12 secrets to production

# Preview without writing
ass env import .env --namespace production --dry-run

4
Register your first agent
Use the dashboard to create an agent registration with scoped access. Each service should have its own agent with the minimum required scopes:
Shell
# Recommended setup in the dashboard: # 1. Open /dashboard/agents # 2. Add an agent named "my-inference-agent" # 3. Allow namespace: production/gemini # 4. Allow scopes: secrets:read:* # 5. Copy the generated ass_... key once export ASS_AGENT_KEY="ass_xxxxxxxxxxxxxxxxxxxxxxxx"
Save the agent key now
The agent key is shown only once at creation. Copy it immediately and store it in your secrets manager. If you lose it, you'll need to revoke the agent and create a new one.

What's next

CLI Reference →

Every command, flag, and option documented.

.env Migration →

Full guide for teams moving from flat files.

CLI in CI/CD →

Use ass in GitHub Actions and GitLab CI.

Scoped Tokens →

Issue short-lived tokens for each agent.

Installation

Choose the installation method that fits your workflow:

npm (Node.js)

Recommended if you already use Node.js

Homebrew

Best for macOS users

Direct download

Works everywhere, no runtime needed

npm

Shell

npm install -g @agentsecretstore/cli

# Verify installation
ass --version
# → ass/1.0.0 darwin-arm64 node-v22.12.0

# No global install? Run any command on demand with npx:
npx @agentsecretstore/cli --version
npx @agentsecretstore/cli secrets list production

Homebrew

Shell

brew install agent-secret-store/tap/ass

# Verify installation
ass --version
# → ass/1.0.0 darwin-arm64 node-v22.12.0

Direct download

Shell

# macOS / Linux (direct download)
curl -fsSL https://cli.agentsecretstore.com/install.sh | bash

# Windows (PowerShell)
iwr https://cli.agentsecretstore.com/install.ps1 -useb | iex

# Verify installation
ass --version

First steps

Set your agent key

Create an agent in the dashboard and expose its key to the CLI as an environment variable. Secret commands exchange this key for short-lived scoped tokens automatically.

Shell

# Create an agent in the dashboard, then export its key
export ASS_AGENT_KEY="ass_xxxxxxxxxxxxxxxxxxxxxxxx"

# Confirm the CLI can reach the API
ass status
# status   ● Operational
# logged in  yes

Non-interactive environments

CI/CD, Docker, and agent runtimes should set ASS_AGENT_KEYdirectly. No browser login is required for secret read/write commands.

List and retrieve secrets

Browse your vault and pull secret values directly to your terminal:

Shell

# List secrets in a namespace
ass secrets list production
# → production/gemini/GEMINI_API_KEY          sensitive   v3   2d ago
# → production/stripe/STRIPE_SECRET_KEY       critical    v1   7d ago
# → production/database/DATABASE_URL            standard    v2   1h ago

# Retrieve a specific secret value
ass secrets get production/gemini/GEMINI_API_KEY
# → gemini-api-key-example

# Use --json for scripting
ass secrets get production/gemini/GEMINI_API_KEY --json
# → {"path":"production/gemini/GEMINI_API_KEY","value":"gemini-api-key-example","version":3}

Terminal history

Secret values printed to stdout may appear in your shell history. Pipe to a file or use --json and process programmatically to avoid accidental exposure.

Import your .env file

Bulk-import an existing .env file into a namespace. Always dry-run first:

Shell

# Import all secrets from .env
ass env import .env --namespace production
# Scanning .env...
# ✓ Imported: production/GEMINI_API_KEY
# ✓ Imported: production/STRIPE_SECRET_KEY
# ✓ Imported: production/DATABASE_URL
# ✓ Imported: production/SLACK_BOT_TOKEN
# ✓ Imported 12 secrets to production

# Preview without writing
ass env import .env --namespace production --dry-run

Register your first agent

Use the dashboard to create an agent registration with scoped access. Each service should have its own agent with the minimum required scopes:

Shell

# Recommended setup in the dashboard:
# 1. Open /dashboard/agents
# 2. Add an agent named "my-inference-agent"
# 3. Allow namespace: production/gemini
# 4. Allow scopes: secrets:read:*
# 5. Copy the generated ass_... key once

export ASS_AGENT_KEY="ass_xxxxxxxxxxxxxxxxxxxxxxxx"

Save the agent key now

The agent key is shown only once at creation. Copy it immediately and store it in your secrets manager. If you lose it, you'll need to revoke the agent and create a new one.