🔐 keyden

Documentation

Quick Start

Get from zero to vault-powered secrets in under five minutes.

01

Install keyden globally

Install once and the keyden CLI is available in every project on your machine.

npm install -g keyden
# or
npx keyden  # no install required
02

Create your vault

keyden creates ~/.keyden/vault.enc encrypted with your chosen password. Use KEYDEN_PASSWORD env var to skip the prompt in scripts.

keyden init
# Enter vault password: ••••••••
# Confirm password:    ••••••••
# ✓ Vault created at ~/.keyden/vault.enc
03

Store secrets

Store any key/value pair. Values are encrypted immediately — they never appear in any log or file.

keyden set GEMINI_API_KEY
# Enter value for GEMINI_API_KEY: ••••••••••
# ✓ Stored GEMINI_API_KEY

# Or pass the value inline
keyden set DATABASE_URL "postgres://user:pass@host/db"

# Or pipe from stdin
cat secret.txt | keyden set API_KEY --stdin
04

Run your app with secrets injected

keyden run spawns your command with all vault secrets pre-loaded into process.env. No code changes needed in your app.

keyden run node server.js
keyden run npm start
keyden run npm run dev

# Shell features need an explicit interpreter
keyden run bash -c "echo $GEMINI_API_KEY"

Node.js SDK

Use the SDK for programmatic access — the key is derived once and cached in memory for 5 minutes, so repeated get() calls are fast.

const keyden = require('keyden');

// Option A: explicit open (recommended for servers)
await keyden.open(process.env.KEYDEN_PASSWORD);
const apiKey = await keyden.get('GEMINI_API_KEY');

// Option B: KEYDEN_PASSWORD env var — no open() needed
const apiKey = await keyden.get('GEMINI_API_KEY');

// Check existence without throwing
const exists = await keyden.has('OPTIONAL_KEY');

// List all keys
const keys = await keyden.list();

// Clean up session key from memory
keyden.close();

Non-interactive mode

Set KEYDEN_PASSWORD in your shell profile to skip password prompts in scripts, tests, and CI pipelines.

Mac / Linux

# Add to ~/.zshrc or ~/.bash_profile
export KEYDEN_PASSWORD="your-vault-password"

# Reload your profile
source ~/.zshrc

# Now all keyden commands run without a password prompt
keyden list
keyden run npm start

Windows — PowerShell

# Add to your PowerShell profile (run: notepad $PROFILE)
$env:KEYDEN_PASSWORD = "your-vault-password"

# Reload your profile
. $PROFILE

# Now all keyden commands run without a password prompt
keyden list
keyden run npm start

Windows — Command Prompt

:: Add a persistent user-level variable (no restart needed for new terminals)
setx KEYDEN_PASSWORD "your-vault-password"

:: Open a new Command Prompt window, then:
keyden list
keyden run npm start

Something not working?

Run keyden doctor to diagnose vault setup — it checks file existence, permissions (chmod 600), and whether KEYDEN_PASSWORD decrypts the vault correctly.

keyden doctor
CLI reference →Browse examples →