The CLI provides three layers of secret and configuration management: vault for raw encrypted storage, secrets for a convenience layer with automatic key prefixing, and vars for plaintext variables.
Overview
| Layer | Encrypted | Prefix | Use Case |
|---|---|---|---|
| tc vault | Yes | None (raw keys) | Low-level encrypted storage |
| tc secrets | Yes | Auto-prefixed (secrets/) | Application secrets (API keys, tokens) |
| tc vars | No | Auto-prefixed (vars/) | Plaintext configuration (feature flags, URLs) |
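The vault and secrets commands require a private key. Set TC_PRIVATE_KEY as an environment variable or pass --private-key on each command. A key passed with --private-key is a command-line argument, so it can end up in shell history and in the process list; on shared hosts and CI runners, prefer TC_PRIVATE_KEY.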
Vault
The vault provides raw encrypted key-value storage. You manage the full key path yourself.
tc vault unlock
Unlock the vault for the current session. Required before other vault operations.
$ tc vault unlock
Vault unlocked for profile "default".
tc vault put
Store an encrypted value.
tc vault put <key> <value>
$ tc vault put my-app/api-key "sk_live_abc123..."
Encrypted and stored: my-app/api-key
tc vault get
Retrieve and decrypt a value.
$ tc vault get my-app/api-key
Key: my-app/api-key
Value: sk_live_abc123...
$ tc vault get my-app/api-key --json
{
  "key": "my-app/api-key",
  "value": "sk_live_abc123..."
}
tc vault delete
Delete an encrypted value.
$ tc vault delete my-app/api-key
Deleted: my-app/api-key
tc vault list
List all vault keys.
$ tc vault list
Vault keys:
my-app/api-key
my-app/db-password
services/stripe-secret
3 keys total
tc vault head
Get metadata for a vault key without decrypting the value.
$ tc vault head my-app/api-key
Key: my-app/api-key
Size: 128 bytes (encrypted)
Updated: 2026-03-07T10:00:00.000Z
Secrets
The secrets commands are a convenience layer on top of the vault. Keys are automatically prefixed with secrets/, so tc secrets put api-key "value" stores the value at secrets/api-key in the vault.
tc secrets put
Store a secret.
tc secrets put <name> <value>
$ tc secrets put stripe-key "sk_live_abc123..."
Secret stored: stripe-key
tc secrets get
Retrieve a secret.
$ tc secrets get stripe-key
stripe-key = sk_live_abc123...
$ tc secrets get stripe-key --json
{
  "name": "stripe-key",
  "value": "sk_live_abc123..."
}
tc secrets list
List all secrets.
$ tc secrets list
Secrets:
stripe-key
database-url
jwt-secret
3 secrets total
tc secrets delete
Delete a secret.
$ tc secrets delete stripe-key
Secret deleted: stripe-key
Variables
Variables are plaintext key-value pairs for non-sensitive configuration. They are stored unencrypted and do not require a private key.
tc vars put
Store a variable.
tc vars put <name> <value>
$ tc vars put api-url "https://api.example.com"
Variable stored: api-url
tc vars get
Retrieve a variable.
$ tc vars get api-url
api-url = https://api.example.com
tc vars list
List all variables.
$ tc vars list
Variables:
api-url
feature-new-ui
log-level
3 variables total
tc vars delete
Delete a variable.
Practical Examples
Application Configuration
# Store secrets (encrypted)
tc secrets put DATABASE_URL "postgres://user:pass@host:5432/db"
tc secrets put STRIPE_KEY "sk_live_abc123"
# Store config (plaintext)
tc vars put API_BASE_URL "https://api.example.com"
tc vars put LOG_LEVEL "info"
tc vars put FEATURE_NEW_DASHBOARD "true"
# Read in a script
DB_URL=$(tc secrets get DATABASE_URL --json | jq -r '.value')
API_URL=$(tc vars get API_BASE_URL --json | jq -r '.value')
CI/CD Pipeline
# In CI, set the private key from your CI secrets (quoted so the value is not word-split)
export TC_PRIVATE_KEY="$CI_TINYCLOUD_KEY"
# Create the files below readable only by the current user
umask 077
# Pull secrets for deployment
tc secrets get DATABASE_URL --json | jq -r '.value' > .env.database
tc secrets get STRIPE_KEY --json | jq -r '.value' > .env.stripe
# Pull config variables
tc vars get API_BASE_URL --json | jq -r '.value' >> .env
Use tc secrets for anything sensitive (API keys, passwords, tokens). Use tc vars for non-sensitive configuration (URLs, feature flags, log levels) that does not need encryption.
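A hardened form of the CI/CD pulls above, as an added example that is not part of the tc documentation: `jq -r '.value'` prints the literal `null` when the field is missing and prints nothing when `tc` fails, and a plain `>` creates the file with the runner's default umask. The helper names `write_secret_file`, `file_mode` and `pull_secret` are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of the tc CLI.

# Read one secret value from stdin and write it to "$1" with mode 0600.
# Refuses empty input and the literal "null" that `jq -r '.value'` prints
# when the field is missing, so a failed lookup never becomes a credential.
write_secret_file() {
    dest=$1
    value=$(cat)    # command substitution strips the trailing newline
    case $value in
        ''|null)
            echo "refusing to write $dest: empty or null value" >&2
            return 1 ;;
    esac
    tmp="$dest.tmp.$$"
    rm -f "$tmp"    # a stale temp file would keep its old permissions
    # The subshell confines umask 077: the file is 0600 from creation on.
    ( umask 077 && printf '%s\n' "$value" > "$tmp" ) || return 1
    mv -f "$tmp" "$dest"    # rename into place: no half-written file
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Fetch secret "$1" with the commands shown on this page and store it in "$2".
# If tc fails, jq emits nothing and write_secret_file rejects the empty value.
pull_secret() {
    tc secrets get "$1" --json | jq -r '.value' | write_secret_file "$2"
}

# In a pipeline:
#   pull_secret DATABASE_URL .env.database || exit 1
#   pull_secret STRIPE_KEY   .env.stripe   || exit 1
```
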