Skip to main content
The TinyCloud Secret Vault is a dedicated encrypted secrets management system for your applications. Store API keys, database credentials, tokens, and other sensitive values with end-to-end encryption — then access them from the CLI, CI/CD pipelines, or the web-based Secrets Manager.

How It Works

TinyCloud provides three layers for managing configuration and secrets, each designed for a different use case:

Secret Vault

tc secrets — End-to-end encrypted storage purpose-built for application secrets. API keys, tokens, passwords, database credentials.

Data Vault

tc vault — General-purpose encrypted storage for any data. Lower-level with flexible key naming. Use when you need full control over key paths.

Variables

tc vars — Plaintext configuration values. Not encrypted. Feature flags, endpoint URLs, log levels, and other non-sensitive config.
LayerEncryptedUse CaseExample
tc secretsYesSensitive credentialsSTRIPE_KEY, DATABASE_URL
tc vaultYesAny encrypted dataCustom key paths, binary data
tc varsNoNon-sensitive configAPI_BASE_URL, LOG_LEVEL
The vault and secrets commands require a private key. Set TC_PRIVATE_KEY as an environment variable or pass --private-key on each command.

Secret Vault

The Secret Vault (tc secrets) is the primary way to manage application secrets. Values are end-to-end encrypted and organized under a dedicated secrets namespace in your space.

tc secrets put

Store an encrypted secret. 
tc secrets put <name> <value>

$ tc secrets put STRIPE_KEY "sk_live_abc123..."
  Secret stored: STRIPE_KEY

tc secrets get

Retrieve and decrypt a secret. 
tc secrets get <name>

$ tc secrets get STRIPE_KEY
  STRIPE_KEY = sk_live_abc123...

tc secrets list

List all secrets in a space. 
tc secrets list

$ tc secrets list
  Secrets:
    DATABASE_URL
    JWT_SECRET
    STRIPE_KEY

  3 secrets total
To list secrets from another space, you need delegation access to that space. Without a valid delegation, the command will return an authorization error.

tc secrets delete

Delete a secret. 
tc secrets delete <name>

$ tc secrets delete STRIPE_KEY
  Secret deleted: STRIPE_KEY

tc secrets manage

Open the TinyCloud Secrets Manager web UI in your browser. 
tc secrets manage

$ tc secrets manage
  Opening Secrets Manager...
  https://secrets.tinycloud.xyz
This launches the browser-based Secrets Manager for visual management of your secrets.

Multi-Space Secrets

Secrets are scoped to a space. By default, tc secrets commands operate on your current active space. Use the --space flag to work with secrets in a different space. 
# List secrets in your current space
tc secrets list

# List secrets in a specific space
tc secrets list --space tinycloud:pkh:eip155:1:0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045:team-prod

# Get a secret from a delegated space
tc secrets get DATABASE_URL --space tinycloud:pkh:eip155:1:0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045:team-prod
Accessing secrets in another user’s space requires a delegation that grants the appropriate permissions. See Delegations & Sharing for how to create and receive delegations.

Secrets Manager Web UI

The TinyCloud Secrets Manager at secrets.tinycloud.xyz is a browser-based interface for viewing and managing your secrets. It authenticates through OpenKey and provides a visual alternative to the CLI.
1

Open the Secrets Manager

Run tc secrets manage or navigate directly to secrets.tinycloud.xyz.
2

Authenticate

Sign in with your OpenKey-linked identity. The web UI uses the same authentication as the CLI.
3

Manage secrets

View, create, update, and delete secrets across your spaces from the browser. Changes are immediately reflected in the CLI.
The Secrets Manager web UI is useful for onboarding team members, auditing stored secrets, and managing secrets without terminal access.

Data Vault

The Data Vault (tc vault) provides general-purpose encrypted key-value storage. Unlike the Secret Vault, you manage the full key path yourself, giving you complete flexibility over how data is organized.

tc vault unlock

Unlock the vault for the current session. Required before other vault operations. 
tc vault unlock

$ tc vault unlock
  Vault unlocked for profile "default".

tc vault put

Store an encrypted value. 
tc vault put <key> <value>

$ tc vault put my-app/api-key "sk_live_abc123..."
  Encrypted and stored: my-app/api-key

tc vault get

Retrieve and decrypt a value. 
tc vault get <key>

$ tc vault get my-app/api-key
  Key:    my-app/api-key
  Value:  sk_live_abc123...

tc vault delete

Delete an encrypted value. 
tc vault delete <key>

$ tc vault delete my-app/api-key
  Deleted: my-app/api-key

tc vault list

List all vault keys. 
tc vault list

$ tc vault list
  Vault keys:
    my-app/api-key
    my-app/db-password
    services/stripe-secret

  3 keys total

tc vault head

Get metadata for a vault key without decrypting the value. 
tc vault head <key>

$ tc vault head my-app/api-key
  Key:      my-app/api-key
  Size:     128 bytes (encrypted)
  Updated:  2026-03-07T10:00:00.000Z

Variables

Variables (tc vars) store plaintext key-value pairs for non-sensitive configuration. They are not encrypted and do not require a private key.

tc vars put

Store a variable. 
tc vars put <name> <value>

$ tc vars put API_BASE_URL "https://api.example.com"
  Variable stored: API_BASE_URL

tc vars get

Retrieve a variable. 
tc vars get <name>

$ tc vars get API_BASE_URL
  API_BASE_URL = https://api.example.com

tc vars list

List all variables. 
tc vars list

$ tc vars list
  Variables:
    API_BASE_URL
    FEATURE_NEW_UI
    LOG_LEVEL

  3 variables total

tc vars delete

Delete a variable. 
tc vars delete <name>

Practical Examples

Application Configuration

# Store secrets (encrypted via Secret Vault)
tc secrets put DATABASE_URL "postgres://user:pass@host:5432/db"
tc secrets put STRIPE_KEY "sk_live_abc123"
tc secrets put JWT_SECRET "super-secret-jwt-key"

# Store config (plaintext variables)
tc vars put API_BASE_URL "https://api.example.com"
tc vars put LOG_LEVEL "info"
tc vars put FEATURE_NEW_DASHBOARD "true"

# Read in a script
DB_URL=$(tc secrets get DATABASE_URL --json | jq -r '.value')
API_URL=$(tc vars get API_BASE_URL --json | jq -r '.value')

CI/CD Pipeline

# In CI, set the private key from your CI secrets
export TC_PRIVATE_KEY=$CI_TINYCLOUD_KEY

# Pull secrets for deployment
tc secrets get DATABASE_URL --json | jq -r '.value' > .env.database
tc secrets get STRIPE_KEY --json | jq -r '.value' > .env.stripe

# Pull config variables
tc vars get API_BASE_URL --json | jq -r '.value' >> .env

Team Secrets with Delegations

# Team lead: store production secrets in the team space
tc secrets put DATABASE_URL "postgres://prod:[email protected]:5432/app"
tc secrets put REDIS_URL "redis://:[email protected]:6379"

# Team lead: grant a team member read access to secrets
tc delegation create \
    --to did:pkh:eip155:1:0x5678...efgh \
    --actions kv/get,kv/list \
    --paths "secrets/*" \
    --duration 30d

# Team member: read secrets from the team space
tc secrets get DATABASE_URL \
    --space tinycloud:pkh:eip155:1:0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045:team-prod
Use tc secrets for anything sensitive — API keys, passwords, tokens, connection strings. Use tc vars for non-sensitive configuration like URLs, feature flags, and log levels that do not need encryption.