prune
Delete secrets from a target platform. This is a remote-only operation — it does not affect your local vault.
Basic Usage
Remove a specific key from a target:
cred prune github JWT_SECRET --yes
Remove multiple keys:
cred prune github JWT_SECRET OLD_API_KEY --yes
Dry Run
Preview what will be deleted:
cred prune github JWT_SECRET --dry-run
Prune All
Remove all known keys from a target:
cred prune github --all --yes
This removes all secrets that cred has pushed to this target.
Environment-Specific Prune
Prune secrets from a specific environment:
cred prune github OLD_KEY --env prod --yes
Options
| Flag | Description |
|---|---|
--env <name> | Prune from specific environment |
--repo <owner/repo> | Explicit repository (GitHub) |
--project <id> | Explicit project ID (Vercel) |
--app <name> | Explicit app name (Fly.io) |
--force | Ignore per-secret target scopes |
--dry-run | Preview without deleting |
--yes | Confirm destructive operation |
--all | Prune all known secrets |
--json | Machine-readable output |
Safety
⚠️ Destructive operations require --yes unless using --dry-run.
This prevents accidental deletion of production secrets.
Local vs Remote
| Operation | Command |
|---|---|
| Delete from vault (local) | cred secret remove KEY --yes |
| Delete from target (remote) | cred prune github KEY --yes |
| Delete from both | Run both commands |
Workflow Example
Remove a secret completely:
# Remove from GitHub first
cred prune github OLD_SECRET --yes
# Then remove from local vault
cred secret remove OLD_SECRET --yes