Getting Started
Get from zero to your first secret push in under 5 minutes.
1. Initialize your project
cred init
This creates .cred/vault.enc in your project and stores the encryption key in your OS credential store.
cred automatically detects targets from your project:
Initialized new cred project at .cred/
🔑 Encryption key generated and stored in the System Credential Store
📍 Detected targets:
github: owner/repo
Run 'cred target set <target>' to authenticate each target.
2. Authenticate a target
cred target set github
You’ll be prompted for a fine-grained personal access token (PAT) with the Actions secrets permission. The token is stored per project, so each project can use a different token. This matters for fine-grained PATs, which are scoped to specific repos.
3. Store a secret
cred secret set DATABASE_URL "postgres://user:pass@localhost/db"
4. Push to GitHub
Preview first:
cred push github --dry-run
Then push:
cred push github
No --repo flag needed — cred uses the target binding saved during init.
Done! Your secret is now in GitHub Actions.
Working with Environments
Organize secrets by environment (dev, staging, prod):
# Create environments
cred env create staging
cred env create prod
# Set secrets in specific environments
cred secret set DATABASE_URL "postgres://prod..." --env prod
# Push prod secrets to GitHub
cred push github --env prod
See env command for more details.
Next steps:
- Commands Reference — all available commands
- Environments — organize secrets by environment
- Sources — generate credentials from APIs like Resend
- Security Model — how your secrets are protected