Command-Line Interface

API Stronghold
CLI

Manage Secrets From Your Terminal

The API Stronghold CLI lets you manage API keys, generate environment files, sync secrets to cloud providers, and control access — all from the command line. Available for macOS, Linux, and Windows.

Installation

Install the CLI with a single command. It auto-detects your platform and adds itself to your PATH.

macOS & Linux

Run this command in your terminal:

curl -fsSL https://www.apistronghold.com/cli/install.sh | sh

Installs to /usr/local/bin/ (if writable) or ~/.local/bin/

Supports both curl and wget

Verifies installation automatically

Windows

Run this command in Command Prompt:

curl -fsSL https://www.apistronghold.com/cli/install.cmd -o install.cmd && install.cmd && del install.cmd

Installs to %USERPROFILE%\.api-stronghold\bin\

Automatically adds to your user PATH (no admin required)

Restart your terminal after installing for the PATH change to take effect

Windows (Git Bash / WSL)

If you're using Git Bash, WSL, or another Unix-like shell on Windows, use the same command as macOS/Linux:

curl -fsSL https://www.apistronghold.com/cli/install.sh | sh

The shell installer detects Windows environments (MINGW, MSYS, Cygwin) and installs accordingly.

Authentication

Authenticate once, then use the CLI non-interactively in scripts, containers, and CI/CD pipelines.

API User Token

Recommended for automation

Non-interactive authentication for scripts, containers, and CI/CD. Create an API user in the dashboard and authenticate with the token.

api-stronghold-cli auth api-user --token <TOKEN>

Browser Login

For human users

Interactive OAuth login that opens your browser. Tokens auto-refresh so you stay logged in.

api-stronghold-cli login

Command Reference

Everything you need to manage secrets from the command line.

Key Management

Command	Description
`key list`	List all API keys you have access to
`key get <name>`	Decrypt and retrieve a specific key value
`key create <name> <value>`	Create a new API key
`key update <id> <name> <value>`	Update an existing key
`key delete <id>`	Delete an API key

Deployment Profiles

Command	Description
`deployment list`	List all deployment profiles
`deployment create <name> <provider> <projectId> <env>`	Create a new deployment profile
`deployment sync <id>`	Sync secrets to a deployment (GitHub, Vercel, Cloudflare)
`deployment sync --all`	Sync all deployment profiles at once
`deployment env-file <env> <filename>`	Generate a `.env` file from a deployment
`deployment env-file <env> --stdout`	Output export statements for `eval` usage
`deployment add-mapping <deploymentId> <keyId> <envVar>`	Map a key to an environment variable name
`deployment list-mappings <deploymentId>`	View all key mappings for a deployment

Groups & Access Control

Command	Description
`group list`	List all user groups
`group create <name>`	Create a new user group
`group add-members <groupId> <userId>`	Add members to a group
`group assign-api-keys <groupId> <keyIds>`	Control which keys a group can access
`group assign-deployments <groupId> <deploymentIds>`	Assign deployment profiles to a group
`group my-resources`	View keys and deployments accessible to you

Global Flags

Flag	Description
`--api-url <url>`	Override the API endpoint
`--config <path>`	Custom config file path (default: `~/.api-stronghold/config.yaml`)
`--version, -v`	Show CLI version
`--help, -h`	Show help for any command

Common Workflows

Practical examples for everyday usage.

Generate a .env file

Pull secrets from a deployment profile and write them to a local .env file.

api-stronghold-cli deployment env-file production .env

Load secrets into the current shell

Export secrets as environment variables without writing a file. Ideal for container entrypoints and CI/CD.

eval $(api-stronghold-cli deployment env-file production --stdout)

Sync secrets to cloud providers

Push secrets to GitHub Actions, Vercel, or Cloudflare in a single command.

# Sync one deployment

api-stronghold-cli deployment sync production

# Sync all deployments

api-stronghold-cli deployment sync --all

Use in CI/CD pipelines

Authenticate with an API user token and inject secrets at build time.

# Authenticate (store token as a CI secret)

api-stronghold-cli auth api-user --token $API_STRONGHOLD_TOKEN

# Load secrets and run your build

eval $(api-stronghold-cli deployment env-file production --stdout)

npm run build

Security

The CLI is built with zero-knowledge encryption at its core.

Zero-Knowledge Encryption

All keys are encrypted client-side with AES-256-GCM before leaving your machine. The server never sees plaintext values.

Server-Side Access Control

Key exclusion rules are enforced on the server. The CLI only ever receives keys the user is authorized to access.

Encrypted Credential Storage

Stored credentials use PBKDF2 with 310,000 iterations for key derivation. Tokens auto-refresh without re-prompting.

Automatic Token Refresh

Session tokens refresh automatically in the background. No manual re-authentication needed for long-running processes.

Ready to Get Started?

Install the CLI and start managing your secrets from the terminal in minutes.