Quickstart
Sign in, create a project, and sync your first .env file in under a minute.
This walks you from a fresh install to a synced .env file. It assumes you have
already installed the CLI.
Sign in
klef loginThis opens your browser so you can sign in with a magic link, Google, or GitHub. Once you are signed in, the CLI asks for your encryption password. This password is what unlocks your secrets, and it is never sent to the server.
Your encryption password is not recoverable by Klef
If you forget it, you recover access with the recovery code shown once at
signup, using klef login --recover. Klef cannot reset it for you, because
Klef never sees it.
Create a project
From the root of your app, create a project. This writes a .klef file to the
current directory:
klef init my-appThe .klef file holds the project id and default environment. It contains no
secrets and is meant to be committed to git.
Push your local secrets
If you already have a .env.local, encrypt it and upload it:
klef pushEvery value is encrypted on your machine before it leaves. The server stores only ciphertext.
Pull on another machine
On a second machine, install the CLI, sign in, link the directory to the same project, and pull:
klef link my-app
klef pullklef pull is a smart merge. It updates changed values, appends new keys, and
preserves your existing comments and ordering in .env.local.
Run your app with secrets injected
You do not have to write secrets to disk to use them. Inject them straight into a process:
klef run -- npm run devWhat to commit
| File | Commit to git? | Why |
|---|---|---|
.klef | Yes | Project id and default environment. No secrets. |
.env.local | No | Contains plaintext secret values on your machine only. |
Next step
Learn the building blocks in Core concepts, or jump to the full Command reference.