ov secret

import { Aside } from ‘@astrojs/starlight/components’;

App context

Every secret lives inside an app. The CLI resolves which app to target in this order:

--app flag (highest priority)
Your configured default (set via ov app use)

ov app use my-saas             # set default once
ov secret set DATABASE_URL     # targets my-saas automatically
ov secret list                 # lists secrets in my-saas

Commands

Command	Description
`ov secret set <name>`	Create or update a secret
`ov secret get <name>`	Decrypt and print a secret value to stdout
`ov secret delete <name>`	Delete a secret
`ov secret list`	List all secret names in the active app
`ov secret import <file>`	Bulk import from `.env`, JSON, CSV, or a secret manager export

ov secret set

ov secret set DATABASE_URL
ov secret set DATABASE_URL --app my-saas

Prompts for the value (hidden input). Encrypts locally with a fresh DEK, stores ciphertext on the server. If the secret already exists it is updated in place with a new DEK.

ov secret get

ov secret get DATABASE_URL
ov secret get DATABASE_URL --app my-saas

Fetches the encrypted blob, decrypts locally, prints plaintext to stdout.

Pipe to clipboard (macOS):

ov secret get DATABASE_URL | pbcopy

ov secret delete

ov secret delete DATABASE_URL
ov secret delete DATABASE_URL --app my-saas

Deletes the ciphertext blob from the server. The deletion is logged to the audit trail.

ov secret list

ov secret list
ov secret list --app my-saas

Lists all secret names for the active app. Values are never returned.

Output:

App: my-saas

NAME               UPDATED
DATABASE_URL       2026-04-10T14:32:11Z
OPENAI_API_KEY     2026-04-01T09:00:00Z
STRIPE_SECRET_KEY  2026-04-05T11:45:00Z

ov secret import

ov secret import .env.production --app my-saas
ov secret import secrets.json --app my-saas --dry-run

Bulk import from any major format. Supported sources:

Format	Flag / auto-detected
`.env` file	auto-detected or `--source env`
JSON `{"KEY": "value"}`	auto-detected or `--source json`
CSV	`--source csv`
1Password export	`--source 1password`
Bitwarden export	`--source bitwarden`
LastPass export	`--source lastpass`
Dashlane export	`--source dashlane`
Doppler export	`--source doppler`
Infisical export	`--source infisical`
HashiCorp Vault export	`--source vault`
AWS Secrets Manager export	`--source awssm`

Use --dry-run to preview what would be imported without storing anything.

Flags

Flag	Description
`--app NAME`	Target app (overrides default)