Store and manage credentials in the OS keyring for use with cordon’s keyring secret source.

cordon secret set

Store a secret in the OS keyring for a route or service defined in cordon.toml.
cordon secret set NAME
Looks up the route or service by name in cordon.toml, extracts the account from its keyring config, and prompts for the secret value interactively (the value is not echoed to the terminal). The keyring service name is always cordon.
Argument / Option    Description
NAME                 Route or service name from cordon.toml
--config             Path to config file (default: cordon.toml)
--yes, -y            Skip confirmation prompts

Example

# Given this route in cordon.toml:
#   [[routes]]
#   name = "stripe"
#
#   [routes.match]
#   host = "api.stripe.com"
#
#   [routes.auth]
#   type = "bearer"
#
#   [routes.auth.secret]
#   source = "keyring"
#   account = "stripe-api-key"

# Store the credential:
cordon secret set stripe
# Enter secret: ****

Piped input

cordon secret set also accepts piped stdin for automation. The secret source should be a secret manager or ephemeral credential — never echo, printf, or a plaintext file:
# Good — secret comes from 1Password CLI, never touches disk or shell history
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe --yes

# Bad — secret is in shell history
echo 'sk_live_...' | cordon secret set stripe --yes

# Bad — secret is in a plaintext file on disk
cat secret.txt | cordon secret set stripe --yes
Avoid passing secrets through echo, printf, or files. These expose the credential in shell history (~/.zsh_history, ~/.bash_history) or leave it as plaintext on disk. Use the interactive prompt (the default) or pipe from a secret manager.
On macOS, use cordon secret set rather than the security CLI to store credentials. Cordon needs to own the keychain entry to read it without triggering an authorization dialog on every request. See Secret Sources for details.
macOS SSH / headless sessions: If you run cordon secret set over SSH, in a headless CI job, or in a detached screen/tmux session, macOS Keychain will reject the operation with "Platform secure storage failure: User interaction is not allowed". Unlock the login keychain first:
security unlock-keychain ~/Library/Keychains/login.keychain-db
This prompts for your macOS login password. Once unlocked, keychain operations work for the remainder of the session. If you have access to the Mac directly or via screen sharing, run cordon secret set from a terminal in the desktop session instead — the login keychain is already unlocked there.

cordon secret delete

Remove a secret from the OS keyring.
cordon secret delete NAME
Argument / Option    Description
NAME                 Route or service name from cordon.toml
--config             Path to config file (default: cordon.toml)