Store and manage credentials in the OS keyring for use with cordon’s keyring secret source.

cordon secret set

Store a secret in the OS keyring for a route or service defined in cordon.toml.
cordon secret set <name>
Looks up the route or service by name in cordon.toml, extracts the account from its keyring config, and prompts for the secret value interactively (the value is not echoed to the terminal). The keyring service name is always cordon.
Argument / Option    Description
<name>               Route or service name from cordon.toml
--config             Path to config file (default: cordon.toml)
--yes, -y            Skip confirmation prompts

Example

# Given this route in cordon.toml:
#   [[routes]]
#   name = "stripe"
#
#   [routes.match]
#   host = "api.stripe.com"
#
#   [routes.auth]
#   type = "bearer"
#
#   [routes.auth.secret]
#   source = "keyring"
#   account = "stripe-api-key"

# Store the credential:
cordon secret set stripe
# Enter secret: ****

Piped input

cordon secret set also accepts piped stdin for automation. The secret source should be a secret manager or ephemeral credential — never echo, printf, or a plaintext file:
# Good — secret comes from 1Password CLI, never touches disk or shell history
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe --yes

# Bad — secret is in shell history
echo 'sk_live_...' | cordon secret set stripe --yes

# Bad — secret is in a plaintext file on disk
cat secret.txt | cordon secret set stripe --yes
Avoid passing secrets through echo, printf, or files. These expose the credential in shell history (~/.zsh_history, ~/.bash_history) or leave it as plaintext on disk. Use the interactive prompt (the default) or pipe from a secret manager.
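To check whether the bad patterns above have already been used on a machine, the following added example (not part of cordon or its documentation) scans a shell history file for lines that pipe echo, printf, or cat into cordon secret set. The function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shell history file for secrets piped into
# `cordon secret set` from echo, printf, or cat (the "Bad" patterns above).

# Print offending commands, prefixed with their line number in the file.
# Accepts plain bash history and zsh extended history (": <ts>:<dur>;<cmd>").
find_leaky_sets() {
    histfile=$1
    [ -r "$histfile" ] || return 0
    # Strip the zsh timestamp prefix, then look for echo/printf/cat at the
    # start of a command with a later pipe into `cordon secret set`.
    sed 's/^: [0-9]*:[0-9]*;//' "$histfile" |
        grep -nE '(^|[;&|[:space:]])(echo|printf|cat)[[:space:]].*\|[[:space:]]*cordon[[:space:]]+secret[[:space:]]+set([[:space:]]|$)' ||
        true   # no match is a clean result, not an error
}

# Number of offending lines in the given history file.
count_leaky_sets() {
    find_leaky_sets "$1" | wc -l | tr -d ' '
}

# Constructed sample history; the key value is a placeholder, not a real key.
write_sample_history() {
    cat > "$1" <<'EOF'
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe --yes
echo 'CONSTRUCTED-NOT-A-REAL-KEY' | cordon secret set stripe --yes
: 1700000000:0;cat secret.txt | cordon secret set stripe --yes
cordon secret set stripe
echo hello | grep h
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_history "$sample"
echo "flagged: $(count_leaky_sets "$sample")"
find_leaky_sets "$sample"
rm -f "$sample"
```

Point find_leaky_sets at ~/.zsh_history or ~/.bash_history to audit a real account; a flagged echo or printf line means the credential itself is sitting in that history file.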
On macOS, use cordon secret set rather than the security CLI to store credentials. Cordon needs to own the keychain entry to read it without triggering an authorization dialog on every request. See Secret Sources for details.

cordon secret delete

Remove a secret from the OS keyring.
cordon secret delete <name>
Argument / Option    Description
<name>               Route or service name from cordon.toml
--config             Path to config file (default: cordon.toml)