# cordon secret

> Manage secrets in the OS keyring.

Store and manage credentials in the OS keyring for use with cordon's `keyring` secret source.

Secret commands take a keyring account name directly — they are decoupled from routes and config files. Use `cordon route show <name>` or `cordon listener show <name>` to find the keyring account for a route or listener.

<Tip>
  No `--config` or `--scope` flags — secret commands operate on the OS keyring directly by account name, independent of any config file.
</Tip>

## cordon secret set

Store a secret in the OS keyring.

```bash
cordon secret set ACCOUNT [--yes]
```

The keyring service name is always `cordon`. The command prompts for the secret value interactively (the value is not echoed to the terminal). If an entry already exists for the account, it prompts for confirmation before overwriting.

| Argument / Option | Description                                    |
| ----------------- | ---------------------------------------------- |
| `ACCOUNT`         | Keyring account name                           |
| `--yes`, `-y`     | Skip confirmation prompts (overwrite existing) |

### Example

```bash
# Find the keyring account for a route:
cordon route show stripe
# → account: stripe-api-key

# Store the credential:
cordon secret set stripe-api-key
# Enter secret value: ****
```

### Piped input

`cordon secret set` also accepts piped stdin for automation. The secret source
should be a secret manager or ephemeral credential — never `echo`, `printf`, or
a plaintext file:

```bash
# Good — secret comes from 1Password CLI, never touches disk or shell history
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe-api-key --yes

# Bad — secret is in shell history
echo 'sk_live_...' | cordon secret set stripe-api-key --yes

# Bad — secret is in a plaintext file on disk
cat secret.txt | cordon secret set stripe-api-key --yes
```

<Warning>
  **Avoid passing secrets through `echo`, `printf`, or files.** These expose the
  credential in shell history (`~/.zsh_history`, `~/.bash_history`) or leave it
  as plaintext on disk. Use the interactive prompt (the default) or pipe from a
  secret manager.
</Warning>
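
To check whether the patterns in this warning have already been used on a machine, the following added example (not part of cordon or its documentation) scans a bash or zsh history file for entries that fed `cordon secret set` from `echo`, `printf`, `cat` or a stdin redirect. It reports only the file, line number and producer, so the credential is never reprinted; the function names and the sample history are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a shell history file for the risky `cordon secret set`
# invocations described above. Helper names and sample data are constructed.

# Print history entries with the zsh EXTENDED_HISTORY prefix
# (": 1700000000:0;") removed, so one pattern fits bash and zsh files.
hist_commands() { sed -E 's/^: [0-9]+:[0-9]+;//' "$1"; }

# Report entries in file $1 matching ERE $2 as "<file>:<line>: <label $3>".
# Only the line number is printed; the command may contain the secret.
report_matches() {
  hist_commands "$1" | grep -nE "$2" | cut -d: -f1 |
    while read -r n; do printf '%s:%s: %s\n' "$1" "$n" "$3"; done
}

# Returns 0 if clean, 1 if risky entries were found, 2 if unreadable.
audit_cordon_history() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  set_cmd='cordon[[:space:]]+secret[[:space:]]+set'
  out=$(
    # Producer piped into the command. [^|]* also spans a semicolon, so this
    # errs toward over-reporting rather than missing a secret that has one.
    for p in echo printf cat; do
      report_matches "$1" \
        "(^|[^[:alnum:]_-])${p}[[:space:]][^|]*[|][[:space:]]*${set_cmd}" "$p"
    done
    # Plaintext file or here-string redirected into stdin of the command.
    report_matches "$1" "${set_cmd}[^|;&]*<" "stdin redirect"
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample: bash-style and zsh-style entries, placeholder secret.
sample_history() {
  cat <<'EOF'
cordon route show stripe
: 1700000000:0;echo 'sk_live_CONSTRUCTED' | cordon secret set stripe-api-key --yes
op read "op://Engineering/Stripe API Key/secret_key" | cordon secret set stripe-api-key --yes
cat secret.txt | cordon secret set stripe-api-key --yes
cordon secret set stripe-api-key
EOF
}
```

Run it as `audit_cordon_history ~/.zsh_history` (or `~/.bash_history`); the non-zero exit status on a finding lets it gate an onboarding or CI check.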

<Warning>
  On macOS, use `cordon secret set` rather than the `security` CLI to store credentials. Cordon needs to own the keychain entry to read it without triggering an authorization dialog on every request. See [Secret Sources](/configuration/secret-sources#platform-differences) for details.
</Warning>

<Warning>
  **macOS SSH / headless sessions:** Keychain may reject writes with `Platform secure storage failure: User interaction is not allowed.` See [Secret Sources: macOS troubleshooting](/configuration/secret-sources#troubleshooting-macos) for the unlock steps.
</Warning>

## cordon secret delete

Remove a secret from the OS keyring. Prompts for confirmation before deleting.

```bash
cordon secret delete ACCOUNT [--yes]
```

| Argument / Option | Description              |
| ----------------- | ------------------------ |
| `ACCOUNT`         | Keyring account name     |
| `--yes`, `-y`     | Skip confirmation prompt |

```bash
# Delete a keyring entry
cordon secret delete stripe-api-key

# Skip confirmation
cordon secret delete stripe-api-key --yes
```
