The TinyCloud Secret Vault is a dedicated encrypted secrets management system for your applications. Store API keys, database credentials, tokens, and other sensitive values with end-to-end encryption — then access them from the CLI, CI/CD pipelines, or the web-based Secrets Manager.

How It Works

TinyCloud provides three layers for managing configuration and secrets, each designed for a different use case:

Secret Vault

tc secrets — End-to-end encrypted storage purpose-built for application secrets. API keys, tokens, passwords, database credentials.

Data Vault

tc vault — Lower-level encrypted KV storage. Use when you need encrypted values with full control over key paths.

Variables

tc vars — Plaintext configuration values. Not encrypted. Feature flags, endpoint URLs, log levels, and other non-sensitive config.

| Layer | Encrypted | Use Case | Example |
| --- | --- | --- | --- |
| tc secrets | Yes | Sensitive credentials | STRIPE_KEY, DATABASE_URL |
| tc vault | Yes | Lower-level encrypted KV | Custom key paths, binary data |
| tc vars | No | Non-sensitive config | API_BASE_URL, LOG_LEVEL |

The tc vault and tc vars commands require a private key. Set TC_PRIVATE_KEY as an environment variable or pass --private-key on each command. tc secrets uses the active authenticated profile and also accepts --private-key as an override.

Secret Vault

The Secret Vault (tc secrets) is the primary way to manage application secrets. Values are end-to-end encrypted and organized under a dedicated secrets namespace in your space.

tc secrets put

Store an encrypted secret.
tc secrets put <name> <value>
$ tc secrets put STRIPE_KEY "sk_live_abc123..."
{
  "name": "STRIPE_KEY",
  "written": true
}

tc secrets get

Retrieve and decrypt a secret.
tc secrets get <name>
$ tc secrets get STRIPE_KEY
{
  "name": "STRIPE_KEY",
  "value": "sk_live_abc123..."
}

tc secrets list

List all secrets in the default scope, or pass --scope for a logical secret scope.
tc secrets list
$ tc secrets list
{
  "secrets": [
    "DATABASE_URL",
    "JWT_SECRET",
    "STRIPE_KEY"
  ],
  "count": 3
}
--space <scope> is accepted as a deprecated alias for --scope <scope>. It is a logical secrets scope, not a TinyCloud space URI.

tc secrets delete

Delete a secret.
tc secrets delete <name>
$ tc secrets delete STRIPE_KEY
{
  "name": "STRIPE_KEY",
  "deleted": true
}

tc secrets manage

Open the TinyCloud Secrets Manager web UI in your browser.
tc secrets manage
$ tc secrets manage
{
  "opened": "https://secrets.tinycloud.xyz"
}
This launches the browser-based Secrets Manager for visual management of your secrets.

Scoped Secrets

Secrets support logical scopes. By default, tc secrets commands operate in the default scope. Use --scope to organize secrets for environments, teams, or services.
# List secrets in the default scope
tc secrets list

# List secrets in a logical scope
tc secrets list --scope team-prod

# Get a scoped secret
tc secrets get DATABASE_URL --scope team-prod
Do not pass full TinyCloud space URIs to tc secrets --space; that flag is a deprecated alias for logical --scope.

Secrets Manager Web UI

The TinyCloud Secrets Manager at secrets.tinycloud.xyz is a browser-based interface for viewing and managing your secrets. It authenticates through OpenKey and provides a visual alternative to the CLI.
1. Open the Secrets Manager

Run tc secrets manage or navigate directly to secrets.tinycloud.xyz.

2. Authenticate

Sign in with your OpenKey-linked identity. The web UI uses the same authentication as the CLI.

3. Manage secrets

View, create, update, and delete secrets across your spaces from the browser. Changes are immediately reflected in the CLI.
The Secrets Manager web UI is useful for onboarding team members, auditing stored secrets, and managing secrets without terminal access.

Data Vault

The Data Vault (tc vault) provides lower-level encrypted key-value storage. Unlike the Secret Vault, you manage the full key path yourself, giving you complete flexibility over how data is organized.

tc vault unlock

Unlock the vault for the current session. Required before other vault operations.
tc vault unlock
$ tc vault unlock
{
  "unlocked": true
}

tc vault put

Store an encrypted value.
tc vault put <key> <value>
$ tc vault put my-app/api-key "sk_live_abc123..."
{
  "key": "my-app/api-key",
  "written": true
}

tc vault get

Retrieve and decrypt a value.
tc vault get <key>
$ tc vault get my-app/api-key
{
  "key": "my-app/api-key",
  "data": "sk_live_abc123..."
}

tc vault delete

Delete an encrypted value.
tc vault delete <key>
$ tc vault delete my-app/api-key
{
  "key": "my-app/api-key",
  "deleted": true
}

tc vault list

List all vault keys.
tc vault list
$ tc vault list
{
  "keys": [
    "my-app/api-key",
    "my-app/db-password",
    "services/stripe-secret"
  ],
  "count": 3,
  "prefix": null
}

tc vault head

Get metadata for a vault key without decrypting the value.
tc vault head <key>
$ tc vault head my-app/api-key
{
  "key": "my-app/api-key",
  "exists": true,
  "metadata": {
    "contentLength": 128
  }
}

Variables

Variables (tc vars) store plaintext key-value pairs for non-sensitive configuration. They are not encrypted. The current CLI requires a private key via TC_PRIVATE_KEY or --private-key.

tc vars put

Store a variable.
tc vars put <name> <value>
$ tc vars put API_BASE_URL "https://api.example.com"
{
  "name": "API_BASE_URL",
  "written": true
}

tc vars get

Retrieve a variable.
tc vars get <name>
$ tc vars get API_BASE_URL
{
  "name": "API_BASE_URL",
  "value": "https://api.example.com"
}

tc vars list

List all variables.
tc vars list
$ tc vars list
{
  "variables": [
    "API_BASE_URL",
    "FEATURE_NEW_UI",
    "LOG_LEVEL"
  ],
  "count": 3
}

tc vars delete

Delete a variable.
tc vars delete <name>

Practical Examples

Application Configuration

# Vault and vars require a private key.
export TC_PRIVATE_KEY="$TINYCLOUD_PRIVATE_KEY"

# Store secrets (encrypted via Secret Vault)
tc secrets put DATABASE_URL "postgres://user:pass@host:5432/db"
tc secrets put STRIPE_KEY "sk_live_abc123"
tc secrets put JWT_SECRET "super-secret-jwt-key"

# Store config (plaintext variables)
tc vars put API_BASE_URL "https://api.example.com"
tc vars put LOG_LEVEL "info"
tc vars put FEATURE_NEW_DASHBOARD "true"

# Read in a script
DB_URL=$(tc secrets get DATABASE_URL | jq -r '.value')
API_URL=$(tc vars get API_BASE_URL | jq -r '.value')

CI/CD Pipeline

# In CI, set the private key from your CI secrets
export TC_PRIVATE_KEY="$CI_TINYCLOUD_KEY"

# Pull secrets for deployment
tc secrets get DATABASE_URL | jq -r '.value' > .env.database
tc secrets get STRIPE_KEY | jq -r '.value' > .env.stripe

# Pull config variables
tc vars get API_BASE_URL | jq -r '.value' >> .env
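
A hardened form of the pipeline above, added here as an example and not taken from TinyCloud's documentation or code: it fails when a secret is missing instead of writing the literal text null, and it creates the output file readable by its owner only. The helper names fetch_secret and write_secret_file are hypothetical; the code assumes the JSON shape shown for tc secrets get on this page and that jq is installed.

```shell
#!/bin/sh
# Added example (not TinyCloud's own code). fetch_secret and write_secret_file
# are hypothetical helper names; the JSON shape {"name": ..., "value": ...}
# is the one shown for `tc secrets get` on this page. Requires jq.

# fetch_secret NAME [SCOPE]: print the decrypted value, or fail non-zero.
fetch_secret() (
    name=$1
    scope=${2:-}
    # Run tc on its own so its exit status is checked; in a plain
    # `tc ... | jq ...` pipeline only jq's status would be seen.
    if [ -n "$scope" ]; then
        out=$(tc secrets get "$name" --scope "$scope") || exit 1
    else
        out=$(tc secrets get "$name") || exit 1
    fi
    # `jq -r '.value'` prints the word "null" and exits 0 when the field is
    # absent. -e plus select() turns a missing, null, non-string or empty
    # value into a non-zero exit instead.
    printf '%s' "$out" |
        jq -er '.value | select(type == "string" and length > 0)'
)

# write_secret_file FILE NAME [SCOPE]: write the value to FILE as mode 0600.
write_secret_file() (
    file=$1
    umask 077
    value=$(fetch_secret "$2" "${3:-}") || exit 1
    # mktemp creates a fresh 0600 file; renaming it over FILE also replaces
    # any older, more permissive copy, which `> FILE` would not.
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    if printf '%s\n' "$value" > "$tmp" && mv -f "$tmp" "$file"; then
        exit 0
    fi
    rm -f "$tmp"
    exit 1
)

# Usage in a deploy job, mirroring the page's CI/CD snippet:
#   write_secret_file .env.database DATABASE_URL || exit 1
#   write_secret_file .env.stripe STRIPE_KEY prod || exit 1
```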

Scoped Environment Secrets

# Store production secrets in a logical scope
tc secrets put DATABASE_URL "postgres://prod:secret@db.internal:5432/app" --scope prod
tc secrets put REDIS_URL "redis://:authpass@cache.internal:6379" --scope prod

# List scoped secret names
tc secrets list --scope prod

# Read a scoped secret
tc secrets get DATABASE_URL --scope prod
Use tc secrets for anything sensitive — API keys, passwords, tokens, connection strings. Use tc vars for non-sensitive configuration like URLs, feature flags, and log levels that do not need encryption.