PushKey

.env Injection

Write assigned keys directly into project .env files.

How it works

pushkey inject merges assigned keys into the project's .env — existing values for other variables are preserved. .env is automatically added to .gitignore if not already present.

pushkey inject /path/to/project

Assign keys to a project first

pushkey assign OPENAI_API_KEY /path/to/project
pushkey assign STRIPE_SECRET_KEY /path/to/project
pushkey inject /path/to/project
# → writes both keys to /path/to/project/.env

CI/CD

Pass the vault password via environment variable for non-interactive pipelines:

PUSHKEY_PASSWORD="${{ secrets.VAULT_PASS }}" pushkey inject .

GitHub Actions

- name: Inject secrets
  env:
    PUSHKEY_PASSWORD: ${{ secrets.VAULT_PASS }}
  run: |
    pip install pushkey
    pushkey inject .

Vercel

pushkey inject . && vercel env pull

Notes

  • Inject is non-destructive — it only writes keys assigned to the project and leaves all other .env lines untouched
  • The .env file is created if it doesn't exist
  • Running inject again updates values if they've been rotated in the vault
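The merge behaviour described in these notes, sketched as an added Python example. It is not PushKey's own code: the function names, the unquoted KEY=value output, the 0600 mode for a new file and the handling of duplicate lines are assumptions.

```python
import os
import re
from pathlib import Path

# KEY=... or "export KEY=..."; comment and blank lines do not match.
_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")


def merge_env(project_dir, assigned):
    """Merge assigned (name -> value) into <project_dir>/.env; return new text."""
    env_path = Path(project_dir) / ".env"
    lines = env_path.read_text().splitlines() if env_path.exists() else []
    pending = dict(assigned)
    out = []
    for line in lines:
        m = _ASSIGN.match(line)
        name = m.group(1) if m else None
        if name in pending:
            # Assigned key already present: replace the value in place.
            out.append(f"{name}={pending.pop(name)}")
        elif name in assigned:
            # Assumption: drop a later duplicate so a stale value cannot win.
            continue
        else:
            out.append(line)  # other variables, comments, blanks: unchanged
    out.extend(f"{k}={v}" for k, v in pending.items())  # keys not yet in file
    text = "".join(l + "\n" for l in out)
    # Assumption: a newly created .env is owner-only (0600); an existing
    # file keeps whatever mode it already has.
    fd = os.open(env_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    ensure_gitignored(project_dir)
    return text


def ensure_gitignored(project_dir, entry=".env"):
    """Add entry to .gitignore unless that exact line exists. True if added."""
    gi = Path(project_dir) / ".gitignore"
    current = gi.read_text() if gi.exists() else ""
    if entry in (l.strip() for l in current.splitlines()):
        return False
    sep = "" if current == "" or current.endswith("\n") else "\n"
    gi.write_text(current + sep + entry + "\n")
    return True
```

A .gitignore entry does not untrack a .env that was already committed, so in an existing repository confirm that `git ls-files .env` prints nothing.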
