Secret Commands

The kdx secret command manages organization secrets used by platform resources such as Activity steps, modules, and service bridge integrations. Secret values are write-only. The CLI can list secret names, set values securely, and delete names, but it never reads secret values back from the platform.

Available Commands

Command	Description
`list`	List secret names in an organization
`set`	Create or update a secret value
`delete`	Delete a secret name

List Secrets

kdx secret list <org-slug>

Example:

kdx secret list acme

Output:

3 secret(s) in 'acme':
  ERP_API_TOKEN
  ERP_BASE_URL
  OCR_SERVICE_KEY

Only names are returned. Values are never printed.

Set a Secret

kdx secret set <org-slug> <name> [flags]

By default, the CLI prompts for the value with no terminal echo.

kdx secret set acme ERP_API_TOKEN

For non-interactive workflows, pass exactly one value source.

Flag	Description
`--from-file <path>`	Read the value from a file and trim a single trailing newline
`--from-env <name>`	Read the value from an environment variable
`--from-stdin`	Read the value from standard input

Examples:

# From an environment variable in CI
kdx secret set acme ERP_API_TOKEN --from-env ERP_API_TOKEN

# From a local file
kdx secret set acme OCR_SERVICE_KEY --from-file ./secrets/ocr-key.txt

# From a password manager or another command
op read 'op://Engineering/ERP/token' | kdx secret set acme ERP_API_TOKEN --from-stdin

Output:

Set secret "ERP_API_TOKEN" in organization "acme" (48 bytes)

The byte count confirms that a value was sent without showing the value itself.

Delete a Secret

kdx secret delete <org-slug> <name>

Example:

kdx secret delete acme OLD_ERP_API_TOKEN

Deleting a name that does not exist is not treated as an error by the command.

Recommended Patterns

Use stable names that describe the external system and purpose:

ERP_API_TOKEN
ERP_BASE_URL
AZURE_DOCUMENT_INTELLIGENCE_KEY
CLAIMS_SYSTEM_CLIENT_SECRET

Keep environment-specific values in environment-specific organizations or sync targets. Do not commit secret values to metadata repositories. For CI/CD, store the value in the CI secret store and pass it with --from-env.

Troubleshooting

Symptom	What to check
`organization not found`	Confirm the organization slug and active profile.
`environment variable is not set`	Confirm the variable exists in the current shell or CI job.
`stdin is not a terminal`	In non-interactive mode, pass `--from-file`, `--from-env`, or `--from-stdin`.
Secret appears to be missing at runtime	Confirm the Activity step or service bridge references the exact secret name.

​Secret Commands

​Available Commands

​List Secrets

​Set a Secret

​Delete a Secret

​Recommended Patterns

​Troubleshooting