> ## Documentation Index
> Fetch the complete documentation index at: https://developer.kodexa.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secret Commands

> Use kdx secret commands to list, create, update, and delete write-only organization secrets used by Activity steps, modules, and service bridge integrations.

# Secret Commands

The `kdx secret` command manages organization secrets used by platform resources such as Activity steps, modules, and service bridge integrations.

Secret values are write-only. The CLI can list secret names, set values securely, and delete names, but it never reads secret values back from the platform.

## Available Commands

| Command  | Description                          |
| -------- | ------------------------------------ |
| `list`   | List secret names in an organization |
| `set`    | Create or update a secret value      |
| `delete` | Delete a secret name                 |

## List Secrets

```bash theme={null}
kdx secret list <org-slug>
```

Example:

```bash theme={null}
kdx secret list acme
```

Output:

```text theme={null}
3 secret(s) in 'acme':
  ERP_API_TOKEN
  ERP_BASE_URL
  OCR_SERVICE_KEY
```

Only names are returned. Values are never printed.

## Set a Secret

```bash theme={null}
kdx secret set <org-slug> <name> [flags]
```

By default, the CLI prompts for the value with no terminal echo.

```bash theme={null}
kdx secret set acme ERP_API_TOKEN
```

For non-interactive workflows, pass exactly one value source.

| Flag                 | Description                                                   |
| -------------------- | ------------------------------------------------------------- |
| `--from-file <path>` | Read the value from a file and trim a single trailing newline |
| `--from-env <name>`  | Read the value from an environment variable                   |
| `--from-stdin`       | Read the value from standard input                            |

Examples:

```bash theme={null}
# From an environment variable in CI
kdx secret set acme ERP_API_TOKEN --from-env ERP_API_TOKEN

# From a local file
kdx secret set acme OCR_SERVICE_KEY --from-file ./secrets/ocr-key.txt

# From a password manager or another command
op read 'op://Engineering/ERP/token' | kdx secret set acme ERP_API_TOKEN --from-stdin
```

Output:

```text theme={null}
Set secret "ERP_API_TOKEN" in organization "acme" (48 bytes)
```

The byte count confirms that a value was sent without showing the value itself.

## Delete a Secret

```bash theme={null}
kdx secret delete <org-slug> <name>
```

Example:

```bash theme={null}
kdx secret delete acme OLD_ERP_API_TOKEN
```

Deleting a name that does not exist is not treated as an error by the command.

## Recommended Patterns

Use stable names that describe the external system and purpose:

```text theme={null}
ERP_API_TOKEN
ERP_BASE_URL
AZURE_DOCUMENT_INTELLIGENCE_KEY
CLAIMS_SYSTEM_CLIENT_SECRET
```

Keep environment-specific values in environment-specific organizations or sync targets. Do not commit secret values to metadata repositories. For CI/CD, store the value in the CI secret store and pass it with `--from-env`.

## Troubleshooting

| Symptom                                 | What to check                                                                 |
| --------------------------------------- | ----------------------------------------------------------------------------- |
| `organization not found`                | Confirm the organization slug and active profile.                             |
| `environment variable is not set`       | Confirm the variable exists in the current shell or CI job.                   |
| `stdin is not a terminal`               | In non-interactive mode, pass `--from-file`, `--from-env`, or `--from-stdin`. |
| Secret appears to be missing at runtime | Confirm the Activity step or service bridge references the exact secret name. |
