gon secrets
Manage shared environment variables stored in the GON Registry. Secrets are encrypted at rest and automatically injected into .env when running gon install.
Commands
gon secrets:set KEY=VALUE [--description "..."] # Store or update a secret
gon secrets:list # List all secret keys
gon secrets:delete KEY # Delete a secret
secrets:set
Stores or updates a secret in the Registry. The key must be uppercase with underscores (UPPER_SNAKE_CASE). If the key already exists, its value is overwritten.
gon secrets:set GEOIP_API_KEY=B321F682C4F646B0D48114FBDE3F9C6C
gon secrets:set STRIPE_SECRET_KEY=sk_live_... --description "Stripe payment gateway"
Requires authentication (gon auth). Only users with admin access can manage secrets.
secrets:list
Displays all stored secret keys with their descriptions and last update time. Values are never shown.
gon secrets:list
secrets:delete
Deletes a secret from the Registry. Prompts for confirmation before deleting.
gon secrets:delete GEOIP_API_KEY
Automatic injection
When running gon install in a new project, all secrets are automatically fetched from the Registry and merged into the local .env file. Existing values in .env are not overwritten.
gon install # Fetches secrets and appends them to .env
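The merge rule described above (fetched secrets are appended, existing .env values win), modeled as a small shell function. This is an added illustration, not gon's own code: the function name merge_env, the fetched-file input, the acceptance of digits in keys and the owner-only file mode are assumptions of the example.

```shell
#!/bin/sh
# Added illustration of the documented merge semantics; not gon's implementation.

# merge_env FETCHED ENVFILE   (hypothetical helper)
# Appends KEY=VALUE lines from FETCHED to ENVFILE only when KEY is not already
# defined there. Prints the number of keys appended on stdout.
merge_env() {
    fetched=$1
    envfile=$2
    added=0

    # Create the target with owner-only permissions if it does not exist yet.
    if [ ! -e "$envfile" ]; then
        ( umask 077; : > "$envfile" )
    fi

    # Start on a fresh line if the existing file lacks a trailing newline.
    if [ -s "$envfile" ] && [ -n "$(tail -c 1 "$envfile")" ]; then
        printf '\n' >> "$envfile"
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
            *=*) ;;                # KEY=VALUE, handled below
            *) continue ;;         # anything else is ignored
        esac
        key=${line%%=*}
        # UPPER_SNAKE_CASE only, as secrets:set requires (digits: assumption).
        if ! printf '%s\n' "$key" | grep -Eq '^[A-Z][A-Z0-9_]*$'; then
            printf 'skipping invalid key: %s\n' "$key" >&2
            continue
        fi
        # A value already present in .env wins and is never overwritten.
        if grep -Eq "^(export[[:space:]]+)?${key}=" "$envfile"; then
            continue
        fi
        printf '%s\n' "$line" >> "$envfile"
        added=$((added + 1))
    done < "$fetched"

    # .env holds plaintext values: restrict it to the owner (added precaution).
    chmod 600 "$envfile"
    printf '%s\n' "$added"
}
```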
Admin UI
Secrets can also be managed through the GON Registry admin panel at /admin/registry/secrets. By default, values are encrypted and displayed as ****. Non-sensitive secrets (e.g. public API keys) can be marked as not sensitive, in which case the value is stored and displayed in plaintext.