Docs · quickstart

Ship your first agent with a real key in under five minutes.

Three steps: install the CLI, mint an agent token in the dashboard, run a process. The CLI keeps the secret out of disk, env files, and shell history. The Python SDK does the same for code.

1. Create your workspace

Sign up free at app.secrevo.com. Login is delegated to PrysmID — pick email + password or any social provider. The Free plan gives you 3 identities, 1 workspace, 2 projects, and 7 days of audit log, permanently. No credit card.

If your organization already has a Secrevo workspace, ask the owner to invite you instead of creating a new one. They invite you from /members in their dashboard.

2. Install the CLI

The installer downloads the right binary for your OS/arch, verifies its SHA-256 against the release checksums.txt, and drops it in a user-writable directory (no sudo, no admin).

macOS / Linux

curl -fsSL https://github.com/getsecrevo/cli/releases/latest/download/install.sh | bash

Default install location: ~/.local/bin/secrevo. Override with SECREVO_INSTALL_DIR=/opt/secrevo. Pin a tag with SECREVO_VERSION=v0.2.0.

Windows (PowerShell 5.1+)

irm https://github.com/getsecrevo/cli/releases/latest/download/install.ps1 | iex

Default install location: %LOCALAPPDATA%\secrevo\bin\secrevo.exe. Override with $env:SECREVO_INSTALL_DIR.

From source (Go ≥ 1.25)

go install github.com/getsecrevo/cli/cmd/secrevo@latest

Verify

secrevo version

You should see the tag of the release you installed (for example secrevo v0.2.0). Anything ending in -dev means you are looking at a local build, not a release.

3. Mint an agent token

Agent tokens are how non-human callers (your scripts, CI jobs, deployed services) authenticate to the API. Every token belongs to a human owner and inherits their grants — revoke the human and every token they minted dies with them.

Open app.secrevo.com/agents.
Click New agent. Give it a name that describes the process (for example summarize-bot).
Copy the token shown once. It looks like agt_…. The dashboard will never show it again.

Export it in the shell where you will run the CLI:

export SECREVO_API_TOKEN=agt_...
export SECREVO_WORKSPACE_ID=workspace-...

On Windows PowerShell:

$env:SECREVO_API_TOKEN = "agt_..."
$env:SECREVO_WORKSPACE_ID = "workspace-..."

The workspace ID is shown at the top of the dashboard. SECREVO_API_BASE_URL defaults to https://api.secrevo.com and only needs to be set if you run against a self-hosted instance.

4. Run your first command

Put a real key in your workspace from the dashboard at app.secrevo.com/secrets — for example a real OPENAI_API_KEY. Then:

secrevo run --secret OPENAI_API_KEY -- python -c "import os; print(bool(os.environ['OPENAI_API_KEY']))"

You should see True. The secret was fetched from the API, injected into the subprocess's environment, and never touched disk. The child process's exit code is propagated, so secrevo run -- false exits 1.

Inject several secrets at once, or rename them on the way in:

secrevo run \
  --secret AWS_ACCESS_KEY_ID \
  --secret AWS_SECRET_ACCESS_KEY \
  -- aws s3 ls

secrevo run --secret prod-stripe=STRIPE_API_KEY -- npm test

Use the Python SDK

For code that should fetch secrets itself instead of inheriting them from secrevo run:

pip install secrevo-sdk
# or with a third-party integration:
pip install "secrevo-sdk[openai]"

from secrevo_sdk import SecrevoClient

with SecrevoClient.from_env() as secrevo:
    # Native OpenAI client, key already wired. Value never enters your code.
    openai = secrevo.openai_for("OPENAI_API_KEY")
    reply = openai.responses.create(
        model="gpt-5",
        input="What is the capital of France?",
    )
    print(reply.output_text)

Same pattern for anthropic_for, stripe_for, aws_session_for, and github_for. An AsyncSecrevoClient ships for FastAPI / asyncio. Full surface and offline-cache options in the SDK README.

Reference & repos

github.com/getsecrevo/cli — CLI source, releases, install scripts.
github.com/getsecrevo/sdk-python — Python SDK source.
pypi.org/project/secrevo-sdk — published SDK releases.
api.secrevo.com — production API base URL. Health check at /healthz.
app.secrevo.com — dashboard (sign-in required).
Security overview · Status · Privacy · Terms · DPA

Troubleshooting

`secrevo version` prints `0.1.0-dev`

You are running a local go build, not an installed release. Reinstall using one of the one-liners above.

`401 unauthorized` from the CLI or SDK

Either SECREVO_API_TOKEN is unset / typo'd, or the agent token was revoked. Mint a new one from app.secrevo.com/agents.

`403 forbidden` reading a secret you can see in the dashboard

The agent inherits the grants of its owner. If you can see a secret as a member but the agent can't, check that the owner — not just the workspace — has a grant on it. Owners can audit their agents' effective access from /agents.

Windows SmartScreen warns the installer is unsigned

The release binaries are not Authenticode-signed yet. Verify the SHA-256 against checksums.txt on the release page before running. Signing is on the roadmap.

Something else

Open an issue at getsecrevo/cli/issues or write to [email protected].