Documentation

ConfigShield Docs

Everything you need to manage secrets from the command line and via API.

Quick Start

Get up and running in under 60 seconds.

Download the CLI

Terminal

$ pip install configshield

"color:#6b7280"># Or download directly
$ curl -o configshield.py https://configshield.app/cli/configshield.py

Configure your API key

Get your API key from Dashboard → API Keys

Terminal

$ configshield config --api-key cs_live_your_key_here
  DONE  API key saved: cs_live_your_key_...

Pull your secrets

Terminal

$ configshield pull --project my-app --env production
  [1]  Finding project 'my-app'...
  [2]  Pulling secrets from my-app (production)...
  [3]  Writing 24 secrets to .env.production...
  DONE  Pulled 24 secrets to .env.production

Installation

The ConfigShield CLI has zero dependencies -- it uses only the Python standard library.

Option A: pip install (recommended)

Terminal

$ pip install configshield

Option B: Direct download

Terminal

"color:#6b7280"># Download the single-file CLI
$ curl -o configshield.py https://configshield.app/cli/configshield.py

"color:#6b7280"># Make executable (macOS/Linux)
$ chmod +x configshield.py

"color:#6b7280"># Run
$ python configshield.py --version
configshield 1.0.0

Requirements

Python 3.8 or later
No external dependencies
Works on macOS, Linux, and Windows

Configuration

Configuration is stored in ~/.configshield/config.json.

Set your API key

Terminal

$ configshield config --api-key cs_live_xxxxxxxxxxxxx

Set a default project

Terminal

"color:#6b7280"># So you don't need --project every time
$ configshield config --default-project my-app

Custom API URL (self-hosted)

Terminal

$ configshield config --api-url https://your-api.example.com

View current config

Terminal

$ configshield config

  Current Configuration
  ========================================
  API Key:         cs_live_abc12345...
  API URL:         https://api.configshield.app
  Default Project: my-app
  Config File:     /home/user/.configshield/config.json

Config file format

~/.configshield/config.json

{
  "api_key": "cs_live_xxxxxxxxxxxxx",
  "api_url": "https://api.configshield.app",
  "default_project": "my-app"
}

Pull Secrets

Download secrets from ConfigShield and write them to a local .env file.

Basic pull

Terminal

$ configshield pull --project my-app --env production

This creates .env.production in the current directory. Development environment creates .env by default.

Pull to a specific file

Terminal

$ configshield pull --project my-app --env staging --output .env.staging

Pull to stdout (for piping)

Terminal

$ configshield pull --project my-app --env production --stdout
DATABASE_URL=postgresql://user:pass@host:5432/db
REDIS_URL=redis://default:xxx@redis:6379
STRIPE_KEY=sk_live_xxxxxxxxx

"color:#6b7280"># Pipe to another command
$ configshield pull --project my-app --stdout | grep DATABASE

Force overwrite

Terminal

"color:#6b7280"># Skip the "overwrite?" prompt
$ configshield pull --project my-app --env production --force

All pull options

Flag	Short	Description
`--project`	`-p`	Project name (or use default)
`--env`	`-e`	Environment: development, staging, production
`--output`	`-o`	Output file path (default: .env or .env.{env})
`--stdout`		Print to stdout instead of file
`--force`	`-f`	Overwrite without prompting

Push Secrets

Upload a local .env file to ConfigShield.

Terminal

"color:#6b7280"># Push .env to a project
$ configshield push --project my-app --env development
  [1]  Reading .env...
  INFO  Found 15 secrets in .env
  [2]  Finding project 'my-app'...
  [3]  Pushing 15 secrets to my-app (development)...
  DONE  Imported 15 secrets, skipped 0

Push a specific file

Terminal

$ configshield push --project my-app --env production --file .env.production

All Commands

Command	Description
`configshield config`	View or set configuration (API key, URL, default project)
`configshield list`	List all your projects
`configshield pull`	Pull secrets to a .env file
`configshield push`	Push a .env file to ConfigShield
`configshield status`	Check connection and account info
`configshield --version`	Show CLI version

CI/CD Integration

Use ConfigShield in your deployment pipeline to pull secrets at build time.

GitHub Actions

.github/workflows/deploy.yml

name: Deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install ConfigShield CLI
        run: pip install configshield

      - name: Pull production secrets
        env:
          CONFIGSHIELD_API_KEY: ${{ secrets.CONFIGSHIELD_API_KEY }}
        run: |
          configshield config --api-key $CONFIGSHIELD_API_KEY
          configshield pull --project my-app --env production --force

      - name: Deploy
        run: npm run deploy

Docker

Dockerfile

FROM python:3.12-slim

"color:#6b7280"># Install ConfigShield CLI
RUN pip install configshield

"color:#6b7280"># Pull secrets at build time
ARG CONFIGSHIELD_API_KEY
RUN configshield config --api-key $CONFIGSHIELD_API_KEY
RUN configshield pull --project my-app --env production --force

"color:#6b7280"># Your app
COPY . /app
WORKDIR /app
CMD ["python", "main.py"]

Railway

Terminal

"color:#6b7280"># Set your API key as a Railway variable
$ railway variables set CONFIGSHIELD_API_KEY=cs_live_xxx

"color:#6b7280"># In your start script, pull secrets first
$ configshield config --api-key $CONFIGSHIELD_API_KEY && configshield pull --project my-app --env production --force && npm start

API Reference

Base URL: https://api.configshield.app
Authentication: X-API-Key: cs_live_xxx header

Authentication

POST/api/auth/registerCreate a new account

POST/api/auth/loginGet access + refresh tokens

GET/api/auth/meGet current user profile

POST/api/auth/refreshRefresh access token

POST/api/auth/forgot-passwordSend password reset email

POST/api/auth/reset-passwordReset password with token

PATCH/api/auth/preferencesUpdate notification preferences

Projects

Create and manage projects.

GET/api/projectsList all projects

POST/api/projectsCreate a new project

GET/api/projects/:idGet project details

PATCH/api/projects/:idUpdate a project

DELETE/api/projects/:idDelete a project

Secrets

Create, read, update, and delete secrets within a project.

GET/api/projects/:id/secretsList all secrets (masked values)

POST/api/projects/:id/secretsCreate a secret

GET/api/projects/:id/secrets/:sidGet secret (decrypted)

PUT/api/projects/:id/secrets/:sidUpdate a secret

DELETE/api/projects/:id/secrets/:sidDelete a secret

POST/api/projects/:id/secrets/importImport .env content

GET/api/projects/:id/secrets/exportExport as .env format

API Keys

Manage API keys for programmatic access.

POST/api/auth/api-keysCreate a new API key (Pro only)

GET/api/auth/api-keysList all API keys

DELETE/api/auth/api-keys/:idRevoke an API key

cURL Examples

List projects

Terminal

$ curl -s https://api.configshield.app/api/projects \
  -H "X-API-Key: cs_live_your_key" | python -m json.tool

Create a secret

Terminal

$ curl -X POST https://api.configshield.app/api/projects/PROJECT_ID/secrets \
  -H "X-API-Key: cs_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"key": "DATABASE_URL", "value": "postgresql://...", "description": "Main database"}'

Export secrets as .env

Terminal

$ curl -s https://api.configshield.app/api/projects/PROJECT_ID/secrets/export \
  -H "X-API-Key: cs_live_your_key" | python -c "import sys,json; print(json.load(sys.stdin)['content'])"

Import .env file

Terminal

$ curl -X POST https://api.configshield.app/api/projects/PROJECT_ID/secrets/import \
  -H "X-API-Key: cs_live_your_key" \
  -H "Content-Type: application/json" \
  -d "{\"env_text\": \"$(cat .env)\"}"

Update email preferences

Terminal

$ curl -X PATCH https://api.configshield.app/api/auth/preferences \
  -H "X-API-Key: cs_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{"daily_digest": false}'

Need Help?

We're here to help you get the most out of ConfigShield.

Email Support

Go to Dashboard