Authy — Secure Secret Injection
Inject secrets into subprocesses as environment variables. You never see, handle, or log secret values.
How It Works
Your token is run-only. You can discover secret names with authy list and inject them into subprocesses with authy run. You never see secret values directly.
Inject Secrets into a Command
authy run --scope <policy> --uppercase --replace-dash '_' -- <command> [args...]
The --uppercase --replace-dash '_' flags turn secret names like db-host into env vars like DB_HOST.
Examples:
authy run --scope deploy --uppercase --replace-dash '_' -- ./deploy.sh
authy run --scope backend --uppercase --replace-dash '_' -- node server.js
authy run --scope testing --uppercase --replace-dash '_' -- pytest
Discover Secret Names
authy list --scope <policy> --json
Output: {"secrets":[{"name":"db-host","version":1,...}]}
Write Scripts That Use Secrets
Write code that reads environment variables, then run it with authy run:
cat > task.sh << 'EOF'
#!/bin/bash
curl -H "Authorization: Bearer $API_KEY" https://api.example.com/data
EOF
chmod +x task.sh
authy run --scope my-scope --uppercase --replace-dash '_' -- ./task.sh
Error Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 2 | Auth failed — check AUTHY_TOKEN / AUTHY_KEYFILE |
| 3 | Secret or policy not found |
| 4 | Access denied or run-only restriction |
| 6 | Token invalid, expired, or revoked |
Rules
- Only use
authy runandauthy list— these are the only commands available to you - Never hardcode credentials — reference env vars, run via
authy run - Never echo, print, or log env vars in subprocess scripts — secrets exist in memory only
- Never redirect env vars to files — do not write
$SECRETto disk - Use
--scopeto limit access to needed secrets only