Configuration
Learn how to configure the SecretStash CLI package in your Laravel application or standalone PHP project.
The SecretStash CLI can be configured differently depending on whether you are using it within a Laravel application or as a standalone tool in any PHP project.
Laravel Configuration
Once you've installed the SecretStash CLI and optionally published the configuration file, you can customize its behavior in config/secret-stash.php.
API Token
Your personal API token for authenticating with the SecretStash API. You can generate this token using the secret-stash:token command or through the SecretStash web interface.
It's recommended to store your API token in your .env file as SECRET_STASH_API_TOKEN rather than hardcoding it in the configuration file.
Application ID
The unique application ID supplied to you by the SecretStash service. This ID identifies which application's variables the CLI should interact with.
Ignored Variables
A list of environment variables that should be ignored when pushing to or pulling from the SecretStash API. These keys are case-sensitive.
Note that variables starting with the SECRET_STASH_ prefix are always ignored by default and do not need to be added to this list.
API URL
The base URL for your SecretStash API instance. This should include the protocol (http/https) and domain, but not the /api path.
This is only for testing and evaluation purposes.
Publish the Config File
To publish the configuration file, run:
Standalone Configuration
When using the CLI outside of Laravel (via vendor/bin/secret-stash), there is no config file to publish. Instead, the CLI resolves configuration using the following priority order:
- System environment variables (highest priority)
.envfile in the current working directory- Default values
This means you can configure the CLI entirely through your project's .env file or by exporting environment variables in your shell.
Default Values
When running in standalone mode, the following defaults apply:
| Setting | Default Value |
|---|---|
api_url | https://secretstash.cloud |
ignored_variables | APP_KEY, APP_ENV |
In standalone mode, the ignored variables list cannot be customized via a config file. The defaults (APP_KEY and APP_ENV) are always used, along with any variables starting with the SECRET_STASH_ prefix.
Key Directory Override
By default, the SecretStash CLI stores device keys and metadata in the ~/.secret-stash/ directory. You can override this path by setting the SECRET_STASH_KEY_DIR environment variable:
When SECRET_STASH_KEY_DIR is set, all SecretStash CLI commands (secret-stash:variables, secret-stash:envelope, secret-stash:keys, etc.) will read device keys and metadata from the specified directory instead of ~/.secret-stash/.
This is primarily used to support temporary device keys in CI/CD pipelines. When you run secret-stash:keys init --temporary, the CLI generates keys into an isolated /tmp directory and prints the SECRET_STASH_KEY_DIR export line. Setting this variable in subsequent pipeline steps allows those commands to locate the temporary keys.
The directory specified by SECRET_STASH_KEY_DIR must contain valid device_private_key.pem and device.json files. If the directory does not exist or the key files are missing, CLI commands will fail.
Environment Variables
Both Laravel and standalone modes support the following environment variables. In Laravel, these are typically set in your .env file and read via config/secret-stash.php. In standalone mode, they are read directly from system environment variables or the .env file.
| Variable | Description | Default |
|---|---|---|
SECRET_STASH_API_TOKEN | Your personal API token | null |
SECRET_STASH_APPLICATION_ID | Your SecretStash Application ID | null |
SECRET_STASH_API_URL | The base URL for the SecretStash API | https://secretstash.cloud |
SECRET_STASH_KEY_DIR | Override the default ~/.secret-stash/ key directory | ~/.secret-stash/ |
Learn how to use these settings in the Commands section.