CLI
The sablefort command-line interface brings your vaults into scripts, terminals, and pipelines. It authenticates as you (or as a service account), decrypts items locally, and can inject secrets into a process environment so they never sit in a plaintext file.
Install
Install with the method that fits your platform:
# macOS / Linux (Homebrew)
brew install sablefort/tap/sablefort
# Linux (script)
curl -fsSL https://get.sablefort.com/cli | sh
# Windows (winget)
winget install Sablefort.CLI
Verify the install:
$ sablefort --version
sablefort 2.4.1
Sign in
Run sablefort login to authenticate interactively. The CLI opens your browser to complete sign-in (including SSO and two-factor if your org requires them), then unlocks locally with your master password.
$ sablefort login
→ Opening https://app.sablefort.com/cli-auth ...
→ Waiting for browser authentication... done
→ Unlocking on this device...
✓ Signed in as ada@example.com (org: Example, Inc.)
The session is cached in your OS keychain and refreshes automatically. Sign out on a shared machine with sablefort logout.
List vaults
sablefort vault list shows the vaults you can access.
$ sablefort vault list
NAME ITEMS ROLE
engineering 42 editor
on-call 9 viewer
finance 17 viewer
Add --json to any command for machine-readable output:
$ sablefort vault list --json
[
{ "name": "engineering", "items": 42, "role": "editor" },
{ "name": "on-call", "items": 9, "role": "viewer" }
]
Read an item
Use sablefort get to read a single item or field. Reference an item by vault/item and optionally a field name.
# Print all non-secret fields of an item
$ sablefort get engineering/"Deploy Key"
# Print just one field's value (nothing else) — ideal for piping
$ sablefort get engineering/"Deploy Key" --field password
s3cr3t-…
Because output is meant for scripting, --field prints only the value with no label, so you can assign it directly:
DEPLOY_TOKEN="$(sablefort get engineering/'Deploy Key' --field password)"
Inject secrets into the environment
sablefort env resolves references and runs a command with those secrets present only in that process's environment. Nothing is written to disk.
Define references in a template file — values point at items, never contain the secret itself:
# .sablefort.env
DEPLOY_TOKEN=ref://engineering/Deploy Key/password
DB_URL=ref://engineering/App Database/connection_string
Then run your command with those variables populated:
$ sablefort env --file .sablefort.env -- ./deploy.sh
The -- separates Sablefort's flags from the command to run. When deploy.sh exits, the secrets leave memory with the process.
Use in CI
In a pipeline, authenticate with a non-interactive service-account token rather than the browser flow. Create the token in the admin console under Service accounts, scope it to only the vaults the job needs, and store it in your CI provider's secret store.
# The runner exposes SABLEFORT_TOKEN as a masked CI secret.
# The CLI reads it automatically — no interactive login needed.
$ export SABLEFORT_TOKEN="sk_live_…"
$ sablefort env --file .sablefort.env -- npm run deploy
A complete GitHub Actions step:
- name: Deploy
env:
SABLEFORT_TOKEN: ${{ secrets.SABLEFORT_TOKEN }}
run: |
curl -fsSL https://get.sablefort.com/cli | sh
sablefort env --file .sablefort.env -- ./deploy.sh
Command reference
| Command | Description |
|---|---|
sablefort login | Authenticate and unlock on this device. |
sablefort logout | End the session and clear the cached token. |
sablefort vault list | List accessible vaults. |
sablefort item list <vault> | List items in a vault. |
sablefort get <vault>/<item> | Read an item; add --field for one value. |
sablefort env --file <f> -- <cmd> | Run a command with referenced secrets in its environment. |
sablefort whoami | Show the current account and org. |