CLI

The sablefort command-line interface brings your vaults into scripts, terminals, and pipelines. It authenticates as you (or as a service account), decrypts items locally, and can inject secrets into a process environment so they never sit in a plaintext file.

Install

Install with the method that fits your platform:

# macOS / Linux (Homebrew)
brew install sablefort/tap/sablefort

# Linux (script)
curl -fsSL https://get.sablefort.com/cli | sh

# Windows (winget)
winget install Sablefort.CLI

Verify the install:

$ sablefort --version
sablefort 2.4.1

Sign in

Run sablefort login to authenticate interactively. The CLI opens your browser to complete sign-in (including SSO and two-factor if your org requires them), then unlocks locally with your master password.

$ sablefort login
→ Opening https://app.sablefort.com/cli-auth ...
→ Waiting for browser authentication... done
→ Unlocking on this device...
✓ Signed in as ada@example.com (org: Example, Inc.)

The session is cached in your OS keychain and refreshes automatically. Sign out on a shared machine with sablefort logout.

For unattended use (CI, servers), authenticate with a service-account token instead of the browser flow. See Use in CI below.

List vaults

sablefort vault list shows the vaults you can access.

$ sablefort vault list
NAME          ITEMS   ROLE
engineering   42      editor
on-call       9       viewer
finance       17      viewer

Add --json to any command for machine-readable output:

$ sablefort vault list --json
[
  { "name": "engineering", "items": 42, "role": "editor" },
  { "name": "on-call", "items": 9, "role": "viewer" }
]

Read an item

Use sablefort get to read a single item or field. Reference an item by vault/item and optionally a field name.

# Print all non-secret fields of an item
$ sablefort get engineering/"Deploy Key"

# Print just one field's value (nothing else) — ideal for piping
$ sablefort get engineering/"Deploy Key" --field password
s3cr3t-…

Because output is meant for scripting, --field prints only the value with no label, so you can assign it directly:

DEPLOY_TOKEN="$(sablefort get engineering/'Deploy Key' --field password)"

Inject secrets into the environment

sablefort env resolves references and runs a command with those secrets present only in that process's environment. Nothing is written to disk.

Define references in a template file — values point at items, never contain the secret itself:

# .sablefort.env
DEPLOY_TOKEN=ref://engineering/Deploy Key/password
DB_URL=ref://engineering/App Database/connection_string

Then run your command with those variables populated:

$ sablefort env --file .sablefort.env -- ./deploy.sh

The -- separates Sablefort's flags from the command to run. When deploy.sh exits, the secrets leave memory with the process.

Use in CI

In a pipeline, authenticate with a non-interactive service-account token rather than the browser flow. Create the token in the admin console under Service accounts, scope it to only the vaults the job needs, and store it in your CI provider's secret store.

# The runner exposes SABLEFORT_TOKEN as a masked CI secret.
# The CLI reads it automatically — no interactive login needed.
$ export SABLEFORT_TOKEN="sk_live_…"

$ sablefort env --file .sablefort.env -- npm run deploy

A complete GitHub Actions step:

- name: Deploy
  env:
    SABLEFORT_TOKEN: ${{ secrets.SABLEFORT_TOKEN }}
  run: |
    curl -fsSL https://get.sablefort.com/cli | sh
    sablefort env --file .sablefort.env -- ./deploy.sh
Scope service-account tokens tightly and rotate them on a schedule. A token only grants what its vault membership allows, and every read is written to the audit log.

Command reference

CommandDescription
sablefort loginAuthenticate and unlock on this device.
sablefort logoutEnd the session and clear the cached token.
sablefort vault listList accessible vaults.
sablefort item list <vault>List items in a vault.
sablefort get <vault>/<item>Read an item; add --field for one value.
sablefort env --file <f> -- <cmd>Run a command with referenced secrets in its environment.
sablefort whoamiShow the current account and org.