Store and retrieve custom secrets in the OS keychain. Secrets are available to your functions at runtime and during deploy — the CLI injects them from the keychain so you never put secret values in source files.
Secrets are stored under the sinch-cli service in the OS keychain with a custom- prefix. Key names must be uppercase letters, numbers, and underscores only (e.g., API_KEY, DATABASE_PASSWORD).
List all custom secrets by key name. Values are not shown.
sinch secrets listAdd or update a secret in the OS keychain. If the key already exists, the value is updated.
sinch secrets add <KEY> <VALUE>When run from a function directory (one containing an .env file), the command also appends KEY= to .env for you — that empty placeholder is what tells the deploy step to substitute the keychain value at upload time. If .env already declares the key, the existing line is left as is. If the line already has a non-empty value, the .env value wins over the keychain at deploy — clear it (KEY=) if you want the keychain value used instead.
If there is no .env in the current directory (e.g. running the command globally), only the keychain is updated; declare the key manually in your function's .env for it to ship.
Retrieve a secret from the keychain. The value is hidden by default.
sinch secrets get <KEY> [--show]Remove a secret from the keychain. Requires confirmation unless --force is passed.
Aliases: remove, rm
sinch secrets delete <KEY> [-f, --force]Remove all custom secrets from the keychain. Requires confirmation unless --force is passed.
sinch secrets clear [-f, --force]