# sinch secrets

Store and retrieve custom secrets in the OS keychain. Secrets are available to your functions at runtime and during deploy — the CLI injects them from the keychain so you never put secret values in source files.

Secrets are stored under the `sinch-cli` service in the OS keychain with a `custom-` prefix. Key names must be uppercase letters, numbers, and underscores only (e.g., `API_KEY`, `DATABASE_PASSWORD`).

## sinch secrets list

List all custom secrets by key name. Values are not shown.


```sh
sinch secrets list
```

## sinch secrets add

Add or update a secret in the OS keychain. If the key already exists, the value is updated.


```sh
sinch secrets add <KEY> <VALUE>
```

Add a blank entry in your `.env` (e.g., `ELEVENLABS_API_KEY=`) so the runtime and deploy process know to load this key from the keychain.

## sinch secrets get

Retrieve a secret from the keychain. The value is hidden by default.


```sh
sinch secrets get <KEY> [--show]
```

## sinch secrets delete

Remove a secret from the keychain. Requires confirmation unless `--force` is passed.

**Aliases:** `remove`, `rm`


```sh
sinch secrets delete <KEY> [-f, --force]
```

## sinch secrets clear

Remove all custom secrets from the keychain. Requires confirmation unless `--force` is passed.


```sh
sinch secrets clear [-f, --force]
```