mxkey

get & export

Print a secret value to stdout. Escape hatches — prefer `run`.

mxkey get <name>            # prints "value"
mxkey export <name>         # prints "ENV_VAR=value"

Both print the secret value to stdout. Use sparingly — prefer mxkey run, which never lets the value touch your shell.

When to use them

The legitimate use case is tools that can't read environment variables from a parent process and insist on parsing a file or shell-sourcing. For example, regenerating an .env on demand:

# ~/projects/myapp/scripts/gen-env.sh
for name in stripe_secret_key database_url openai_api_key; do
  mxkey export "project.myapp.$name"
done > .env.local

Then .env.local is gitignored and regenerated per dev session.

When NOT to use them

# DON'T do this
export OPENAI_API_KEY=$(mxkey get api.openai)

That puts the value in your shell's environment and in shell history (via the command line). Use mxkey run instead:

mxkey run api.openai -- curl https://api.openai.com/v1/models

Differences

getexport
Output<value><ENV_VAR>=<value>
Use caseManual one-off, piping to clipboard, etc.Bulk regeneration of .env files
Shell-source friendlyNoYes (source <(mxkey export api.foo)) — though again, prefer run.

Hard rules

  • Never use get on a backup code — that doesn't consume it, and you'll burn it twice.
  • Never paste the output of get into chat or commit it.
  • Treat get like cat private.key: it briefly exposes the value to whatever scrollback / terminal-multiplexer is recording.

See also

backup

Single-use 2FA recovery codes — atomic read-and-delete, never re-used.

Naming convention

<category>.<name> — a flat namespace with conventional category prefixes.

On this page

When to use themWhen NOT to use themDifferencesHard rulesSee also