Secrets
How EZKeel manages secrets with Infisical — from declaration to injection.
How It Works
EZKeel uses Infisical as its secrets backend. Instead of scattering .env files across developer machines (where they get stale, leaked, or lost), secrets live in a centralized, access-controlled vault with per-environment scoping.
The flow is:
- Declare required secrets in
workspace.yaml - Add secret values in the Infisical dashboard (per environment: dev, staging, prod)
- Inject them at runtime with
ezkeel secrets inject
Declaring Secrets
In your workspace.yaml, list the environment variables your project requires:
This serves as documentation and enables validation. EZKeel knows which secrets the project needs and can warn you if any are missing.
Adding Secrets
Add the actual secret values through the Infisical dashboard or CLI:
Via the Infisical Dashboard
- Open
https://secrets.example.comin your browser - Navigate to your project
- Select the environment (e.g. "Development")
- Click "Add Secret" and enter the key/value pair
Via the Infisical CLI
Injecting Secrets
The ezkeel secrets inject command exports secrets as shell export statements. Use eval to load them into your current shell:
Tip: Add eval $(ezkeel secrets inject dev) to your shell profile or Dev Container postStartCommand to inject secrets automatically when you start working.
Automatic Injection with ezkeel ai
When you run ezkeel ai, secrets are injected automatically. The CLI determines which API key the tool needs and fetches it from Infisical before launching:
| Tool | Required Secret |
|---|---|
claude | ANTHROPIC_API_KEY |
codex | OPENAI_API_KEY |
local / ollama/* | none (runs locally) |
Secrets in Dev Containers
To have secrets available inside your Dev Container, add the injection command to your container's lifecycle hooks. In .devcontainer/devcontainer.json:
This ensures that every time the container starts, the latest secrets from Infisical are loaded into the environment — no stale .env files required.