← Back to home

CLI Reference

All MeowPass CLI commands. Install with brew install meowrithm/tap/meowpass.

Quickstart (4 commands)

From zero to running
brew install meowrithm/tap/meowpass mp login mp init mp run -- npm start

After init, all commands use your default vault automatically — no --vault flag needed.

Getting Started

mp login

Authenticate via browser. Opens a device flow, sets your master password, generates encryption keys.

Usage: mp login
Example
$ mp login Opening your browser to authorize the CLI... URL: https://meowpass.dev/activate Code: ABCD-1234 Waiting for authorization... ✓ Logged in as you@example.com Master password set. Your secrets are E2E encrypted.
mp init

Scan for .env files, create a vault, encrypt and push all secrets. Sets as default vault.

Usage: mp init [--name vault-name] [--vault existing-id]
--name Vault name (default: directory name)
--vault Use existing vault instead of creating one
Example
$ mp init Found 2 env file(s): • .env • .env.production Create vault "my-project"? [Y/n] y Created vault "my-project" (ID: abc123) Pushed 12 secrets from .env Pushed 8 secrets from .env.production Set as default vault (no --vault flag needed) Next steps: mp pull → restore .env anytime mp run -- cmd → inject secrets into a process mp diff → check for drift
mp doctor

Check MeowPass configuration, API connectivity, auth status, and vault health.

Usage: mp doctor
Example
$ mp doctor MeowPass Doctor ================ [OK] Config file ~/.meowpass/config.yaml [OK] API reachable 245ms [OK] Authentication you@example.com (pro) [OK] Encryption salt found [OK] Master key cache cached in keychain [OK] Default vault my-project

Secrets

mp set

Encrypt and store a secret. Creates version 1 or bumps version on update.

Usage: mp set KEY VALUE [--vault id] [--ttl duration]
--vault Vault ID (optional if default set)
--ttl Auto-expire after duration (e.g., 24h, 30m, 168h)
Example
$ mp set STRIPE_KEY sk_live_abc123 Secret 'STRIPE_KEY' set (version 1) $ mp set DEPLOY_TOKEN xyz --ttl 24h Secret 'DEPLOY_TOKEN' set (version 1) [expires in 24h]
mp get

Decrypt a secret. Copies to clipboard by default.

Usage: mp get KEY [--vault id] [--no-clipboard]
--no-clipboard Print to stdout instead of clipboard
Example
$ mp get STRIPE_KEY Secret 'STRIPE_KEY' copied to clipboard $ mp get STRIPE_KEY --no-clipboard sk_live_abc123
mp list

List all secret keys in a vault with versions and last update date.

Usage: mp list [--vault id]
Example
$ mp list KEY VERSION UPDATED DATABASE_URL v3 2026-05-05 STRIPE_KEY v1 2026-05-04 OPENAI_API_KEY v2 2026-05-03
mp delete

Permanently delete a secret from the vault.

Usage: mp delete KEY [--vault id]
Example
$ mp delete OLD_TOKEN Secret 'OLD_TOKEN' deleted.

Sync & Run

mp pull

Decrypt all secrets and write to a .env file.

Usage: mp pull [--vault id] [--env name]
--env Environment name (writes .env.{name})
Example
$ mp pull Synced 12 secrets to .env $ mp pull --env production Synced 8 secrets to .env.production
mp push

Parse a local .env file, encrypt, and upload all secrets to the vault.

Usage: mp push [--vault id] [--env name]
Example
$ mp push Pushed 12 secrets from .env $ mp push --env staging Pushed 6 secrets from .env.staging
mp run

Decrypt vault secrets and inject into a subprocess as environment variables. Secrets never touch disk.

Usage: mp run [--vault id] [--env name] -- command [args...]
Example
$ mp run -- npm start [server] Listening on :3000 $ mp run -- docker compose up $ mp run -- python manage.py runserver $ mp run -- go run .
mp diff

Compare local .env with vault secrets. Shows added, removed, and changed keys with values.

Usage: mp diff [--vault id] [--env name] [--exit-on-drift]
--exit-on-drift Exit code 1 if differences found (for CI)
Example
$ mp diff + NEW_LOCAL_KEY (local only) - REMOVED_KEY (vault only) ~ DATABASE_URL (value differs) = STRIPE_KEY (unchanged) Comparing .env ↔ vault: 1 added, 1 removed, 1 changed

Versioning & Rotation

mp history

Show version history for a secret. Last 10 versions are retained.

Usage: mp history KEY [--vault id]
Example
$ mp history DATABASE_URL History for DATABASE_URL: VERSION DATE v4 2026-05-05 14:22 (current) v3 2026-04-28 09:11 v2 2026-04-15 16:45 v1 2026-04-01 10:30
mp rollback

Restore a secret to a previous version. Creates a new version (non-destructive).

Usage: mp rollback KEY --version N [--vault id]
Example
$ mp rollback DATABASE_URL --version 2 Rolled back 'DATABASE_URL' from v4 to v2 (now at v5)
mp rotate

Generate new vault key, re-encrypt all secrets. Client-side only — zero-knowledge maintained.

Usage: mp rotate [--vault id]
Example
$ mp rotate Rotated vault key and re-encrypted 12 secrets. Note: team members may need to re-sync their vault key.

Vaults & Teams

mp vault create

Create a new encrypted vault.

Usage: mp vault create NAME
Example
$ mp vault create my-api Vault 'my-api' created (ID: a1b2c3d4)
mp vault list

List all vaults you own or have access to.

Usage: mp vault list
Example
$ mp vault list ID NAME CREATED a1b2c3d4 my-api 2026-05-01 e5f6g7h8 my-web 2026-05-04
mp share

Share a vault with a team. Vault key is re-encrypted per member via X25519.

Usage: mp share VAULT_ID --team TEAM_ID
Example
$ mp share a1b2c3d4 --team t1a2b3c4 Vault shared with team. E2E encrypted.
mp team create

Create a team for vault sharing.

Usage: mp team create NAME
Example
$ mp team create backend Team 'backend' created (ID: t1a2b3c4)
mp team invite

Invite a member to a team by email.

Usage: mp team invite EMAIL --team ID [--role member|admin|owner]
Example
$ mp team invite sarah@acme.dev --team t1a2b3c4 --role admin

Utilities

mp export-key

Print derived master key and salt for CI/CD setup.

Usage: mp export-key [--format text|env|json]
Example
$ mp export-key Master Key (hex): b6b1ab19b15c1d17... Salt (base64): eNiyZD1y2Qgd8Suv... Default Vault: a1b2c3d4-... Add these as GitHub secrets: MEOWPASS_MASTER_KEY → the hex string above MEOWPASS_SALT → the base64 string above MEOWPASS_VAULT_ID → your vault ID MEOWPASS_TOKEN → from: mp apikey create ci-key $ mp export-key --format env MEOWPASS_MASTER_KEY=b6b1ab19b15c1d17... MEOWPASS_SALT=eNiyZD1y2Qgd8Suv... MEOWPASS_VAULT_ID=a1b2c3d4-...
mp apikey create

Generate an API key for MCP server or CI/CD.

Usage: mp apikey create NAME
Example
$ mp apikey create my-mcp-key API key created: mp_a1b2c3d4e5f6... Save this key — it won't be shown again.
mp git-hook install

Install a pre-commit hook for drift detection.

Usage: mp git-hook install [--vault id] [--strict]
--strict Block commits when drift detected (default: warn only)
Example
$ mp git-hook install Installed pre-commit hook (warn-only mode) $ mp git-hook install --strict Installed pre-commit hook (strict mode)
mp whoami

Show current authenticated user.

Usage: mp whoami
Example
$ mp whoami Email: you@example.com Name: Your Name Plan: pro