Providers Reference
SecretSpec supports multiple storage backends for secrets. Each provider has its own URI format and configuration options.
DotEnv Provider
Section titled “DotEnv Provider”URI: dotenv://[path] - Stores secrets in .env files
dotenv:// # Uses default .envdotenv:///config/.env # Custom pathdotenv://config/.env # Relative pathFeatures: Read/write, profiles, human-readable, no encryption
Environment Provider
Section titled “Environment Provider”URI: env:// - Read-only access to system environment variables
env:// # Current process environmentFeatures: Read-only, no setup required, no persistence
Keyring Provider
Section titled “Keyring Provider”URI: keyring:// - Uses system keychain/keyring for secure storage
keyring:// # System default keychainFeatures: Read/write, secure encryption, profiles, cross-platform
Storage: Service secretspec/{project}, username {profile}:{key}
LastPass Provider
Section titled “LastPass Provider”URI: lastpass://[folder] - Integrates with LastPass via lpass CLI
lastpass://work # Store in work folderlastpass:///personal/projects # Nested folderlastpass://localhost # Root (no folder)Features: Read/write, cloud sync, profiles via folders, auto-sync
Prerequisites: lpass CLI, authenticated with lpass login
Storage: Item name {folder}/{profile}/{project}/{key}
OnePassword Provider
Section titled “OnePassword Provider”URI: onepassword://[account@]vault or onepassword+token://user:token@vault
onepassword://MyVault # Default accountonepassword://work@CompanyVault # Specific accountonepassword+token://user:op_token@SecureVault # Service accountFeatures: Read/write, cloud sync, profiles via vaults, service accounts
Prerequisites: op CLI, authenticated with op signin
Storage: Item name {project}/{key}, tags automated, {project}
Provider Selection
Section titled “Provider Selection”Command Line
Section titled “Command Line”# Simple provider namessecretspec get API_KEY --provider keyringsecretspec get API_KEY --provider dotenvsecretspec get API_KEY --provider env
# URIs with configurationsecretspec get API_KEY --provider dotenv:/path/to/.envsecretspec get API_KEY --provider onepassword://vaultsecretspec get API_KEY --provider "onepassword://account@vault"Environment Variables
Section titled “Environment Variables”export SECRETSPEC_PROVIDER=keyringexport SECRETSPEC_PROVIDER="dotenv:///config/.env"Security Considerations
Section titled “Security Considerations”| Provider | Encryption | Storage Location | Network Access |
|---|---|---|---|
| DotEnv | ❌ Plain text | Local filesystem | ❌ No |
| Environment | ❌ Plain text | Process memory | ❌ No |
| Keyring | ✅ System encryption | System keychain | ❌ No |
| LastPass | ✅ End-to-end | Cloud (LastPass) | ✅ Yes |
| OnePassword | ✅ End-to-end | Cloud (OnePassword) | ✅ Yes |