Skip to content


You can use any command line tool that outputs secrets either as a string or in JSON format. Choose the binary by setting secret.command in your configuration file. You can then invoke this command with the secret and secretJSON template functions which return the raw output and JSON-decoded output respectively. All of the above secret managers can be supported in this way:

Secret Manager secret.command Template skeleton
1Password op {{ secretJSON "get" "item" "$ID" }}
Bitwarden bw {{ secretJSON "get" "$ID" }}
Doppler doppler {{ secretJSON "secrets" "download" "--json" "--no-file" }}
HashiCorp Vault vault {{ secretJSON "kv" "get" "-format=json" "$ID" }}
HCP Vault Secrets vlt {{ secret "secrets" "get" "--plaintext" "$ID" }}
LastPass lpass {{ secretJSON "show" "--json" "$ID" }}
KeePassXC keepassxc-cli Not possible (interactive command only)
Keeper keeper {{ secretJSON "get" "--format=json" "$ID" }}
pass pass {{ secret "show" "$ID" }}
passhole ph {{ secret "$ID" "password" }}