Setup & Auth

Initialize a project, manage your encryption key, run health checks, and install the pre-commit hook.

init

vars init

Sets up a new vars project:

Creates config.vars, the encrypted secrets file (safe to commit)
Creates .varskey, the master encryption key (gitignored)
Updates .gitignore to exclude key and swap files
Adds #vars import to package.json scripts

If a .env file exists, vars offers to import it. It reads the key-value pairs, guesses Zod schemas from the values, and encrypts everything before writing.

If config.vars already exists but .varskey is missing (e.g., a fresh clone), running init again detects the incomplete setup and creates the missing key file.

Flags

Flag	Short	Description
`--file <path>`	`-f`	Path to the `.env` file to import (default: `.env`)
`--env <name>`		Environment name for imported values (default: `dev`)

# Import from a non-default path, label values as "staging"
vars init --file .env.staging --env staging

Key Management

Subcommands for managing your encryption key.

Multi-PIN

Owner-scoped PINs for team access control. See Multi-PIN for the full explanation.

Setup & Auth

init

Key Management

Multi-PIN

Diagnostics

On this page

Setup & Auth

init

Key Management

key init — generate a key file

key export — export key for CI

key rotate — re-encrypt with a new key

Multi-PIN

pin create — create a scoped PIN

Revoking an owner PIN

Diagnostics

doctor — run health checks

completions — shell autocomplete

On this page