MarketDeck docs
secrets
Inspect, test, export metadata for, plan rotation for, and remove stored credentials without printing secret values.
marketdeck secrets is the metadata-only credential surface. It reports what is configured, tests whether references are readable, creates rotation plans, exports non-secret metadata, and removes individual secret entries. It never prints private keys, API keys, bot tokens, or other secret values.
Secrets are still written through the dedicated commands that read from STDIN, such as marketdeck wallets set-secret and marketdeck openrouter set-key. The secrets command is for inventory, diagnostics, planning, and controlled removal.
Usage#
marketdeck secrets <subcommand> [flags]Subcommands#
| Subcommand | What it does |
|---|---|
status | Show keyring backend status, libsecret/vault presence, metadata index presence, and secret-id counts. |
list [--scope S] | List only secret ids, scopes, and metadata. S is wallet, openrouter, telegram, or all. Values are never returned. |
doctor | Check wallet secrets, OpenRouter, Telegram, and keyring bridge health. |
test [--scope S] [--ref R] [--live] | Test referenced credentials without printing values. --live may call remote provider APIs. |
rotate-plan [--scope S] [--ref R] [--out PATH] | Create a manual credential rotation checklist. It does not rotate anything automatically. |
export-metadata [--out PATH] | Export status, inventory, and doctor metadata only. No secret values are included. |
unset --scope S --id ID --yes / unset --scope S --ref REF --yes | Remove one stored secret entry. S is wallet, openrouter, or telegram. The explicit --yes gate is required. |
Examples#
marketdeck secrets status --format text
marketdeck secrets list --scope wallet --format json
marketdeck secrets doctor --format json
marketdeck secrets test --scope wallet --ref live
marketdeck secrets test --scope openrouter --live
marketdeck secrets rotate-plan --scope all --out /tmp/marketdeck-secrets-rotate.json
marketdeck secrets export-metadata --out /tmp/marketdeck-secrets-metadata.json
marketdeck secrets unset --scope wallet --ref live --yesSafe secret input#
Secret values are not accepted by marketdeck secrets. Use the existing write paths that read from STDIN:
echo -n '0xPRIVATEKEY...' | marketdeck wallets set-secret live
echo -n '{"apiKey":"...","apiSecret":"..."}' | marketdeck wallets set-secret binance-main
echo -n 'sk-or-v1-...' | marketdeck openrouter set-keyThat keeps values out of shell argv, /proc/<pid>/cmdline, and process listings. Prefer a shell history configuration that does not store pasted secrets, or use an interactive stdin prompt when available.
Metadata exports#
export-metadata is deliberately non-secret. The payload can include:
- keyring backend availability
- libsecret / vault metadata
- secret ids and scopes
- wallet names, ids, types, and exchanges
- OpenRouter and Telegram presence/configuration status
- doctor findings
It does not include private keys, OpenRouter API keys, Telegram bot tokens, API secrets, or wallet signing material.
Rotation plans#
rotate-plan produces a checklist, not an automatic rotation. For wallets, it tells you to create a new exchange credential, pipe it into marketdeck wallets set-secret, test the metadata path, then revoke the old credential at the exchange. OpenRouter and Telegram follow the same manual pattern: create a new provider credential, store it through the safe CLI/UI path, test, then revoke the old one.
WebUI and GNOME#
Both official plugins consume this command instead of implementing their own secret inspection logic:
- WebUI
/diagnosticsexposes secret diagnostics, metadata export, and rotation plan download. - WebUI
/walletsshows per-wallet credential status and can unset a stored wallet secret after confirmation. - GNOME Preferences shows credential diagnostics, metadata export, rotation plan creation, per-wallet status, and confirmed unset.
The plugins do not print secret values and do not store credentials of their own.