Skip to main content

import

Import secrets from a file or migrate directly from another secrets platform.

Usage

envshed import <file> [options]           # from a file
envshed import --from doppler [options]   # from Doppler

Supported file formats: .env, .json, .yaml, .yml, .csv. The format is auto-detected from the file extension. Use --format to override.

Supported external sources for --from: doppler. See Migrate from Doppler for the full walkthrough.

Options

OptionDescription
<file>Path to the file to import (omit when using --from)
--format <format>Format override: env, json, yaml, csv
--forceOverwrite existing secrets without confirmation
--from <source>Migrate from an external source. Currently supported: doppler
--token <token>API token for the --from source (Doppler service account token). Env: DOPPLER_TOKEN
--doppler-project <name>Doppler project to migrate (omit to migrate every accessible project)
--doppler-config <name>Doppler config to migrate. Requires --doppler-project
--doppler-api-url <url>Override the Doppler API base URL (defaults to https://api.doppler.com)
--config-map <pairs>Rename Doppler configs during import, e.g. prd=production,stg=staging
--dry-runPrint the migration plan without writing anything (Doppler only)
-o, --org <slug>Organization slug
-p, --project <slug>Project slug
-e, --env <slug>Target environment slug

Format Support

.env files

Standard KEY=VALUE format. Multiline values in double-quoted strings are supported:

DATABASE_URL=postgres://localhost/mydb
PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAK...
-----END RSA PRIVATE KEY-----"

JSON files

Flat key-value object:

{
  "DATABASE_URL": "postgres://localhost/mydb",
  "API_KEY": "secret123"
}

Also supports Infisical's export format (array of objects with key and value fields).

YAML files

Flat key-value mapping:

DATABASE_URL: postgres://localhost/mydb
ENABLE_FEATURE: "no"

Note: Values that look like YAML booleans (yes, no, true, false, on, off) are always imported as strings. Use quotes if you want to be explicit.

CSV files

CSV with a header row containing key and value columns:

key,value
DATABASE_URL,postgres://localhost/mydb
API_KEY,secret123

Quoted fields containing commas or newlines are handled correctly.

Conflict Detection

Before writing, the CLI fetches existing secrets and checks for conflicts. If any existing keys would be overwritten with a different value, you are prompted to confirm:

The following existing secrets would be overwritten:

  ~ DATABASE_URL (will be overwritten)

Continue and import? (y/N)

Use --force to skip this confirmation.

Migrating from Doppler

# Dry run — list every project/config that would be migrated
envshed import --from doppler --token dp.sa.xxxx --org my-org --dry-run

# Full migration: create every matching Envshed project+env and push secrets
envshed import --from doppler --token dp.sa.xxxx --org my-org

# Migrate one Doppler project, rename its configs
envshed import --from doppler \
  --token dp.sa.xxxx \
  --org my-org \
  --doppler-project backend \
  --config-map "prd=production,stg=staging"

See Migrate from Doppler for the full guide, including how to generate a read-only Doppler service account token and map personal configs.

Examples

# Import from a .env file (auto-detected)
envshed import .env

# Import a JSON export with explicit format
envshed import secrets.json --format json

# Import to a specific environment without confirmation
envshed import production.env --env production --force

# Import from a different directory
envshed import /path/to/export.yaml