Spin up a temporary web UI for securely entering secret keys and env vars
Project description
🔐 secret-portal
spin up a temporary web UI for securely entering secret keys and environment variables.
why?
entering API keys over messaging apps (telegram, slack, etc.) is sketchy — they get logged, cached, and stored in chat history. this tool spins up a one-time-use web form that saves secrets directly to an env file on your server.
install
uv tool install .
usage
# basic — saves to ~/.env, local only
secret-portal
# expose publicly via cloudflared tunnel (recommended)
secret-portal --tunnel cloudflared
# single key mode with guided instructions
secret-portal -k OPENAI_API_KEY \
-i '<strong>Get your key:</strong><ol><li>Go to platform.openai.com</li><li>Click API Keys</li><li>Create new key</li></ol>' \
-l "https://platform.openai.com/api-keys" \
--link-text "Open OpenAI dashboard →" \
--tunnel cloudflared
# custom env file and timeout
secret-portal -f ~/.secrets/api-keys --timeout 600
the CLI will print a one-time URL with an auth token. open it in your browser, enter your secrets, and hit save. the portal auto-destructs after the first submission.
tunneling
use --tunnel to expose the portal publicly so it's accessible from any device (phone, laptop, etc.).
| provider | flag | cost | notes |
|---|---|---|---|
| cloudflared (recommended) | --tunnel cloudflared |
free | no account needed, no interstitial pages, HTTPS, auto-downloads if missing |
| ngrok | --tunnel ngrok |
free (limited) | requires account + auth, free tier shows an interstitial warning page that blocks mobile/automated use |
| none | (default) | — | binds to 0.0.0.0, requires the port to be open in your firewall/security group |
we recommend cloudflared — it just works. no signup, no config, no interstitial. if the binary isn't installed, secret-portal will download it automatically on first use.
features
- one-time use: portal expires after a single submission
- token auth: URL contains a random 32-byte token — no token, no access
- auto-timeout: shuts down after 5 minutes (configurable) if unused
- merge mode: new secrets are merged into existing env file (won't clobber)
- file permissions: env file is set to
600(owner read/write only) - zero dependencies: pure python stdlib
- single key mode: pre-populate a key name so the user just pastes the value (
-k KEY_NAME) - guided instructions: add step-by-step instructions and a link to the key's console (
-i,-l) - reachability check: warns if the port isn't externally accessible and suggests
--tunnel cloudflared - no value leakage: secret values are never printed to stdout/stderr (tested)
security notes
- cloudflared tunnels use HTTPS automatically
- without a tunnel, the portal runs over HTTP — use behind a reverse proxy or SSH tunnel for production
- the one-time token prevents unauthorized access
- secrets never touch your chat history or terminal logs
- secret values never appear in stdout/stderr (enforced by tests)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file secret_portal-0.1.0.tar.gz.
File metadata
- Download URL: secret_portal-0.1.0.tar.gz
- Upload date:
- Size: 18.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.1 {"installer":{"name":"uv","version":"0.10.1","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b267dbb560e120b39e915412a58ac76c7d755f9dec339531987c01777fde354b
|
|
| MD5 |
f63445d924a48dad6b209582d39e480c
|
|
| BLAKE2b-256 |
5ffbaadd5f9975e20d837db7ef92d3a8c507f3add25a4a4a433546745af9b149
|
File details
Details for the file secret_portal-0.1.0-py3-none-any.whl.
File metadata
- Download URL: secret_portal-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.1 {"installer":{"name":"uv","version":"0.10.1","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e8bd3fc043d3055b24a5152969908119ff083453da362bf8a9e6d6eb8431b7e5
|
|
| MD5 |
a04b4f7c1507180215f93e93e76f68d6
|
|
| BLAKE2b-256 |
90bbd30aa2061f24d5c85d5f2c6fd028c17107761af78b609cbaacd3cf7060e5
|
