CLI Reference
Complete reference for all Redshift CLI commands.
Global Options
These options are available for all commands:
| Option | Description |
|---|---|
| --help, -h | Show help for command |
| --version, -v | Show version number |
| --json | Output in JSON format |
| --silent | Disable info messages |
| --debug | Show debug output |
| --config-dir <path> | Override config directory (default: ~/.redshift) |
redshift login
Authenticate with your Nostr identity.
| Flag | Description |
|---|---|
| --nsec <nsec> | Nostr private key (nsec1...) |
| --bunker <uri>, -b | NIP-46 bunker URL |
| --connect, -c | Generate NostrConnect URI for bunker pairing |
| --overwrite | Overwrite existing token if one exists |
Subcommands
login revoke — Revoke auth token (alias for logout). Accepts --yes / -y.
Authentication Methods
- Interactive — Run
redshift loginand you will be prompted for your nsec (hidden input). - Direct nsec — Pass the key directly with the
--nsecflag. - NIP-46 Bunker — Use
--bunker "bunker://..."(always quote the URL). - NostrConnect — Use
--connectto generate a URI for bunker pairing. - Environment variables — Set
REDSHIFT_NSECorREDSHIFT_BUNKERto bypass interactive login.
Examples
# Interactive login (recommended)
redshift login
# Login with nsec
redshift login --nsec nsec1...
# Login via NIP-46 bunker
redshift login --bunker "bunker://pubkey?relay=wss://...&secret=..."
# Generate NostrConnect URI
redshift login --connectredshift logout
Clear stored credentials (nsec from keychain and config file).
| Flag | Description |
|---|---|
| --yes, -y | Proceed without confirmation |
redshift me
Display info about the currently authenticated identity. Shows auth method, public key (npub), and auth source. Also available as redshift whoami. Supports --json.
redshift setup
Configure project and environment for the current directory. Creates a redshift.yaml file.
| Flag | Description |
|---|---|
| --project, -p | Project name |
| --config, -c | Config/environment slug (e.g. dev, staging, prod) |
| --no-interactive | Do not prompt; error if project/config not specified |
Examples
# Interactive setup
redshift setup
# Direct setup
redshift setup -p my-app -c development
# CI/CD (no prompts)
redshift setup --no-interactive -p my-app -c productionThis creates a redshift.yaml file in the current directory:
project: my-app
config: development
relays:
- wss://relay.damus.io
- wss://relay.primal.netredshift run
Run a command with secrets injected as environment variables.
redshift run [options] -- <command> [args...]| Flag | Description |
|---|---|
| --command | Command to execute (alternative to -- syntax) |
| --project, -p | Override project |
| --config, -c | Override config/environment |
| --mount <path> | Write secrets to an ephemeral file (accessible at REDSHIFT_CLI_SECRETS_PATH) |
| --mount-format <fmt> | File format for mount: env or json (default: json) |
| --fallback <file> | Path to fallback file for offline mode |
| --fallback-only | Read all secrets from fallback file only |
| --fallback-readonly | Disable modifying the fallback file |
| --no-fallback | Disable reading/writing fallback file |
| --forward-signals | Forward signals to child process (default: true) |
| --preserve-env <keys> | Comma-separated list of secrets where existing env value takes precedence |
Subcommands
run clean — Delete old fallback files.
Examples
# Run with secrets injected
redshift run -- npm start
redshift run -- python manage.py runserver
# Override environment
redshift run -c production -- npm run deploy
# Mount secrets to file
redshift run --mount secrets.json -- cat secrets.json
redshift run --mount .env --mount-format env -- ./start.sh
# Fallback for offline mode
redshift run --fallback ./fallback.json -- npm start
redshift run --fallback-only -- npm start
# Preserve existing env values
redshift run --preserve-env PORT,HOST -- npm startredshift secrets
Manage secrets. When run without a subcommand, defaults to listing secrets.
| Flag | Description |
|---|---|
| --project, -p | Override project |
| --config, -c | Override config/environment |
| --only-names | Only print secret names, omit values |
| --raw | Print raw secret values without redaction |
secrets get
Get one or more secret values.
redshift secrets get <KEY> [options]| Flag | Description |
|---|---|
| --plain | Print values without formatting |
| --copy | Copy value(s) to clipboard |
| --no-exit-on-missing-secret | Do not exit if secret not found |
secrets set
Set one or more secrets. Accepts KEY VALUE pairs or KEY=VALUE syntax.
redshift secrets set <KEY> <VALUE>
redshift secrets set KEY=VALUE| Flag | Description |
|---|---|
| --no-interactive | Do not allow interactive secret value entry |
secrets delete
Delete one or more secrets.
redshift secrets delete <KEY> [options]| Flag | Description |
|---|---|
| --yes, -y | Proceed without confirmation |
secrets download
Download secrets in various formats.
redshift secrets download [filepath] [options]| Flag | Description |
|---|---|
| --format <type> | Output format: json, env, yaml, docker, env-no-quotes (default: json) |
| --no-file | Print to stdout instead of file |
| --passphrase | Passphrase for encrypting the secrets file |
secrets upload
Upload a secrets file (default: .env). Parses .env format and merges with existing secrets on the relay.
redshift secrets upload [filepath]Examples
# List secrets
redshift secrets
redshift secrets --raw
redshift secrets --json
redshift secrets --only-names
# Get
redshift secrets get API_KEY
redshift secrets get API_KEY --plain
redshift secrets get API_KEY --copy
# Set
redshift secrets set API_KEY sk_live_xxx
redshift secrets set DB_URL 'postgres://...' REDIS_URL 'redis://...'
# Delete
redshift secrets delete OLD_KEY
redshift secrets delete KEY1 KEY2 -y
# Download
redshift secrets download ./secrets.json
redshift secrets download --format=env --no-file
redshift secrets download --format=env ./secrets.env
# Upload
redshift secrets upload .env
redshift secrets upload secrets.jsonredshift configure
View and modify CLI configuration.
| Flag | Description |
|---|---|
| --all | Print all saved options |
Subcommands
configure get [options...]— Get specific config values.configure set key=value [...]— Set config values. Allowed keys:relays,defaultProject,defaultEnvironment.configure unset key [...]— Remove config values.configure reset --yes— Reset configuration to initial state.
Sensitive keys like nsec are blocked from being set via configure.
redshift serve
Start the web administration UI.
| Flag | Description |
|---|---|
| --port, -p | Port to listen on (default: 3000) |
| --host, -H | Host to bind to (default: 127.0.0.1) |
| --open, -o | Open browser automatically |
redshift upgrade
Self-update the CLI binary from GitHub releases. Also available as redshift update.
| Flag | Description |
|---|---|
| --force, -f | Force install even if already on latest version |
| --tag, -t | Install a specific version (e.g. v0.3.0) |
Environment Variables
Redshift respects these environment variables:
| Variable | Description |
|---|---|
| REDSHIFT_NSEC | Private key for CI/CD (bypasses interactive login) |
| REDSHIFT_BUNKER | NIP-46 bunker URL for CI/CD |
| REDSHIFT_CONFIG_DIR | Override config directory (default: ~/.redshift) |
Configuration Files
~/.redshift/config.json
Global auth config containing nsec, bunker, auth method, relays, and defaults.
redshift.yaml
Per-project config specifying the project name, config/environment, and relay URLs. Created by redshift setup.
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Authentication required |
| 3 | Project/environment not configured |