Relic is the secrets layer developers actually trust. Manage and share secrets from the CLI, TUI, or web dashboard while everything stays encrypted on your device.

Prerequisites

Relic runs in the terminal. For the best experience with the TUI, use a modern terminal emulator:
Other terminals work for the CLI, but may have rendering issues with colors and UI elements in the TUI.

Installation

curl -fsSL https://relic.so/install | bash
You can also download prebuilt binaries from the GitHub Releases page.
Windows is not officially supported yet. You can use Relic through WSL, but expect issues.

How Relic Is Organized

Secrets in Relic follow a hierarchical structure:
Project
└── Environment (development, staging, production, ...)
    ├── Secret
    ├── Secret
    └── Folder (optional)
        ├── Secret
        └── Secret
  • Project: A container for all secrets related to an application or service.
  • Environment: Separates secrets by deployment target. Every project has at least one.
  • Folder: Optional grouping within an environment. Useful for organizing secrets by service or domain (e.g. database, api, web).
  • Secret: A key-value pair. The key is stored in plaintext, the value is encrypted with AES-256-GCM.
When you run relic run -e production, all secrets in that environment are injected. Add -f database to include only secrets from a specific folder.

Getting Started

1. Sign in

Open the TUI and sign in with your Google or GitHub account:
relic
You can also sign in directly from the CLI:
relic login
Both methods use device authorization. A browser window opens, you approve the request, and the session is stored locally.
2. Manage secrets

After signing in, the TUI opens your project list. From here you can:
  • Create projects
  • Add environments (development, staging, production)
  • Create and organize secrets within environments
See TUI guide for details.
3. Initialize your project

Navigate to the root of your project and run:
relic init
This creates:
  • relic.toml with your project ID
  • .relic/ directory for local cache
Add .relic/ to your .gitignore to keep cache files out of version control.
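A check for the .gitignore step above, added here as an example and not part of Relic or its documentation. It assumes only the .relic/ directory name given on this page; the function name check_relic_ignored is hypothetical. It also catches the case where cache files were staged before the ignore rule existed, which an ignore rule alone does not undo.

```bash
#!/usr/bin/env bash
# Added example: confirm Relic's local cache directory cannot end up in git.
# Usage: check_relic_ignored [repo_dir]    (repo_dir defaults to ".")
# Returns 0 if clean, 1 if .relic/ is unignored or already tracked,
# 2 if repo_dir is not a git working tree.
check_relic_ignored() {
    local repo="${1:-.}"
    local status=0
    local tracked

    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "error: $repo is not a git working tree" >&2
        return 2
    fi

    # 1. An ignore rule must cover paths inside .relic/.
    #    --no-index evaluates the ignore rules only, independent of the index.
    #    ".relic/probe" is a constructed path; it does not need to exist.
    if ! git -C "$repo" check-ignore -q --no-index .relic/probe; then
        echo "FAIL: no ignore rule covers .relic/ (add '.relic/' to .gitignore)" >&2
        status=1
    fi

    # 2. Ignore rules do not untrack files that are already in the index,
    #    so list anything under .relic/ that git is tracking.
    tracked="$(git -C "$repo" ls-files -- .relic)"
    if [ -n "$tracked" ]; then
        echo "FAIL: cache files are tracked; run: git rm -r --cached .relic" >&2
        printf '%s\n' "$tracked" | sed 's/^/  /' >&2
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: .relic/ is ignored and untracked"
    return "$status"
}
```

Called from a pre-commit hook or a CI step, a non-zero return stops the commit or build before cache files reach the repository.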
4. Inject secrets

Run any command with secrets injected as environment variables:
relic run -e development -- bun run dev
Secrets are decrypted locally and passed to your process at runtime. Nothing is written to disk. See CLI guide for all available options.
Last modified on May 2, 2026