ish secret list
List secret keys for the active workspace (values never returned)
Usage: ish secret list [options]
Options
Workspace ID; defaults to active workspace
ish secret set
Create or update a workspace secret
Usage: ish secret set <key> [value] [options]
Arguments
key
Secret key (uppercase, e.g. GROQ_API_KEY) (required)
value
Secret value. Omit when using —value-file or —value-stdin. (optional)
Options
Read the value from a file on disk (use ”-” for stdin)
Read the value from stdin (alias for —value-file -)
Optional description (what this secret is used for)
Visibility scope: agent | project (default: agent) Default: “agent”.
Workspace ID; defaults to active workspace
ish secret delete
Delete a workspace secret by key
Usage: ish secret delete <key> [options]
Arguments
key
Secret key to delete (required)
Options
Workspace ID; defaults to active workspace
Skip confirmation prompt (required in —json or non-TTY contexts)
Global flags
Every command accepts the global flags.output the version number
Auth token (or set ISH_TOKEN env var)
Read auth token from a file (preferred over —token / ISH_TOKEN)
Default workspace ID; per-subcommand —workspace overrides
Output as JSON (auto-enabled when piped)
Extract a single field from the JSON response and print only its value (implies —json internally; supports dotted paths e.g. person.name)
Force human-readable output even when stdout is piped (overrides JSON-when-piped auto-detection)
Comma-separated fields to include in JSON output (e.g. alias,name,status)
Include full UUIDs and timestamps in JSON output
Disable colored output (also honored: NO_COLOR env var)
Suppress progress messages on stderr (no-op for read commands that emit none)