
authy

Inject secrets into subprocesses via environment variables. You never see secret values — authy run injects them directly. Use for any command that needs API keys, credentials, or tokens.

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars: 3,079.

Hot score: 99.

Updated: March 19, 2026.

Overall rating: C (4.0).

Composite score: 4.0.

Best-practice grade: A (92.4).

Install command

npx @skill-hub/cli install openclaw-skills-authy

Repository

openclaw/skills

Skill path: skills/eric8810/authy

Best for

Primary workflow: Ship Full Stack.

Technical facets: Full Stack, Backend.

Target audience: everyone.

License: MIT.

Original source

Catalog source: SkillHub Club.

Repository owner: openclaw.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install authy into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/openclaw/skills before adding authy to shared team environments
  • Use authy for development workflows

Works across

Claude Code, Codex CLI, Gemini CLI, OpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: authy
description: "Inject secrets into subprocesses via environment variables. You never see secret values — authy run injects them directly. Use for any command that needs API keys, credentials, or tokens."
license: MIT
compatibility: Requires `authy` on PATH. Auth via AUTHY_TOKEN (run-only) + AUTHY_KEYFILE.
metadata:
  author: eric8810
  version: "0.3.0"
  homepage: https://github.com/eric8810/authy
  openclaw:
    requires:
      bins: ["authy"]
      env: ["AUTHY_KEYFILE", "AUTHY_TOKEN"]
      files: ["$AUTHY_KEYFILE"]
---

# Authy — Secure Secret Injection

Inject secrets into subprocesses as environment variables. You never see, handle, or log secret values.

## How It Works

Your token is run-only. You can discover secret **names** with `authy list` and inject them into subprocesses with `authy run`. You never see secret values directly.

## Inject Secrets into a Command

```bash
authy run --scope <policy> --uppercase --replace-dash '_' -- <command> [args...]
```

The `--uppercase --replace-dash '_'` flags turn secret names like `db-host` into env vars like `DB_HOST`.

Examples:
```bash
authy run --scope deploy --uppercase --replace-dash '_' -- ./deploy.sh
authy run --scope backend --uppercase --replace-dash '_' -- node server.js
authy run --scope testing --uppercase --replace-dash '_' -- pytest
```

## Discover Secret Names

```bash
authy list --scope <policy> --json
```

Output: `{"secrets":[{"name":"db-host","version":1,...}]}`

## Write Scripts That Use Secrets

Write code that reads environment variables, then run it with `authy run`:

```bash
cat > task.sh << 'EOF'
#!/bin/bash
curl -H "Authorization: Bearer $API_KEY" https://api.example.com/data
EOF
chmod +x task.sh
authy run --scope my-scope --uppercase --replace-dash '_' -- ./task.sh
```

## Error Codes

| Code | Meaning |
|------|---------|
| 0 | Success |
| 2 | Auth failed — check AUTHY_TOKEN / AUTHY_KEYFILE |
| 3 | Secret or policy not found |
| 4 | Access denied or run-only restriction |
| 6 | Token invalid, expired, or revoked |

## Rules

1. **Only use `authy run` and `authy list`** — these are the only commands available to you
2. **Never hardcode credentials** — reference env vars, run via `authy run`
3. **Never echo, print, or log env vars** in subprocess scripts — secrets exist in memory only
4. **Never redirect env vars to files** — do not write `$SECRET` to disk
5. **Use `--scope`** to limit access to needed secrets only
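
A pre-flight check for rules 3 and 4, as an added example that is not part of authy or the original skill: it derives env var names from `authy list` output using the naming transform described earlier and flags script lines that print them, dump the environment, or enable xtrace. The sample JSON, the function names (`authy_env_name`, `secret_env_names`, `lint_script`) and the prefix handling are assumptions, and the check is a text heuristic, not a shell parser.

```bash
#!/bin/sh
# Added example (not authy's own code): lint a script before `authy run`.
# Constructed sample of `authy list --scope <policy> --json` output.
SAMPLE_LIST='{"secrets":[{"name":"db-host","version":1},{"name":"api-key","version":2}]}'

# Naming transform from the page: --uppercase --replace-dash '_' [--prefix P].
# Assumption: the prefix is prepended as given, after the name is transformed.
authy_env_name() {  # usage: authy_env_name <secret-name> [prefix]
  printf '%s%s\n' "${2:-}" \
    "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/-/_/g')"
}

# Print the env var name for every secret in the list JSON.
# Simplification: grep/sed extraction; use jq where it is installed.
secret_env_names() {  # usage: secret_env_names <list-json> [prefix]
  printf '%s\n' "$1" | grep -oE '"name"[[:space:]]*:[[:space:]]*"[^"]*"' |
    sed 's/.*:[[:space:]]*"//; s/"$//' |
    while IFS= read -r name; do authy_env_name "$name" "${2:-}"; done
}

# Report lines that would leak injected values; returns 1 if any are found.
lint_script() {  # usage: lint_script <script-file> <list-json> [prefix]
  found=0
  # Environment dumps and xtrace expose every injected value at once.
  dump='^[[:space:]]*(env|printenv|export -p|set -[a-z]*x[a-z]*|set -o xtrace)'
  hits=$(grep -nE "$dump"'[[:space:]]*([|>].*)?$' "$1" || true)
  if [ -n "$hits" ]; then
    printf '%s: dumps env or traces expanded commands:\n%s\n' "$1" "$hits"
    found=1
  fi
  for var in $(secret_env_names "$2" "${3:-}"); do
    # Matches $VAR and ${VAR...} but not a longer name such as $VAR_ID.
    ref='\$\{?'"$var"'([^A-Za-z0-9_]|$)'
    hits=$(grep -nE "(^|[;&|[:space:]])(echo|printf|print)[[:space:]].*$ref" "$1" || true)
    if [ -n "$hits" ]; then
      printf '%s: prints $%s:\n%s\n' "$1" "$var" "$hits"
      found=1
    fi
  done
  return "$found"
}

# Demo on a constructed script: two leaking lines and one safe line.
demo=$(mktemp)
printf '%s\n' 'set -x' 'echo "key is $API_KEY"' \
  'curl -H "Authorization: Bearer $API_KEY" https://api.example.com/data' > "$demo"
lint_script "$demo" "$SAMPLE_LIST" || echo "lint failed: fix before authy run"
rm -f "$demo"
```

The `set -x` check matters because xtrace writes each command with its variables already expanded, so a line that never prints a secret explicitly still ends up in the trace output.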


---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### _meta.json

```json
{
  "owner": "eric8810",
  "slug": "authy",
  "displayName": "Authy",
  "latest": {
    "version": "0.3.0",
    "publishedAt": 1771463246071,
    "commit": "https://github.com/openclaw/skills/commit/d0cf28800a9969ad45161138de437e964bcb7a01"
  },
  "history": [
    {
      "version": "0.2.2",
      "publishedAt": 1771377793192,
      "commit": "https://github.com/openclaw/skills/commit/64c80107a3d63230cf857b184548e105d0a2f54d"
    }
  ]
}

```

### references/commands.md

````markdown
# Authy Command Reference

## Agent Commands

| Command | Purpose |
|---------|---------|
| `authy run --scope <s> -- <cmd>` | Inject secrets into a subprocess |
| `authy list --json` | List all secret names (no values) |
| `authy list --scope <s> --json` | List secrets filtered by policy |
| `authy policy test --scope <s> <name> --json` | Check if a secret is accessible |

## Naming Transforms

Given a secret named `db-host`:

| Flags | Env Var |
|-------|---------|
| `--uppercase --replace-dash '_'` | `DB_HOST` |
| `--prefix 'APP_' --uppercase --replace-dash '_'` | `APP_DB_HOST` |

## Common Patterns

```bash
# Launch a service
authy run --scope backend --uppercase --replace-dash '_' -- node server.js

# Run tests with credentials
authy run --scope testing --uppercase --replace-dash '_' -- pytest tests/

# Check what secrets exist
authy list --scope deploy --json | jq '.secrets[].name'

# Write a script, then run it with secrets
cat > task.sh << 'SCRIPT'
#!/bin/bash
psql "$DATABASE_URL" -c "SELECT 1"
SCRIPT
chmod +x task.sh
authy run --scope db --uppercase --replace-dash '_' -- ./task.sh
rm task.sh
```

## Notes

- Your token is run-only — only the commands listed above are available
- Secrets are injected into subprocesses as env vars and never written to disk
- Do not echo, print, or redirect environment variables containing secrets

````
