CLI Guide

Learn how to get up and running with the Doppler CLI to inject secrets into your applications.


The Doppler CLI provides a consistent experience between developing locally and production. It is a lightweight binary that comes provided in a number of package managers, including Docker.

The Doppler CLI is open source can be found on GitHub.

# GnuPG is required for binary signature verification
brew install gnupg

# Using curl
curl -Ls --tlsv1.2 --proto "=https" --retry 3 | sudo sh

# Using wget
wget -t 3 -qO- | sudo sh

# Using brew (not recommended as auto-update is not supported)
brew install dopplerhq/cli/doppler
scoop bucket add doppler
scoop install doppler
# Add Doppler's RSA key
wget -q -t3 '' -O /etc/apk/keys/[email protected]

# Add Doppler's apk repo
echo '' | tee -a /etc/apk/repositories

# Install latest Doppler CLI
apk add doppler
# Install pre-reqs
sudo apt-get update && sudo apt-get install -y apt-transport-https ca-certificates curl gnupg

# Add Doppler's GPG key
curl -sLf --retry 3 --tlsv1.2 --proto "=https" '' | sudo apt-key add -

# Add Doppler's apt repo
echo "deb any-version main" | sudo tee /etc/apt/sources.list.d/doppler-cli.list

# Fetch and install latest doppler cli
sudo apt-get update && sudo apt-get install -y doppler
# Add Doppler's GPG key
sudo rpm --import ''

# Add Doppler's yum repo
sudo curl -sLf --retry 3 --tlsv1.2 --proto "=https" '' > /etc/yum.repos.d/doppler-cli.repo

# Update packages and install latest doppler cli
sudo yum update && sudo yum install doppler
# Does not rely on package managers
# Recommended for ephemeral environments (e.g. CI jobs)
# Supports Linux, BSD, and macOS

# Requires Curl & GnuPG:
#        Alpine: apk add curl gnupg
#   CentOS/RHEL: yum install -y curl gnupg
# Ubuntu/Debian: apt install -y curl gnupg

(curl -Ls --tlsv1.2 --proto "=https" --retry 3 || wget -t 3 -qO- | sudo sh

Now let's verify the Doppler CLI was installed correctly.

doppler --version


The Doppler CLI requires an API key for authentication. Access can be granted via the login flow for local development or using a Service Token for production environments as it restricts access to a specific config within a Project.

doppler login
# Service Token can be generated using the CLI or the dashboard

echo '' | doppler configure set token --scope /

Accessing Secrets

The Doppler CLI has numerous methods for supplying secrets to your application. See our dedicated Accessing Secrets Guide to learn more.

Setting Secrets

The CLI several easy to use options for setting and importing secrets. See our dedicated Setting Secrets Guide to learn more.

Shell Completion

Command completions are installed automatically. If completions are not working for you, add the following to your ~/.bash_profile or similar:

source <(doppler completion 2> /dev/null)

Running aliased commands

Running aliased commands is currently not supported. To use an alias, source your aliases file before executing your app.

doppler run --command="source ~/.bash_aliases && my_aliased_command"

Multiple workplaces

The Doppler CLI supports multiple workplaces by allowing you to scope your login to a specific directory. Any applications inside your chosen directory (and its sub-directories) will automatically use the correct API key.

# Workplace 1
doppler login --scope ~/workplace-1

# Workplace 2
doppler login --scope ~/workplace-2

Running an alternative shell

When using the --command flag, the Doppler CLI will determine what shell to use based on the SHELL environment variable. The CLI currently supports sh, bash, zsh, dash, fish, ksh, tcsh, and csh. If you are using an alternative shell, the CLI will fall back to sh. You can manually specify your preferred shell.

# e.g. use zsh2
doppler run -- zsh2 -c "printenv DOPPLER_CONFIG"


The Doppler CLI supports updating itself via the doppler update command. This will automatically download and install the latest version of the CLI.

The CLI will also prompt you to update whenever a new version is released.


Windows Users

This command is not supported on Windows. Instead, you may update via scoop update doppler.

List of Commands

  doppler [flags]
  doppler [command]

Available Commands:
  activity     Get workplace activity logs
  changelog    view the CLI's changelog
  completion   Print shell completion script
  configs      Manage configs
  configure    View the config file
  environments Manage environments
  feedback     Provide feedback about the Doppler CLI
  help         Help about any command
  import       Import projects into your Doppler workplace
  login        Authenticate to Doppler
  logout       Log out of the CLI
  open         open the Doppler dashboard
  projects     Manage projects
  run          Run a command with secrets injected into the environment
  secrets      Manage secrets
  settings     Get workplace settings
  setup        Setup the Doppler CLI for managing secrets
  update       update the Doppler CLI

      --api-host string                 The host address for the Doppler API (default "")
      --configuration string            config file (default "/Users/rb/.doppler/.doppler.yaml")
      --dashboard-host string           The host address for the Doppler Dashboard (default "")
      --debug                           output additional information
      --dns-resolver-address string     address to use for DNS resolution (default "")
      --dns-resolver-proto string       protocol to use for DNS resolution (default "udp")
      --dns-resolver-timeout duration   max dns lookup duration (default 5s)
      --enable-dns-resolver             bypass the OS's default DNS resolver
  -h, --help                            help for doppler
      --json                            output json
      --no-check-version                disable checking for Doppler CLI updates
      --no-read-env                     do not read config from the environment
      --no-timeout                      disable http timeout
      --no-verify-tls                   do not verify the validity of TLS certificates on HTTP requests (not recommended)
      --print-config                    output active configuration
      --scope string                    the directory to scope your config to (default ".")
      --silent                          disable output of info messages
      --timeout duration                max http request duration (default 10s)
  -t, --token string                    doppler token
  -v, --version                         Get the version of the Doppler CLI

Use "doppler [command] --help" for more information about a command.

What’s Next