CLI Reference
Commands
bwenv init
Launch the interactive setup wizard to configure secrets for the current directory.
bwenv init
Flow:
- Detects available password manager CLIs
- Prompts you to select a provider (Bitwarden or 1Password)
- Authenticates with the selected provider
- Lists folders/vaults — browse with arrow keys, search by typing
- Previews the environment variables that will be exported
- Generates an .envrc file and auto-approves it via direnv
Example:
$ bwenv init
? Select a provider: Bitwarden
Unlocking vault...
? Select a folder: Production API Keys
Found 12 environment variables from 5 items
Generated .envrc — secrets will load automatically via direnv
bwenv export
Export secrets as export KEY=VALUE lines to stdout (non-interactive).
bwenv export --provider <provider> --folder <folder>
Flags:
- --provider — bitwarden or 1password
- --folder — folder name (Bitwarden) or vault name (1Password)
Examples:
# Print export lines
bwenv export --provider bitwarden --folder "MySecrets"
# Load into current shell
eval "$(bwenv export --provider bitwarden --folder "MySecrets")"
# 1Password
eval "$(bwenv export --provider 1password --folder "Production")"
bwenv login
Re-authenticate with the provider configured in the current .envrc.
bwenv login
Aliases: bwenv auth
Behavior:
- Reads the existing .envrc to detect which provider and folder are configured
- Re-authenticates with that provider (unlock/sign in)
- Updates the session token in .envrc
- Auto-approves the updated .envrc via direnv
Use this when your vault session has expired — it’s faster than bwenv init because it skips provider and folder selection.
Example:
$ bwenv login
Re-authenticating with Bitwarden...
Enter master password:
Session updated in .envrc
bwenv logout
Lock all vaults and terminate active sessions.
bwenv logout
Behavior:
- Bitwarden — runs bw lock to lock the vault
- 1Password — runs op signout to end the session
- Shows any lingering session environment variables and how to clear them
bwenv status
Show a comprehensive overview of your current bwenv state.
bwenv status
Shows:
- Current directory and .envrc info (provider, folder)
- direnv installation and hook status
- Provider CLI availability and active sessions
- Relevant environment variables (masked for security)
- Current config preferences
bwenv config
Open the interactive settings editor.
bwenv config
Settings:
| Setting | Default | Description |
|---|---|---|
| Show Emoji | ON | Display emoji icons in output |
| Show Direnv Output | OFF | Show/hide direnv’s loading/unloading messages |
| Show Export Summary | ON | Show the boxed summary when secrets are loaded via direnv |
| Auto Sync | ON | Automatically sync vault before fetching secrets (Bitwarden) |
Settings persist to ~/.config/bwenv/config.json.
bwenv allow
Approve the .envrc file in the current directory for direnv.
bwenv allow
Equivalent to direnv allow. In TTY mode, also re-authenticates and updates the session if needed.
bwenv disallow
Revoke direnv approval for the .envrc in the current directory.
bwenv disallow
Equivalent to direnv revoke.
bwenv remove
Delete the .envrc file from the current directory.
bwenv remove
bwenv version
Display the version string.
bwenv version
bwenv help
Show usage information and available commands.
bwenv help
bwenv --help
bwenv -h
Exit Codes
- 0 — Success
- 1 — General error (authentication failure, missing dependencies, etc.)
Environment Variables
| Variable | Description |
|---|---|
| BW_SESSION | Bitwarden session token (auto-managed by bwenv) |
| OP_SERVICE_ACCOUNT_TOKEN | 1Password service account token (for CI/CD) |
Output
All custom fields (Bitwarden) or item fields (1Password) from the selected folder/vault become environment variables:
# After bwenv init + direnv allow:
echo $DATABASE_URL
echo $API_KEY
echo $JWT_SECRET
Generated .envrc Format
The generated .envrc contains a single eval call:
# bwenv: provider=bitwarden folder="My Secrets"
# Run bwenv login to re-authenticate if session expires
eval "$(BW_SESSION='...' bwenv export --provider bitwarden --folder 'My Secrets')"
No secrets are stored on disk (except session tokens which expire). The .envrc fetches secrets live from your vault each time direnv loads it.
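Because the generated .envrc carries the session token inline, the file should be treated as a credential while the session is valid. The following check is an added example, not part of bwenv or its documentation; the function name audit_envrc and its return codes are assumptions made for illustration, and it relies only on the file layout shown above.

```shell
#!/bin/sh
# Added example, not bwenv's own code. Audits a bwenv-generated .envrc,
# assuming the layout shown above: a "# bwenv: provider=..." header and an
# eval line carrying BW_SESSION='...' inline.
# Usage: audit_envrc [path]   (default: ./.envrc)
# Returns 0 if clean, 1 if there are findings, 2 if the file is not bwenv's.
audit_envrc() {
    file=${1:-.envrc}
    findings=0

    # Only handle files that carry the bwenv header comment.
    header=$(grep '^# bwenv: provider=' "$file" 2>/dev/null | head -n 1)
    if [ -z "$header" ]; then
        echo "SKIP: $file has no bwenv header"
        return 2
    fi
    provider=$(printf '%s\n' "$header" | sed 's/^# bwenv: provider=\([^ ]*\).*/\1/')
    echo "INFO: provider=$provider"

    # An inline session token makes the file itself a credential.
    if grep -q "BW_SESSION='[^']\{1,\}'" "$file"; then
        echo "INFO: inline BW_SESSION present"

        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$file" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FINDING: $file is accessible to group/other ($perms); chmod 600 it"
            findings=1
        fi

        # Inside a git work tree the file should be ignored, never committed.
        dir=$(dirname "$file")
        if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
           ! git -C "$dir" check-ignore -q "$(basename "$file")"; then
            echo "FINDING: $file is not ignored by git; add .envrc to .gitignore"
            findings=1
        fi
    fi
    return "$findings"
}
```

Source the function and call audit_envrc in a project directory after bwenv init or bwenv login, since both rewrite the file.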
Shell Aliases
Useful additions to your shell config:
alias bwl='bwenv login'
alias bws='bwenv status'
alias bwi='bwenv init'
alias bwr='bwenv remove'