# SDK-Only Secrets

> Use local Fentaris secrets commands without a generated Fentaris project.

SDK-only projects can use `@fentaris/core` and the `fentaris secrets` commands without creating `fentaris.json`. The CLI discovers the nearest `package.json` that depends on `@fentaris/core`.

## Quick Start

Install the core package and CLI:

```bash
pnpm add @fentaris/core
pnpm add -D @fentaris/cli
```

Add Fentaris metadata to `package.json`:

```json
{
  "dependencies": {
    "@fentaris/core": "^2.0.0"
  },
  "fentaris": {
    "entrypoint": "src/server.ts",
    "authDir": ".fentaris"
  }
}
```

Declare the credential reference and its encrypted local source in the entrypoint:

```ts
import {
  bearer,
  credential,
  credentialJson,
  fentaris,
  mcp,
  streamableHttp,
} from "@fentaris/core";

const app = fentaris({
  defaults: {
    credentials: {
      "github.token": credentialJson("defaults.github.token"),
    },
  },
  servers: [
    mcp("github", {
      transport: streamableHttp({ url: "https://github.example/mcp" }),
      auth: bearer(credential("github.token")),
    }),
  ],
});

await app.start({ port: 4000, path: "/mcp" });
```

Generate the committed manifest:

```bash
fentaris secrets manifest --entrypoint src/server.ts
```

Store local values without putting them in shell history:

```bash
export FENTARIS_AUTH_KEY="local-encryption-key"
printf '%s' "$GITHUB_TOKEN" | fentaris secrets set github.token --value-stdin --non-interactive
```

The default-scope CLI command writes `defaults.github.token`, matching the `credentialJson(...)` declaration. Use `--user <id>` or `--group <id>` only when the TypeScript configuration declares the corresponding user or group credential source.

## What To Commit

Commit the manifest and the package metadata:

```txt
package.json
.fentaris/secrets.manifest.json
```

Do not commit the encrypted local credential store:

```txt
.fentaris/credentials.enc.json
```

<Note>
  `.fentaris/secrets.manifest.json` contains reference names and scopes only. It is the schema teammates and CI need; it does not contain secret values.
</Note>
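
A pre-commit or CI guard for the commit rules above, as an added example that is not part of the Fentaris CLI or its documentation. The function name `check_fentaris_tracked` is hypothetical, and the script assumes both files sit under the package's `authDir` (`.fentaris` unless another directory is passed).

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper, not shipped with Fentaris).
# Reads tracked paths on stdin, one per line, as printed by `git ls-files`.
# Assumption: the manifest and the credential store both live under authDir.
# Usage inside a repository: git ls-files | check_fentaris_tracked [authDir]
#
# Return codes:
#   0  manifest is tracked and no credential store is tracked
#   1  manifest is missing from the tracked files
#   2  an encrypted credential store is tracked (takes priority over 1)

check_fentaris_tracked() {
  auth_dir="${1:-.fentaris}"
  store="$auth_dir/credentials.enc.json"
  manifest="$auth_dir/secrets.manifest.json"
  found_manifest=0
  leaked=0

  # `|| [ -n "$path" ]` keeps a final line that has no trailing newline.
  while IFS= read -r path || [ -n "$path" ]; do
    case "$path" in
      # Match at the repo root or inside any nested package (monorepo).
      "$store"|*/"$store")
        printf 'tracked credential store: %s\n' "$path" >&2
        leaked=1
        ;;
      "$manifest"|*/"$manifest")
        found_manifest=1
        ;;
    esac
  done

  if [ "$leaked" -eq 1 ]; then
    return 2
  fi
  if [ "$found_manifest" -eq 0 ]; then
    printf 'manifest not tracked: %s\n' "$manifest" >&2
    return 1
  fi
  return 0
}
```

The function reports every tracked copy of the store on stderr before returning, so a monorepo with several affected packages shows all of them in one run.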

## Validate In CI

Use manifest check mode to catch stale credential declarations:

```bash
fentaris secrets manifest --entrypoint src/server.ts --check
```

Run `fentaris secrets doctor` locally when a teammate cannot start the proxy because a required credential is missing.

## Related Documentation

* [Config file](/reference/config-file)
* [CLI Usage](/reference/cli)
* [Governance auth](/guides/governance-auth)
* [Security](/guides/security)
