@lockzero/render-lockzero

@lockzero/render-lockzero

Sync secrets from your LockZero vault into Render.com environment variables via the Render API v1.

Installation

npm install -g @lockzero/render-lockzero

Or use npx:

npx @lockzero/render-lockzero sync --help

CLI Usage

lockzero-render sync \
  --lz-key    lz_live_... \
  --render-key rnd_... \
  --service   srv_... \
  --namespaces openai,stripe \
  --prefix     ""

Options

Flag	Required	Default	Description
--lz-key	Yes*	LOCKZERO_API_KEY env	LockZero API key
--render-key	Yes*	RENDER_API_KEY env	Render API key from render.com/u/settings
--service	Yes	—	Render service ID (e.g. srv_abc123)
--namespaces	Yes	—	Comma-separated LockZero namespaces
--prefix	No	""	Prefix for injected variable names

*Can also be set via environment variable.

How it works

• Fetches existing Render env vars for the service (to preserve non-LockZero variables).
• For each namespace, fetches all fields from LockZero via GET /api/credentials/:namespace.
• Merges the new values into the existing set (LockZero values take precedence for matching keys).
• Writes the merged set back via PUT /services/:id/env-vars.

Render's PUT /env-vars is a full-replace operation, so the merge step ensures you don't accidentally delete manually-set variables.

Programmatic API

import { syncToRender } from "@lockzero/render-lockzero";

const result = await syncToRender({
  lzApiKey:    "lz_live_...",
  renderApiKey: "rnd_...",
  serviceId:   "srv_...",
  namespaces:  ["openai", "stripe"],
  prefix:      "",
});

console.log(`Synced ${result.synced} variables`);
if (result.errors.length) {
  console.error("Errors:", result.errors);
}

Getting a Render API Key

• Go to https://render.com/u/settings
• Scroll to API Keys → Create API Key.
• Use it as --render-key or RENDER_API_KEY.

Finding your Service ID

In the Render dashboard, open your service. The ID is in the URL: https://dashboard.render.com/web/srv-XXXXX → service ID is srv-XXXXX.