Tokens & Grammar
envctl uses a flexible token system to resolve dynamic values in your configuration. Tokens are enclosed in double curly braces: {{ token }}.
Token Types
There are three primary types of tokens supported by envctl:
| Type | Syntax | Resolution |
|---|---|---|
| Variable | {{ IDENT }} | Resolves to a value defined in the [generators] section. |
| Secret | {{ secret:IDENT }} | Resolves to the contents of the file at the path stored in the IDENT generator. |
| Provider | {{ provider:NAME.FN }} | Calls a function FN from provider NAME and returns its output. |
Examples
Variable Token
If you have a generator:
toml
[generators]
PROJECT_NAME = "my-awesome-app"You can use it as {{ PROJECT_NAME }} in your configuration or .env template.
Provider Token
Use a provider to generate a secure password:
toml
[secrets.DB_PASSWORD]
value_source = <span v-pre>`{{ provider:password.generate-password }}`</span>Secret Token
If DB_PASS_FILE points to /path/to/password, then {{ secret:DB_PASS_FILE }} will resolve to the password itself.
Grammar Rules
- Identifiers (
IDENT): Must be alphanumeric and can include underscores. - Case Sensitivity: Identifiers are case-sensitive.
- No Nesting: Tokens cannot currently be nested within each other.
- Whitespace: Whitespace inside the curly braces is ignored (e.g.,
{{ IDENT }}is the same as{{IDENT}}).
Token Resolution Order
- Providers: All
provider:NAME.FNtokens in the[generators]section are called first. - Generators: The
[generators]section is processed, resolving any cross-references. - Phase Execution: Tokens in
[envfile],[secrets], and[certs]are resolved using the compiled generators.