diff4

CLI

The diff4 command-line tool for sharing encrypted diffs and files.

The diff4 CLI lets you share encrypted diffs and file bundles directly from your terminal. It runs git diff locally, encrypts the output with AES-256-GCM, and posts it to the diff4 server — no plaintext ever leaves your machine.

All content is end-to-end encrypted. The server only stores the encrypted blob. Viewers must enter the correct passphrase to decrypt.

Installation

npm install -g @diff4/cli
bun add -g @diff4/cli

Download the latest binary for your platform from the releases page:

PlatformFile
macOS (Apple Silicon)diff4-darwin-arm64
macOS (Intel)diff4-darwin-x64
Linux (ARM64)diff4-linux-arm64
Linux (x64)diff4-linux-x64
Linux (ARM64, musl)diff4-linux-arm64-musl
Linux (x64, musl)diff4-linux-x64-musl
Windows (x64)diff4-windows-x64.exe
chmod +x diff4-darwin-arm64
./diff4-darwin-arm64 --help

Commands

diff4 git-latest

Diff the latest commit (git diff HEAD~1), encrypt the result, and share it via the diff4 server.

diff4 git-latest

The output contains the shareable preview URL:

{
  "id": "A3KX9M",
  "preview_url": "https://diff4.com/p/A3KX9M"
}

Share both the preview_url and the passphrase with your reviewer. They will need the passphrase to decrypt and view the diff.

diff4 git-staged

Diff the currently staged changes (git diff --staged), encrypt the result, and share it.

diff4 git-staged

Useful for sharing a preview of what you're about to commit.

diff4 files <paths...>

Read one or more files, encrypt them as a bundle, and share via the diff4 Files API.

diff4 files src/auth.ts src/utils.ts

The viewer displays a two-panel layout with a file list and content viewer.

diff4 key-gen [key]

Generate and save an encryption key to your shell config as DIFF4_PASSPHRASE. If no key is provided, a random 8-character key is generated.

# Generate a random key
diff4 key-gen

# Use a custom key
diff4 key-gen my-secret-key

This writes export DIFF4_PASSPHRASE="..." to your shell config file (.zshrc, .bashrc, or .profile), updating it if already set. After running, source your config or restart your terminal:

source ~/.zshrc

diff4 key-get

Print the current encryption key from the DIFF4_PASSPHRASE environment variable or shell config.

diff4 key-get

Global Options

All commands support these options:

FlagShortDescriptionDefault
--server <url>-sdiff4 server URLhttps://diff4.com
--passphrase <pass>-pEncryption passphraseDIFF4_PASSPHRASE env
--version-VPrint CLI version
--help-hPrint help

Passphrase

The passphrase is used to derive an AES-256-GCM encryption key via PBKDF2 (600,000 iterations). You can provide it in two ways, in order of priority:

  1. -p / --passphrase flag — pass directly on the command line
  2. DIFF4_PASSPHRASE environment variable — set via diff4 key-gen

If neither is set, the CLI will exit with a message to run diff4 key-gen.

Avoid passing passphrases via the -p flag in shared environments. The passphrase may appear in shell history. Prefer diff4 key-gen.

Environment Variables

VariableDescriptionDefault
DIFF4_SERVEROverride the default server URLhttps://diff4.com
DIFF4_PASSPHRASEDefault encryption passphrase

Examples

Share the latest commit

$ diff4 git-latest
{
  "id": "A3KX9M",
  "preview_url": "https://diff4.com/p/A3KX9M"
}

Share staged changes with a passphrase

$ diff4 git-staged -p my-secret
{
  "id": "K7PN2R",
  "preview_url": "https://diff4.com/p/K7PN2R"
}

Encryption

End-to-end encryption reference for the Diff and Files APIs.

Diff API

Create shareable diff previews via the REST API.

On this page

InstallationCommandsdiff4 git-latestdiff4 git-stageddiff4 files <paths...>diff4 key-gen [key]diff4 key-getGlobal OptionsPassphraseEnvironment VariablesExamplesShare the latest commitShare staged changes with a passphrase