diff --git a/deno-secrets-template.ts b/deno-secrets-template.ts
new file mode 100644
index 0000000..a20ecea
--- /dev/null
+++ b/deno-secrets-template.ts
@@ -0,0 +1,51 @@
+#!/usr/bin/env deno
+
+import { Eta } from "https://deno.land/x/eta@v3.1.0/src/index.ts"
+import { InfisicalSDK } from "npm:@infisical/sdk"
+
+import { Logger } from "jsr:@deno-library/logger";
+const logger = new Logger();
+
+import "jsr:@std/dotenv/load";
+
+logger.info("Starting up Infisical SDK")
+
+const client = new InfisicalSDK({
+  siteUrl: "https://secrets.amy.mov"
+});
+
+logger.debug("Authenticating...")
+
+await client.auth().universalAuth.login({
+  clientId: Deno.env.get("INFISICAL_CLIENT_ID") || "",
+  clientSecret: Deno.env.get("INFISICAL_CLIENT_SECRET") || "",
+})
+
+const projectId = Deno.env.get("INFISICAL_PROJECT_ID") || ""
+logger.debug(`Authenticated! Fetching secrets for project ${projectId}`)
+
+const allSecrets = await client.secrets().listSecrets({
+  environment: "prod",
+  projectId,
+  recursive: true
+});
+
+logger.info(`Got ${allSecrets.secrets.length} secrets`)
+
+const etaSecrets = Object.fromEntries(allSecrets.secrets.map(s => [s.secretKey, s.secretValue]))
+
+const DEFAULT_INPUT_PATH = "./secrets.eta"
+const DEFAULT_OUTPUT_PATH = "./secrets.pp"
+
+const inputPath = Deno.env.get("TEMPLATE_PATH") || DEFAULT_INPUT_PATH
+const outputPath = Deno.env.get("OUTPUT_PATH") || DEFAULT_OUTPUT_PATH
+
+logger.info(`Template: ${inputPath}, Output: ${outputPath}. Rendering`)
+
+const eta = new Eta({ varName: "secrets" })
+const src = Deno.readTextFileSync(inputPath)
+const res = eta.renderString(src, etaSecrets)
+
+Deno.writeTextFileSync(outputPath, res)
+
+logger.info("Done!")
\ No newline at end of file