diff --git a/pkgs/clan-cli/clan_cli/secrets/key.py b/pkgs/clan-cli/clan_cli/secrets/key.py
index db1a1bf57..f471615d3 100644
--- a/pkgs/clan-cli/clan_cli/secrets/key.py
+++ b/pkgs/clan-cli/clan_cli/secrets/key.py
@@ -1,5 +1,7 @@
 import argparse
+import json
 import logging
+import sys
 from pathlib import Path
 
 from clan_cli.errors import ClanError
@@ -54,9 +56,13 @@ def generate_command(args: argparse.Namespace) -> None:
 
 
 def show_command(args: argparse.Namespace) -> None:
-    key, key_type = sops.maybe_get_admin_public_key()
-    type_or_null = f'"{key_type.name.lower()}"' if key_type else "null"
-    print(f'{{"key": "{key}", "type": {type_or_null}}}')
+    key = sops.maybe_get_admin_public_key()
+    if not key:
+        msg = "No public key found"
+        raise ClanError(msg)
+    json.dump(
+        {"key": key.pubkey, "type": str(key.key_type)}, sys.stdout, indent=2, sort_keys=True
+    )
 
 
 def update_command(args: argparse.Namespace) -> None:
diff --git a/pkgs/clan-cli/tests/test_secrets_cli.py b/pkgs/clan-cli/tests/test_secrets_cli.py
index bb36af2f9..91b6ffd42 100644
--- a/pkgs/clan-cli/tests/test_secrets_cli.py
+++ b/pkgs/clan-cli/tests/test_secrets_cli.py
@@ -1,3 +1,4 @@
+import json
 import logging
 import os
 from collections.abc import Iterator
@@ -253,7 +254,7 @@ def test_secrets(
     cli.run(["secrets", "key", "generate", "--flake", str(test_flake.path)])
     with capture_output as output:
         cli.run(["secrets", "key", "show", "--flake", str(test_flake.path)])
-    key = output.out
+    key = json.loads(output.out)["key"]
     assert key.startswith("age1")
     cli.run(
         ["secrets", "users", "add", "--flake", str(test_flake.path), "testuser", key]