Secrets
A secret is a named, encrypted value — for example DATABASE_PASSWORD or
STRIPE_API_KEY. You store it once, then reference it from a
deployment’s environment variables, so credentials never live in
plain text in your deployment configuration.
Creating a secret
From the Secrets page:
- Click Add secret.
- Give it a name (commonly the environment-variable name your app expects,
e.g.
DATABASE_URL). - Enter the value.
- Save. The value is stored encrypted.
You can also create a secret inline while adding an environment variable in the New deployment wizard — handy when you realise you need one mid-setup.
Using a secret in a deployment
When you add an environment variable to a deployment, choose secret reference instead of a plain value and pick the secret. At runtime its value is injected into your container — it never appears in the deployment configuration or the dashboard.
Managed database credentials work the same way: a database publishes its password as a secret, which you reference from your app’s environment variables.
Scope
Secrets are account-wide — once created, a secret is available to any of your deployments. You choose which ones each deployment uses by referencing them from its environment variables.
Managing secrets
- View / update the value at any time.
- Delete a secret you no longer need.
If a secret is still referenced by a running deployment, update the deployment to stop referencing it before deleting, so the app doesn’t lose the value on its next rollout.
Good to know
- Name a secret after the environment variable that will use it — it makes the mapping obvious.
- Values are encrypted at rest and are never shown in a deployment’s configuration.
- Secrets are the right home for anything sensitive — keep passwords, tokens and keys out of plain environment values and out of your container image.