Skip to main content
Secrets are encrypted key-value pairs stored at the project level, with a different value per environment.

Structure

Each secret has:
  • Name — the key used as an environment variable (e.g. DATABASE_URL, API_KEY)
  • Values — one encrypted value per environment
  • Note — an optional encrypted note for documentation

Naming rules

Secret names can contain:
  • Uppercase and lowercase letters (A-Z, a-z)
  • Numbers (0-9)
  • Underscores (_) and hyphens (-)
Use uppercase with underscores for consistency with environment variable conventions (e.g. DATABASE_URL, STRIPE_SECRET_KEY).

Managing secrets

Dashboard

The project dashboard shows secrets in a table with one column per environment. You can:
  • Add a secret by clicking “Add Secret” and entering the key and values
  • Edit a value by clicking on it in the table
  • Delete a secret from the secret options menu
  • Search secrets using the search bar (supports fuzzy matching)
  • Show/hide values with the visibility toggle

CLI

The ek secret commands are deprecated and may be removed in a future release. Manage secrets through the dashboard instead.
The CLI provides commands for managing secrets from the terminal: 
# Create a secret
ek secret create DATABASE_URL "postgresql://localhost:5432/dev"

# Update a secret (prompts for new value)
ek secret update DATABASE_URL

# Delete a secret
ek secret delete DATABASE_URL

# List all secrets (values masked by default)
ek secret list

# List with visible values
ek secret list --show

Using secrets

There are three ways to use your secrets:
  1. CLI injection — run ek run -- <command> to inject secrets as environment variables into any process. See CLI quickstart.
  2. Syncs — push secrets to external providers (GitHub, Vercel, AWS, GCP) automatically. See Syncs overview.
  3. API / SDK — fetch secrets programmatically using an API token. See Machine credentials.

Best practices

  • Don’t store secrets in source code. Use Enkryptify as the single source of truth and inject secrets at runtime.
  • Use environment-specific values. Each environment should have its own credentials, don’t share production database URLs with development.
  • Use descriptive names. Name secrets clearly so their purpose is obvious (e.g. STRIPE_SECRET_KEY instead of SECRET_KEY).