> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enkryptify.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Store, manage and distribute encrypted secrets across environments.

Secrets are encrypted key-value pairs stored at the project level, with a different value per environment.

## Structure

Each secret has:

* **Name**: the key used as an environment variable (e.g. `DATABASE_URL`, `API_KEY`)
* **Values**: one encrypted value per environment
* **Note**: an optional encrypted note for documentation

## Naming rules

Secret names can contain:

* Uppercase and lowercase letters (A-Z, a-z)
* Numbers (0-9)
* Underscores (`_`) and hyphens (`-`)

Use uppercase with underscores for consistency with environment variable conventions (e.g. `DATABASE_URL`, `STRIPE_SECRET_KEY`).

## Managing secrets

### Dashboard

The project dashboard shows secrets in a table with one column per environment. You can:

* **Add** a secret by clicking "Add Secret" and entering the key and values
* **Edit** a value by clicking on it in the table
* **Delete** a secret from the secret options menu
* **Search** secrets using the search bar (supports fuzzy matching)
* **Show/hide** values with the visibility toggle

### CLI

<Warning>
  The `ek secret` commands are **deprecated** and may be removed in a future release. Manage secrets through the dashboard instead.
</Warning>

The [CLI](/cli/commands) provides commands for managing secrets from the terminal:

```bash theme={"dark"}
# Create a secret
ek secret create DATABASE_URL "postgresql://localhost:5432/dev"

# Update a secret (prompts for new value)
ek secret update DATABASE_URL

# Delete a secret
ek secret delete DATABASE_URL

# List all secrets (values masked by default)
ek secret list

# List with visible values
ek secret list --show
```

## Using secrets

There are three ways to use your secrets:

1. **CLI injection**: run `ek run -- <command>` to inject secrets as environment variables into any process. See [CLI quickstart](/cli/quickstart).

2. **Syncs**: push secrets to external providers (GitHub, Vercel, AWS, GCP) automatically. See [Syncs overview](/sync/overview).

3. **API / SDK**: fetch secrets programmatically using an [API token](/credentials/api-tokens). See [Machine credentials](/credentials/overview).

## Best practices

* **Don't store secrets in source code.** Use Enkryptify as the single source of truth and inject secrets at runtime.
* **Use environment-specific values.** Each environment should have its own credentials, don't share production database URLs with development.
* **Use descriptive names.** Name secrets clearly so their purpose is obvious (e.g. `STRIPE_SECRET_KEY` instead of `SECRET_KEY`).
