Web Dashboard

Organization Secrets

The Secrets page in your dashboard is where you securely manage organization-wide secrets — API keys, database credentials, tokens, and other sensitive values. All secrets are encrypted with AES-256-GCM and isolated per organization.

Accessing the Secrets Page

Click Secrets in the left sidebar

Use the organization dropdown in the header to switch between organizations

Environment Switcher

Above the secrets list, an Environment dropdown lets you switch between development, staging, and production. Switching the environment refreshes the list to show only secrets in the selected bucket and triggers a brief confirmation toast.

Each environment is fully isolated — the same key can hold different values in development and production. Create, edit, and delete operations apply only to the currently selected environment.

When you switch environments, any revealed values are hidden again immediately so you don't accidentally view production data while working in development.

Managing Secrets

Creating a Secret

Click + Add Secret in the top right

Enter the Secret Key (e.g., STRIPE_SECRET_KEY) — automatically uppercased

Enter the Secret Value — the sensitive value to store

(Optional) Add a Description for context

Click Create Secret

Keys must use only A-Z, 0-9, underscore, hyphen, and period. Maximum 256 characters. Values can be up to 1 MB.

Revealing a Secret Value

Values are masked by default. Click the eye icon next to a secret to reveal its plaintext value.

For security, revealed values automatically hide again after 30 seconds.

Editing a Secret

Click the pencil icon next to the secret

Update the value and/or description

Click Save — the version increments automatically

Deleting a Secret

Click the trash icon next to the secret

Confirm deletion in the dialog

Deletion is permanent and cannot be undone. The secret will become immediately inaccessible to your applications.

Searching Secrets

Use the search box above the list to filter secrets by key name. Search is case-insensitive and matches partial keys.

Roles & Permissions

What each role can do

Role	View	Reveal	Create	Edit	Delete
Owner	✓	✓	✓	✓	✓
Admin	✓	✓	✓	✓	✓
Editor	✓	✓	—	—	—
Viewer	✓	✓	—	—	—

Editors and Viewers can read all secrets but cannot create, edit, or delete them. The Add, Edit, and Delete buttons are hidden for these roles.

Switching Organizations

If you belong to multiple organizations, use the organization dropdown in the header to switch between them. Each organization has its own independent set of secrets — secrets in one org are completely invisible to another.

When you switch organizations, the secrets list refreshes automatically to show only the secrets of the currently selected organization.

Security & Encryption

How your secrets are protected

AES-256-GCM encryption — values are encrypted at the edge before being stored. Plaintext never reaches the database.

Organization isolation — secrets are scoped per organization at the database level. Cross-organization access is impossible.

Audit logs — every create, read, update, and delete operation is logged with timestamp, user, IP address, and user agent.

HTTPS everywhere — all traffic is encrypted in transit with HSTS enabled.

Auto-hide on reveal — revealed values automatically re-mask after 30 seconds.

Best Practices

Use descriptive keys. Prefer STRIPE_LIVE_SECRET_KEY over generic names like SECRET.

Add descriptions. Explain what the secret is for so future team members understand the context.

Limit access. Use the Editor or Viewer role for users who only need to read secrets.

Rotate regularly. Update sensitive secrets like database passwords and API keys on a schedule.

Review audit logs. Check the Audit Logs page for unexpected reveal or update activity.

Next Steps

Manage Secrets via CLI

Use the envv secrets command to manage secrets from your terminal.

Audit Logs

Review every secret operation — who did what and when.