Security Guide
Managing Secrets
API keys, database passwords, and other credentials stay out of your source code. We detect them during analysis, store them encrypted, and inject them at runtime.
Step By Step
How it works
Secrets are handled automatically as part of the deploy flow. You only need to supply values for external credentials.
1. We scan your code during analysis. When you paste code or push via git, we look for environment variable references and hardcoded values like API keys and passwords.
2. Hardcoded values get flagged. If we find a secret in your source code, we show you the exact line and offer to replace it with an environment variable reference automatically.
3. You provide the values we can't generate. External API keys and credentials are yours to supply. We generate infrastructure secrets like database passwords for you.
4. Secrets are encrypted and injected at runtime. Values are encrypted at rest and only decrypted when your service starts. They're never stored in your source code or build artifacts.
Three Categories
What we detect
Every environment variable falls into one of three buckets. The category determines who provides the value.
- Your credentials. External API keys, auth tokens, and third-party service credentials. You supply these because we can't generate them for you. Examples: Stripe keys, AWS credentials, OpenAI tokens.
- Infrastructure secrets. Database passwords, session secrets, and encryption keys. We generate secure values automatically and wire them into your service's environment.
- Static configuration. Ports, environment modes, and internal hostnames. These are set by the platform and don't contain sensitive data.
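As an added illustration of steps 1 to 3 of the deploy flow and of the three categories above (example code written for this guide, not the platform's own scanner; the name patterns and category hints are assumed heuristics, and the sample source is constructed):

```python
import re

# Heuristic scanner modelled on the guide's flow; the patterns below are
# constructed for this example and are not the platform's own rules.
ASSIGNMENT = re.compile(
    r"""^(?P<indent>\s*)(?P<name>[A-Za-z_]\w*)\s*=\s*"""
    r"""(?P<q>["'])(?P<value>[^"']{8,})(?P=q)\s*$"""
)
SENSITIVE_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL", re.I)
INFRA_HINTS = ("DATABASE", "DB_", "SESSION", "ENCRYPTION")  # platform-generated

def categorize(name: str) -> str:
    """Map a variable name onto the guide's three buckets."""
    upper = name.upper()
    if not SENSITIVE_NAME.search(upper):
        return "static-configuration"          # ports, modes, hostnames
    if any(hint in upper for hint in INFRA_HINTS):
        return "infrastructure-secret"         # generated by the platform
    return "your-credentials"                  # external keys you must supply

def scan(source: str) -> list[dict]:
    """Return one finding per hardcoded secret literal, with the proposed rewrite."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m or not SENSITIVE_NAME.search(m.group("name")):
            continue  # not a string literal assigned to a sensitive-looking name
        name = m.group("name")
        findings.append({
            "line": lineno,
            "name": name,
            "category": categorize(name),
            "replacement": f'{m.group("indent")}{name} = os.environ["{name.upper()}"]',
        })
    return findings

def secure_all(source: str) -> str:
    """Rewrite every flagged line so the value is read from the environment."""
    rewrites = {f["line"]: f["replacement"] for f in scan(source)}
    lines = source.splitlines()
    fixed = [rewrites.get(i, line) for i, line in enumerate(lines, start=1)]
    if rewrites and not any(l.strip() == "import os" for l in lines):
        fixed.insert(0, "import os")
    return "\n".join(fixed)

# Constructed sample input; the key value is a dummy, not a real credential.
SAMPLE = 'STRIPE_KEY = "sk_test_EXAMPLE000000"\ndb_password = "hunter2hunter2"\nPORT = "8080"\n'
```

Running `scan(SAMPLE)` flags lines 1 and 2 (one external credential, one infrastructure secret) and leaves the port alone; `secure_all(SAMPLE)` returns the source with both literals replaced by environment lookups.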
After Deploy
The Secrets tab
Every service has a Secrets tab where you manage values, track versions, and respond to changes.
- Needs configuration. Secrets we detected but don't have values for yet. Your service won't deploy until these are filled in.
- Version history. Every update creates a new version. If a value breaks something, roll back to the previous version without redeploying your code.
- Removed from codebase. When you push new code that no longer references a secret, we flag it so you can clean up. We don't delete it automatically in case you still need it.
What To Watch For
Common situations
- Hardcoded API keys in pasted code. The most common flag. We show you the exact line, the replacement, and a one-click fix. Hit Secure All and we rewrite the references for you.
- Missing values after a git push. If your new code references a secret that doesn't have a value yet, we block the deploy and show what needs to be configured on the Secrets tab.