Storing Secrets and API keys

Simply storing secrets securely

Wouldn't it be nice to store secret values like API keys, database passwords, and private keys directly in the source code? Of course, we can’t do that it's horrifyingly insecure! (Unfortunately, it's also very common.)

Encore's built-in secrets manager makes it simple to store secrets in a secure way, and lets you use them in your program like regular variables.

When creating new environments, Encore automatically sets up secrets management using best practices for each cloud provider. See the infrastructure documentation for more details.

Defining secrets

With Encore you define secrets directly in your code by creating a struct:

var secrets struct { SSHPrivateKey string // ed25519 private key for SSH server GitHubAPIToken string // personal access token for deployments // ... }
Take care

The variable must be an unexported struct named secrets, and all the fields must be of type string like you see above.

Then you set the secret value using encore secret set --type <types...> <secret-name>.

<types> defines which environment types the secret value applies to. Use a comma-separated list of production, development, preview, and local. Shorthands: prod, dev, pr.

For example encore secret set --type prod SSHPrivateKey sets the secret value for production environments,
and encore secret set --type dev,preview,local GitHubAPIToken sets the secret value for development, preview, and local environments.

Take care

There can only be one secret value for each environment type. For example, if you already have a secret value that's shared between development, preview and local and you want to override the value for local, you must first edit the existing secret value and remove local. Only then can you define a new secret value specifically for local. (Same goes for the other environment types.)

You can edit existing secret values on the Encore web platform under Settings > Secrets.

For certain use cases it can be useful to define a secret for a specific environment instead of an environment type. You can do so with encore secret set --env <env-name> <secret-name>. Secret values for specific environments take precedence over values for environment types.

The values are stored safely using GCP's Key Management Service, and delivered securely directly to your application.

Using secrets

Once you've provided values for all the secrets, you can just use them in your program like a regular variable. For example:

func callGitHub(ctx context.Context) { req, _ := http.NewRequestWithContext(ctx, "GET", "https:///api.github.com/user", nil) req.Header.Add("Authorization", "token " + secrets.GitHubAPIToken) resp, err := http.DefaultClient.Do(req) // ... handle err and resp }

Secret keys are globally unique for your whole application; if multiple services use the same secret name they both receive the same secret value at runtime.

Please note

Once you've used secrets in your program, the Encore compiler will check that they are set before running or deploying your application.