Skip to main content

What are Secrets

Secrets are secure environment variables for storing sensitive information like API keys, database passwords, and authentication tokens. They’re essential for:
  • Payment processing - Stripe, PayPal API keys
  • Email services - SendGrid, Resend API keys
  • External APIs - HubSpot, Zendesk, custom service credentials
  • Database connections - Connection strings and passwords
Secrets are stored securely and never exposed in your frontend code or version control.

Managing Secrets in the Dashboard

Adding Secrets

  1. Go to the Secrets tab in OptiDev Cloud
  2. Click Add Secret
  3. Enter a name (like STRIPE_SECRET_KEY)
  4. Enter the value (your actual API key)
  5. Click Add another to add more secrets, or click Save to finish
Use the eye icon to toggle password visibility while entering values.
Use UPPERCASE_WITH_UNDERSCORES for secret names. This is the standard convention and makes them easy to identify in your code.

Viewing Secrets

The Secrets tab shows all your secrets with:
  • Secret name - The identifier you use in code
  • SHA256 digest - For verification (not the actual value)
  • Last updated - When the secret was last modified

Deleting a Secret

  1. Click the trash icon next to the secret you want to remove
  2. Confirm the deletion
Deleting a secret removes it immediately. Any Edge Functions using that secret will fail until you add it back.

Using Secrets with OptiDev Agent

Ask OptiDev Agent to use your secrets when creating functions:
“Create a Stripe payment function using my STRIPE_SECRET_KEY secret”
OptiDev Agent will:
  1. Write code that securely accesses your secret
  2. Never expose the secret value in your frontend code
  3. Use the proper Deno.env.get() method to retrieve it

Example: Email Service

“Set up email sending with my SENDGRID_API_KEY secret”

Example: Database Connection

“Connect to my external database using the DATABASE_URL secret”

Security

Write-Only Storage

Secrets are write-only for security. Once saved:
  • You can see the secret name
  • You can see a SHA256 digest for verification
  • You cannot view the actual value
This ensures your API keys remain secure even if someone gains access to your dashboard.

Auto-Injected Secrets

These secrets are automatically available in all Edge Functions without adding them manually:
  • SUPABASE_URL - Your project URL
  • SUPABASE_ANON_KEY - Public (publishable) key
  • SUPABASE_SERVICE_ROLE_KEY - Admin key with full access
  • SUPABASE_DB_URL - Direct database connection string
Auto-injected secrets are not visible in the Secrets tab. They’re automatically available to your Edge Functions.

For Developers

Accessing Secrets in Edge Functions

Use Deno.env.get() to access secrets in your function code:
const stripeKey = Deno.env.get('STRIPE_SECRET_KEY')
const sendgridKey = Deno.env.get('SENDGRID_API_KEY')

Secret Naming Conventions

  • Use UPPERCASE_WITH_UNDERSCORES
  • Be descriptive: STRIPE_SECRET_KEY not SK
  • Include the service name: HUBSPOT_API_KEY, ZENDESK_TOKEN

No Redeployment Needed

Secrets are immediately available in Edge Functions after creation. You don’t need to redeploy your functions to use new secrets.

Encryption

All secrets are encrypted using AES-256-GCM before storage. The encryption key is derived from your workspace’s unique identifier, ensuring complete isolation between projects.