aerostack secrets

Manage secrets for your staging and production environments. Secrets are encrypted at rest and injected into your Worker at runtime.

Local development

For local dev, store secrets in .dev.vars at the project root:

# .dev.vars
DATABASE_URL=postgres://...
STRIPE_SECRET_KEY=sk_test_...
OPENAI_API_KEY=sk-...

⚠️

Never commit .dev.vars to git. Add it to .gitignore.

List secrets

aerostack secrets list [flags]

Flag	Default	Description
`-e, --env`	`staging`	Environment to list from

# List staging secrets
aerostack secrets list
 
# List production secrets
aerostack secrets list --env production

Secret values are never shown — only names are returned.

Set a secret

aerostack secrets set <KEY> <value> [flags]

Flag	Default	Description
`-e, --env`	`staging`	Target environment

# Set a staging secret
aerostack secrets set STRIPE_SECRET_KEY sk_test_abc123
 
# Set a production secret
aerostack secrets set STRIPE_SECRET_KEY sk_live_abc123 --env production
 
# Read value from stdin (safer — hides value from shell history)
echo "sk_live_abc123" | aerostack secrets set STRIPE_SECRET_KEY --env production

Sync all secrets at deploy time

Use --sync-secrets during deploy to push all non-standard keys from .dev.vars to the target environment automatically:

aerostack deploy --env production --sync-secrets

Production secret checklist

Before deploying to production, set these secrets:

aerostack secrets set JWT_SECRET $(openssl rand -base64 32) --env production
aerostack secrets set STRIPE_SECRET_KEY sk_live_... --env production
aerostack secrets set OPENAI_API_KEY sk-... --env production
aerostack secrets set RESEND_API_KEY re_... --env production

aerostack generate types aerostack test