# aerostack secrets

> Manage encrypted secrets for staging and production environments. Secrets are injected into your Worker at runtime, never exposed in code.

Manage secrets for your staging and production environments. Secrets are encrypted at rest and injected into your Worker at runtime.

## Local development

For local dev, store secrets in `.dev.vars` at the project root:

```
# .dev.vars
DATABASE_URL=postgres://...
STRIPE_SECRET_KEY=sk_test_...
OPENAI_API_KEY=sk-...
```

Never commit `.dev.vars` to git. Add it to `.gitignore`.

---

## List secrets

```bash
aerostack secrets list [flags]
```

| Flag | Default | Description |
|------|---------|-------------|
| `-e, --env` | `staging` | Environment to list from |

```bash
# List staging secrets
aerostack secrets list

# List production secrets
aerostack secrets list --env production
```

Secret values are never shown — only names are returned.

---

## Set a secret

```bash
aerostack secrets set <name> <value> [flags]
```

| Flag | Default | Description |
|------|---------|-------------|
| `-e, --env` | `staging` | Target environment |

```bash
# Set a staging secret
aerostack secrets set STRIPE_SECRET_KEY sk_test_abc123

# Set a production secret
aerostack secrets set STRIPE_SECRET_KEY sk_live_abc123 --env production

# Read value from stdin (safer: keeps the value out of shell history)
read -rs STRIPE_KEY   # type or paste the value; it is not echoed
printf '%s\n' "$STRIPE_KEY" | aerostack secrets set STRIPE_SECRET_KEY --env production
unset STRIPE_KEY
```

---

## Sync all secrets at deploy time

Use `--sync-secrets` during deploy to push all non-standard keys from `.dev.vars` to the target environment automatically:

```bash
aerostack deploy --env production --sync-secrets
```
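
A pre-sync check for the step above, as an added example that is not part of the aerostack CLI or its documentation. Because `--sync-secrets` pushes keys from `.dev.vars`, the hypothetical `lint_dev_vars` helper flags entries that look like local-only values (empty, `...` placeholders, `sk_test_` keys) and prints key names only. It assumes the `KEY=value` line format shown earlier on this page.

```bash
#!/usr/bin/env bash
# Added example, not part of the aerostack CLI. lint_dev_vars is a hypothetical
# helper: it flags .dev.vars entries that should not be synced to production.
# It prints key names only, never values. Returns 0 clean, 1 findings, 2 unreadable.
lint_dev_vars() {
  local file line key value rc
  file="${1:-.dev.vars}"
  rc=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                       # blank line or comment
      *=*) ;;                                    # KEY=value, checked below
      *) echo "malformed line (no '=')"; rc=1; continue ;;
    esac
    key="${line%%=*}"
    value="${line#*=}"
    value="${value#\"}"; value="${value%\"}"     # drop optional double quotes
    case "$value" in
      '')        echo "$key: empty value"; rc=1 ;;
      *...)      echo "$key: unfilled placeholder"; rc=1 ;;
      sk_test_*) echo "$key: test-mode key (sk_test_ prefix)"; rc=1 ;;
    esac
  done < "$file"
  return "$rc"
}

# Constructed sample input (no real credentials).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# .dev.vars
DATABASE_URL=postgres://app@db.internal.example/app
STRIPE_SECRET_KEY=sk_test_abc123
OPENAI_API_KEY=sk-...
EOF
lint_dev_vars "$sample" || echo "resolve the keys above before running --sync-secrets"
rm -f "$sample"
```

Run it as `lint_dev_vars .dev.vars && aerostack deploy --env production --sync-secrets` so the deploy only starts when the file is clean.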

---

## Production secret checklist

Before deploying to production, set these secrets:

```bash
# Generate the JWT secret and pass it on stdin so it never appears in the argument list
openssl rand -base64 32 | aerostack secrets set JWT_SECRET --env production
aerostack secrets set STRIPE_SECRET_KEY sk_live_... --env production
aerostack secrets set OPENAI_API_KEY sk-... --env production
aerostack secrets set RESEND_API_KEY re_... --env production
```
