Secrets

Store API keys, credentials, and other sensitive values encrypted at rest. Secrets are per-environment and never logged.

How secrets work

Secrets are injected as environment variables into every process (web, worker, cron) on each deploy. They are available as os.environ['KEY'], process.env.KEY, etc.

Managing secrets

MCP (Claude Code / Cursor)

set_secret(
  app_name: "my-api",
  environment: "prod",
  key: "STRIPE_API_KEY",
  value: "sk_live_..."
)

list_secrets(app_name: "my-api", environment: "prod")

delete_secret(app_name: "my-api", environment: "prod", key: "STRIPE_API_KEY")

CLI

promptship secrets set STRIPE_API_KEY=sk_live_... --app my-api --env prod
promptship secrets list --app my-api --env prod
promptship secrets delete STRIPE_API_KEY --app my-api --env prod

Secrets are per-environment. Set them separately for dev and prod. For web apps, changes take effect on the next deploy.

Reserved keys

The following keys are managed by the platform and cannot be set as secrets:

Key            Reason
PORT           Set by the platform for web processes
DATABASE_URL   Injected when Postgres is attached
REDIS_URL      Injected when Valkey is attached
VALKEY_URL     Injected when Valkey is attached
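
On the application side, a startup loader can read the injected environment variables described under "How secrets work", fail closed when one is missing, and keep values out of the app's own logs. The following is an added example, not part of the platform or its SDK; `load_secrets`, `Secret` and `MissingSecrets` are hypothetical names, and the sample environment is constructed.

```python
import os

# Keys the page lists as platform-managed; they arrive in the environment
# but cannot be set as secrets.
RESERVED_KEYS = frozenset({"PORT", "DATABASE_URL", "REDIS_URL", "VALKEY_URL"})


class MissingSecrets(RuntimeError):
    """Raised at startup; the message carries key names only, never values."""


class Secret:
    """Wraps a secret so str(), repr() and f-strings never reveal it."""

    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def reveal(self):
        # The only way to get the plaintext; call it at the point of use.
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


def load_secrets(required, environ=None):
    """Return {key: Secret} for every required key, or fail closed."""
    environ = os.environ if environ is None else environ
    reserved = sorted(set(required) & RESERVED_KEYS)
    if reserved:
        raise ValueError("platform-managed keys are not secrets: " + ", ".join(reserved))
    # An empty string counts as missing: a blank API key is a misconfiguration.
    missing = sorted(k for k in required if not environ.get(k))
    if missing:
        raise MissingSecrets("missing secrets: " + ", ".join(missing))
    return {k: Secret(environ[k]) for k in required}


if __name__ == "__main__":
    # Constructed sample environment standing in for what a deploy injects.
    sample = {"STRIPE_API_KEY": "sk_test_constructed", "PORT": "8080"}
    print(load_secrets(["STRIPE_API_KEY"], environ=sample))  # values stay masked
```

Call `load_secrets` once at process start so a missing key stops the deploy's process immediately instead of surfacing later as a failed API call.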