Secrets
A developer secrets vault. Organize secrets as Project, Environment, and Secret, and pull an environment into your app at launch, across every machine, with optional end-to-end encryption.
Secrets
Secrets is a developer vault for your environment variables and credentials. You organize them as Project -> Environment -> Secret, then pull an environment into your app at launch, on every machine, from one account. No more copying .env files around. Projects can optionally be end-to-end encrypted, so not even Hep.gg can read their values.
Concepts
A top-level container, usually one per app or service. Free plans get 15 projects, Hep.gg Prime gets 100.
A named set of values inside a project, like development and production. Free plans get 2 per project, Prime gets 5. The same secret name can hold different values in different environments.
A NAME and its value. Values can be up to 64 KB and multiline (handy for certificates or JSON service-account files).
A read-only credential an app uses to fetch secrets over the network. Either project-wide (reads any environment) or locked to one environment.
Quick start
- Open Dashboard -> Secrets and create a project.
- Add a secret: type a
NAME, fill its value under one or more environments, and the checkmark saves it instantly. - Open the Pull Tokens tab and create a token.
- In your app:
npm install hepgg-secrets --registry https://npm.hep.ggimport { config } from "hepgg-secrets";
await config({
env: "production",
token: process.env.HEPGG_SECRETS_TOKEN,
});
// your secrets are now in process.envEvery time your app starts it pulls the latest values. Edit a value in the dashboard and the next launch picks it up. See the pull API and the hepgg-secrets package for details.
Importing existing config
The dashboard's Import tab accepts:
.envfiles (KEY=value, quotes andexporthandled)..json(nested objects are flattened, e.g.db.hostbecomesDB_HOST).- pm2 ecosystem
config.json(each app'senvblock becomes an importable group).
Paste or upload the file, pick which variables to import, choose the target environment, and commit. Existing names can be overwritten or skipped.
Copying between environments
The Copy environment button duplicates every secret from one environment into another within the same project, the fast way to seed production from development.
End-to-end encryption
When you create a project you can turn on end-to-end encryption. Values are then encrypted in your browser with a passphrase Hep.gg never sees; we store only ciphertext. You also get a one-time recovery key, save it, because if you lose both the passphrase and the recovery key, the data is unrecoverable.
To pull an E2EE project, give the package your key (see the pull API). E2EE is chosen when the project is created and cannot be switched later.
Plans
| Free | Hep.gg Prime | |
|---|---|---|
| Projects | 15 | 100 |
| Environments per project | 2 | 5 |
| Secrets per environment | unlimited | unlimited |
| End-to-end encryption | yes | yes |