hepgg-secrets package

A small Node library that pulls your Hep.gg Secrets into process.env at app launch, like dotenv, with an encrypted last-good cache so a brief outage can't stop your app from booting.

hepgg-secrets

hepgg-secrets pulls your Hep.gg Secrets into process.env when your app starts. It is a one-shot injector (like dotenv), not a daemon: each boot fetches the current values for one environment and sets process.env. If Hep.gg is briefly unreachable it falls back to the last successful pull (encrypted on disk) so an outage can't stop your app from booting.

Install

npm install hepgg-secrets --registry https://npm.hep.gg

Use

Call config() as the very first thing your app runs, before anything reads process.env.

import { config } from "hepgg-secrets";
 
await config({
  env: "production",
  token: process.env.HEPGG_SECRETS_TOKEN, // hsk_...
});
console.log(process.env.DATABASE_URL);

Zero-config via environment

Every option has an env-var fallback, so you can keep code clean:

Option    Env var
url       HEPGG_SECRETS_URL
env       HEPGG_SECRETS_ENV
token     HEPGG_SECRETS_TOKEN
key       HEPGG_SECRETS_KEY

url defaults to https://hep.gg/api/v1/secrets/pull, so usually just a token (and an env for project-wide tokens) is enough.

import { config } from "hepgg-secrets";
await config(); // reads HEPGG_SECRETS_URL / ENV / TOKEN

End-to-end encrypted projects

If your project is E2EE, supply the passphrase (or recovery key) so the package can decrypt locally. The key is never sent to Hep.gg.

await config({
  env: "production",
  token: process.env.HEPGG_SECRETS_TOKEN,
  key: process.env.HEPGG_SECRETS_KEY, // your passphrase or recovery key
});

Options

config(options)

url
string, optional, default: https://hep.gg/api/v1/secrets/pull
Pull endpoint.

env
string, optional
Environment to fetch. Required for project-wide tokens.

token
string, optional
Your hsk_ pull token.

key
string, optional
E2EE passphrase or recovery key. Only for end-to-end-encrypted projects.

keys
string[], optional
Only fetch these names. Default: the whole environment.

override
boolean, optional, default: false
Overwrite variables already present in process.env.

cache
boolean | string, optional, default: true
Encrypted last-good cache: true, false, or a custom path.

timeoutMs
number, optional, default: 8000
Network timeout.

quiet
boolean, optional, default: false
Suppress the "using cached secrets" warning.
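
The fetch-then-fallback behaviour behind the cache and override options, as an added Node sketch that is not the package's own code. The cache layout, AES-256-GCM with a scrypt key derived from the token, and the pull and cachePath parameters are assumptions; the page does not document how the real cache is encrypted.

```javascript
// Added sketch of fetch-then-fallback; NOT the hepgg-secrets implementation.
// Assumed: cache = salt(16) | iv(12) | tag(16) | AES-256-GCM(JSON),
// key = scrypt(token, salt). `pull` and `cachePath` are hypothetical parameters.
const mods = () => Promise.all([import("node:crypto"), import("node:fs/promises")]);

async function seal(secrets, token) {
  const [c] = await mods();
  const salt = c.randomBytes(16);
  const iv = c.randomBytes(12);
  const cipher = c.createCipheriv("aes-256-gcm", c.scryptSync(token, salt, 32), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(secrets), "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

async function unseal(blob, token) {
  const [c] = await mods();
  const key = c.scryptSync(token, blob.subarray(0, 16), 32);
  const d = c.createDecipheriv("aes-256-gcm", key, blob.subarray(16, 28));
  d.setAuthTag(blob.subarray(28, 44));
  // final() throws if the file was modified or the token differs.
  const plain = Buffer.concat([d.update(blob.subarray(44)), d.final()]);
  return JSON.parse(plain.toString("utf8"));
}

async function loadSecrets({ pull, token, cachePath, env = process.env, override = false }) {
  const [, fs] = await mods();
  let secrets;
  let source = "network";
  try {
    secrets = await pull();
  } catch {
    // Outage: use the last good pull. A missing or tampered cache throws,
    // so the app fails closed instead of booting without secrets.
    source = "cache";
    secrets = await unseal(await fs.readFile(cachePath), token);
  }
  if (source === "network") {
    await fs.writeFile(cachePath, await seal(secrets, token), { mode: 0o600 });
  }
  const shadowed = [];
  for (const [name, value] of Object.entries(secrets)) {
    if (override || env[name] === undefined) env[name] = value;
    else shadowed.push(name); // existing variable kept; report the name only
  }
  return { source, shadowed };
}
```

The returned shadowed list names variables that were already set and therefore not replaced; logging those names (never the values) at boot makes a stale local variable masking a managed secret visible.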

Accessors

import { config, get, all } from "hepgg-secrets";
await config();
get("DATABASE_URL"); // string | undefined
all();               // { DATABASE_URL: "...", ... }