Environment variables & secrets
Read all your config from environment variables. Plain values go in the dashboard. Secrets go in the Vault.
Your app should read its configuration from environment variables, never
from a committed .env file (that file is not deployed). There
are two places to set them, depending on how sensitive the value is.
Plain variables
For non-sensitive config (feature flags, a public URL, a log level), add a variable in your app's dashboard. It is injected into your app at runtime.
Secrets: the Vault
For anything sensitive (an API key, a token, a password), use the Vault. Secrets are encrypted at rest with a key unique to your account, and they are only ever available to the apps you choose.
- Add the secret in Settings, then Vault.
- It is encrypted and isolated to your account.
- Bind it to the apps that need it, under any variable name you like.
- It shows up as an environment variable in just those apps.
Dockhold does not inject every secret into every app. You bind each secret to specific apps. If one app is ever compromised, it can only see the secrets you bound to it, nothing else.
Reading them in your app
Bound secrets and variables are plain environment variables. Read them the usual way:
import os
# Set in the dashboard or bound from the Vault
OPENAI_API_KEY = os.getenv("OPENAI_API_KEY")
DATABASE_URL = os.getenv("DATABASE_URL")  # injected by Dockhold
A note for front-end builds
A build can't see your dashboard variables, and a browser bundle is public.
So never put a secret behind a public build-time prefix. For a front-end
single-page app, read browser config at runtime from
window.__APP_CONFIG__ rather than baking it into the build. See
Missing environment variables if a value isn't showing up.
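An added example, not part of the original page and not Dockhold's own code: one way to keep bound secrets out of window.__APP_CONFIG__, assuming your back end itself renders the script that sets it (the page does not say how the object is populated). The allowlisted variable names and the function names are hypothetical.

```python
import json

# Hypothetical allowlist: the only variables the browser is allowed to see.
# Anything not named here (Vault secrets included) stays server-side.
BROWSER_SAFE = ("PUBLIC_API_URL", "FEATURE_NEW_CHECKOUT", "LOG_LEVEL")

# Characters that could close the <script> element or start an HTML entity.
# json.dumps (default ensure_ascii=True) already escapes U+2028 and U+2029.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def browser_config(environ, allowed=BROWSER_SAFE):
    """Copy only allowlisted variables out of the environment mapping."""
    return {name: environ[name] for name in allowed if name in environ}


def render_config_script(environ, allowed=BROWSER_SAFE):
    """Return the JavaScript statement that sets window.__APP_CONFIG__."""
    payload = json.dumps(browser_config(environ, allowed), sort_keys=True)
    for char, escaped in _SCRIPT_ESCAPES.items():
        payload = payload.replace(char, escaped)
    return "window.__APP_CONFIG__ = " + payload + ";"


if __name__ == "__main__":
    # Constructed sample environment: two plain variables and two secrets.
    sample = {
        "PUBLIC_API_URL": "https://api.example.test",
        "LOG_LEVEL": "info",
        "OPENAI_API_KEY": "sk-constructed-not-real",
        "DATABASE_URL": "postgres://user:pw@db.example.test/app",
    }
    print(render_config_script(sample))
```

In the app itself, pass os.environ as the mapping and serve the returned statement inside a script element or as a small JavaScript file loaded before the bundle.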
Every change is logged
Access to the Vault is written to a tamper-evident audit trail. The trail is integrity-checked nightly, and you are alerted if a platform administrator ever touches your secrets.