Skip to main content

cubby secrets

Manage secrets (environment variables) for your app. Secrets can be set for local development or production environments.

Subcommands


cubby secrets set

Set a secret for an app. The value is entered securely (hidden input).

Usage

Arguments

Flags

Examples

Naming Convention

Secret names must be:
  • Uppercase letters, numbers, and underscores
  • Start with a letter
Examples: API_KEY, DATABASE_URL, STRIPE_SECRET_KEY

Production Secrets Workflow

Production secrets require the app to exist on the platform:
Setting a production secret does not update already-running containers by itself. Run cubby secrets apply --env prod to restart the app and apply changes without rebuilding.

cubby secrets list

List all secrets for an app.

Usage

Flags

Examples

Output


cubby secrets delete

Delete a secret from an app.

Usage

Arguments

Flags

Examples


cubby secrets apply

Apply saved production secret changes to the running app without rebuilding the image.

Usage

Flags

Examples


Reserved Names

Some environment variables are reserved and managed by Cubby: Do not set these manually.

How Secrets Work

Local Development

Local secrets are stored on your machine and injected into the cubby dev container:

Production

Production secrets are:
  • Encrypted at rest
  • Injected at container startup
  • Never logged or exposed
The workflow:
  1. Deploy creates the app
  2. Set secrets via cubby secrets set --env prod
  3. Apply secrets via cubby secrets apply --env prod to restart the app without rebuilding

Accessing Secrets in Code

Secrets are available as environment variables:

Best Practices

  1. Never commit secrets - Use cubby secrets, not .env files in production
  2. Use descriptive names - STRIPE_SECRET_KEY not SK
  3. Apply after changes - Run cubby secrets apply --env prod after changing production secrets
  4. Keep local and prod separate - Different values for each environment