cubby secrets
Manage secrets (environment variables) for your app. Secrets can be set for local development or production environments.Subcommands
cubby secrets set
Set a secret for an app. The value is entered securely (hidden input).Usage
Arguments
Flags
Examples
Naming Convention
Secret names must be:- Uppercase letters, numbers, and underscores
- Start with a letter
API_KEY, DATABASE_URL, STRIPE_SECRET_KEY
Production Secrets Workflow
Production secrets require the app to exist on the platform:cubby secrets list
List all secrets for an app.Usage
Flags
Examples
Output
cubby secrets delete
Delete a secret from an app.Usage
Arguments
Flags
Examples
cubby secrets apply
Apply saved production secret changes to the running app without rebuilding the image.Usage
Flags
Examples
Reserved Names
Some environment variables are reserved and managed by Cubby:
Do not set these manually.
How Secrets Work
Local Development
Local secrets are stored on your machine and injected into thecubby dev container:
Production
Production secrets are:- Encrypted at rest
- Injected at container startup
- Never logged or exposed
- Deploy creates the app
- Set secrets via
cubby secrets set --env prod - Apply secrets via
cubby secrets apply --env prodto restart the app without rebuilding
Accessing Secrets in Code
Secrets are available as environment variables:Best Practices
- Never commit secrets - Use
cubby secrets, not.envfiles in production - Use descriptive names -
STRIPE_SECRET_KEYnotSK - Apply after changes - Run
cubby secrets apply --env prodafter changing production secrets - Keep local and prod separate - Different values for each environment
Related Commands
cubby dev- Uses local secretscubby deploy- Uses production secrets