cubby secrets

Manage secrets (environment variables) for your app. Secrets can be set for local development or production environments.

Subcommands

Command	Description
`cubby secrets set <name>`	Set a secret
`cubby secrets list`	List secrets
`cubby secrets delete <name>`	Delete a secret

cubby secrets set

Set a secret for an app. The value is entered securely (hidden input).

Usage

cubby secrets set <name> [flags]

Arguments

Argument	Description
`name`	Secret name (e.g., `API_KEY`, `STRIPE_SECRET`)

Flags

Flag	Short	Description	Default
`--env`	`-e`	Environment (`local` or `prod`)	`local`

Examples

# Set local secret
cubby secrets set OPENAI_API_KEY

# Set production secret
cubby secrets set STRIPE_SECRET_KEY --env prod

Naming Convention

Secret names must be:

Uppercase letters, numbers, and underscores
Start with a letter

Examples: API_KEY, DATABASE_URL, STRIPE_SECRET_KEY

Production Secrets Workflow

Production secrets require the app to exist on the platform:

# 1. Deploy first (creates the app)
cubby deploy

# 2. Set secrets
cubby secrets set OPENAI_API_KEY --env prod

# 3. Redeploy to pick up new secrets
cubby deploy

Setting a production secret does not restart your running container. You must redeploy for changes to take effect.

cubby secrets list

List all secrets for an app.

Usage

cubby secrets list [flags]

Flags

Flag	Short	Description	Default
`--reveal`	`-r`	Show secret values (hidden by default)	`false`
`--env`	`-e`	Environment (`local` or `prod`)	`local`

Examples

# List local secrets
cubby secrets list

# Show values
cubby secrets list --reveal

# List production secrets
cubby secrets list --env prod

Output

Secrets for myapp (local):

  OPENAI_API_KEY=********************
  STRIPE_SECRET_KEY=********************

  Use --reveal to show values

cubby secrets delete

Delete a secret from an app.

Usage

cubby secrets delete <name> [flags]

Arguments

Argument	Description
`name`	Secret name to delete

Flags

Flag	Short	Description	Default
`--env`	`-e`	Environment (`local` or `prod`)	`local`
`--force`	`-f`	Skip confirmation prompt	`false`

Examples

# Delete local secret
cubby secrets delete API_KEY

# Delete production secret
cubby secrets delete API_KEY --env prod

# Delete without confirmation
cubby secrets delete API_KEY --force

Reserved Names

Some environment variables are reserved and managed by Cubby:

Name	Description
`DATABASE_URL`	Automatically provisioned for apps with Prisma
`PORT`	Set by the container runtime (default: 3000)

Do not set these manually.

How Secrets Work

Local Development

Local secrets are stored on your machine and injected into the cubby dev container:

cubby secrets set API_KEY
cubby dev  # API_KEY available in container

Production

Production secrets are:

Encrypted at rest
Injected at container startup
Never logged or exposed

The workflow:

Deploy creates the app
Set secrets via cubby secrets set --env prod
Redeploy to inject secrets into the running container

Accessing Secrets in Code

Secrets are available as environment variables:

// API route
export async function GET() {
  const apiKey = process.env.OPENAI_API_KEY
  // Use the secret
}

Best Practices

Never commit secrets - Use cubby secrets, not .env files in production
Use descriptive names - STRIPE_SECRET_KEY not SK
Redeploy after changes - Production secrets require a redeploy
Keep local and prod separate - Different values for each environment

cubby dev - Uses local secrets
cubby deploy - Uses production secrets

Getting Started

CLI Reference

Platform

cubby secrets

cubby secrets

Subcommands

cubby secrets set

Usage

Arguments

Flags

Examples

Naming Convention

Production Secrets Workflow

cubby secrets list

Usage

Flags

Examples

Output

cubby secrets delete

Usage

Arguments

Flags

Examples

Reserved Names

How Secrets Work

Local Development

Production

Accessing Secrets in Code

Best Practices

Getting Started

CLI Reference

Platform

​cubby secrets

​Subcommands

​cubby secrets set

​Usage

​Arguments

​Flags

​Examples

​Naming Convention

​Production Secrets Workflow

​cubby secrets list

​Usage

​Flags

​Examples

​Output

​cubby secrets delete

​Usage

​Arguments

​Flags

​Examples

​Reserved Names

​How Secrets Work

​Local Development

​Production

​Accessing Secrets in Code

​Best Practices

​Related Commands

cubby secrets

Subcommands

cubby secrets set

Usage

Arguments

Flags

Examples

Naming Convention

Production Secrets Workflow

cubby secrets list

Usage

Flags

Examples

Output

cubby secrets delete

Usage

Arguments

Flags

Examples

Reserved Names

How Secrets Work

Local Development

Production

Accessing Secrets in Code

Best Practices

Related Commands