Defining a “secret”

The following is a single key-value pair: 
API=https://api.example.com
However, the entire array comprising of all key-value pairs in an environment (of a project) is considered a single “secret.”
This is in-line without how GCP and AWS define secrets as well.
For example, the following payload is a single secret. 
API=https://api.example.com
AUTH_URL=https://api.example.com/auth
STORAGE_URL=https://api.example.com/storage

Versioning

What is a “version” of a secret?

To update the aforementioned definition of a secret: the entire array comprising of all key-value pairs in an environment (of a project) is considered a single version of a “secret.”

Example

Rollbacks

  • You cannot edit existing version of a secret.
  • Everytime you create/mutate your secrets, that change is reflected in a new version of your secret.
  • In case you made a mistake, you can rollback the secret to a previous version with older values.
In the get, ls and run commands of the CLI, you can use the --version flag to filter the version of the secret you want to execute the command for.
Changelogs are auto-generated whenever your team members mutate the secrets. This helps in auditing.