SecretSpec

SecretSpec separates secret declaration from secret provisioning. You define the secrets that your application needs in a secretspec.toml file and each developer, CI system, and production environment can provide those secrets from their preferred secure provider.

Quick Start

Follow the SecretSpec quickstart guide.

Runtime Loading (Best Practice)

While you can enable SecretSpec in devenv to load secrets into the secretspec.secrets option, we recommend that you:

a) Use the Rust SDK to load secrets in your application code

b) Load secrets at runtime and expose them only to the processes that need them

$ devenv shell
$ secretspec run -- npm start

This approach:

  • Keeps secrets out of your shell environment
  • Reduces exposure of sensitive data
  • Makes secret rotation easier
  • Follows the principle of least privilege
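The runtime pattern above (declare which secrets the application needs, resolve them from a provider at launch, and hand them only to the child process) can be sketched in a few lines. The following is an added illustration written for this page, not SecretSpec's own implementation or its Rust SDK: the declaration is a constructed dict standing in for a secretspec.toml profile (the real file is TOML, and its exact schema is an assumption here), the dotenv parser is a deliberately minimal one, and the provider names and precedence are also assumptions. What it shows is that the parent shell never gains the secret values; only the spawned command does, and a missing required secret fails the launch instead of silently running with an empty value.

```python
"""Runtime secret provisioning scoped to one child process (illustrative only)."""
import os
import subprocess
import sys

# Constructed declaration: what a secretspec.toml profile declares, as a dict.
# The {"description", "required"} shape is an assumption for this example.
DECLARED = {
    "DATABASE_URL": {"description": "Postgres connection string", "required": True},
    "SENTRY_DSN": {"description": "Error reporting endpoint", "required": False},
}


def parse_dotenv(text):
    """Minimal KEY=VALUE parser for a dotenv-style provider file."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def resolve(declared, providers):
    """Look each declared secret up in the providers; the first provider that
    has it wins. Returns (secrets, missing): secrets maps name -> value for
    every secret found, missing lists required secrets nobody could supply."""
    secrets, missing = {}, []
    for name, spec in declared.items():
        for provider in providers:
            if name in provider:
                secrets[name] = provider[name]
                break
        else:
            if spec.get("required", False):
                missing.append(name)
    return secrets, missing


def child_environment(secrets, base=None):
    """Environment for the child: the inherited environment plus only the
    declared secrets. The caller's own os.environ is never modified."""
    env = dict(os.environ if base is None else base)
    env.update(secrets)
    return env


def run_with_secrets(command, declared, providers):
    """Resolve the declared secrets and run `command` with them; refuse to
    start if a required secret is missing."""
    secrets, missing = resolve(declared, providers)
    if missing:
        raise SystemExit("missing required secrets: " + ", ".join(sorted(missing)))
    return subprocess.run(command, env=child_environment(secrets), check=True)


if __name__ == "__main__":
    # Constructed dotenv provider content for the demo; SENTRY_DSN is left unset.
    dotenv = parse_dotenv('DATABASE_URL="postgres://app@db/app"\n# SENTRY_DSN unset\n')
    # Provider precedence (an assumption): the real environment first, then dotenv.
    probe = "import os; print({k: k in os.environ for k in ('DATABASE_URL', 'SENTRY_DSN')})"
    run_with_secrets([sys.executable, "-c", probe], DECLARED, [os.environ, dotenv])
    # The parent process never gained the secret, only the child did.
    print("parent has DATABASE_URL:", "DATABASE_URL" in os.environ)
```

Run it as a script to see the child report DATABASE_URL present and SENTRY_DSN absent while the parent stays clean. Missing required secrets are surfaced as a launch failure, which is the check you want in CI rather than a half-configured process.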

Configuration (Optional)

If you do need secrets in your devenv environment:

devenv.yaml
secretspec:
  enable: true
  provider: keyring  # keyring, dotenv, env, 1password, lastpass
  profile: default   # profile from secretspec.toml

Then access them in devenv.nix:

devenv.nix
{ config, ... }:

{
  # falls back to an empty string when the secret is not provided
  env.DATABASE_URL = config.secretspec.secrets.DATABASE_URL or "";
}

Learn More