Secret Management with Doppler

NextDeploy is Doppler-first for managing secrets: no .env files on disk, no secrets committed to git, just an encrypted store that injects values into the process environment when the app starts.

Why Doppler?

  • 🔐 Encrypted - Secrets encrypted at rest and in transit
  • 🌍 Environment-scoped - separate dev, staging and prod configs
  • 👥 Team-friendly - Share secrets with teammates instead of pasting them into chat
  • 🔄 Auto-sync - Update a secret in Doppler without a redeploy; a running process still keeps the environment it started with, so restart it (or re-run it under doppler run) to pick up the new value
  • 📊 Audit logs - Track who changed what, and when

Setup

1. Create Doppler Account

Sign up at doppler.com (free tier available).

2. Install Doppler CLI

# macOS
brew install dopplerhq/cli/doppler

# Linux
# Piping a remote script into sh: at least pin the transport (or download the script, read it, then run it)
curl -Ls --proto "=https" --tlsv1.2 https://cli.doppler.com/install.sh | sh

# Windows
scoop install doppler

3. Login

doppler login

4. Create Project

doppler projects create my-app

5. Pick a Config for This Directory

doppler projects create already made the dev, stg and prd configs. doppler setup does not create environments; it records which project and config the current directory uses (stored under your home directory, not in the repo). Run it for the config you are working in:

# Development
doppler setup --project my-app --config dev

# Staging
doppler setup --project my-app --config stg

# Production
doppler setup --project my-app --config prd

Adding Secrets

Via CLI

# Switch to production config
doppler setup --project my-app --config prd

# Add secrets. Values typed here end up in your shell history: under bash, prefix the
# command with a space while HISTCONTROL=ignorespace is set, or enter high-value keys
# through the dashboard instead.
doppler secrets set DATABASE_URL="postgresql://..."
doppler secrets set API_KEY="sk_live_..."
doppler secrets set STRIPE_SECRET="sk_..."

Via Dashboard

  1. Go to dashboard.doppler.com
  2. Select your project
  3. Select environment (dev/stg/prd)
  4. Click "Add Secret"
  5. Enter name and value

Using Secrets Locally

Development

# Run Next.js with Doppler
doppler run -- npm run dev

# Or export into the current shell. Wrap the eval in set -a so the variables are exported
# rather than left as plain shell variables. Values containing spaces or shell metacharacters
# do not survive env-no-quotes, and every process started from this shell now inherits the
# secrets, so prefer doppler run.
set -a; eval "$(doppler secrets download --no-file --format env-no-quotes)"; set +a
npm run dev

Build with Secrets

doppler run -- nextdeploy build

Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle at build time, so never give a secret that prefix; all other variables stay on the server.
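The build step is where a server secret can slip into the client bundle. The shell function below is added here as an illustration, not code from NextDeploy or Doppler: it greps the browser-served build output for every secret value Doppler knows about. It assumes the secrets arrive on stdin in the KEY="value" form that `doppler secrets download --no-file --format env` prints, and that browser files live under `.next/static` (both assumptions are restated in the code); the demo input is constructed.

```shell
#!/bin/sh
# Added example, not part of NextDeploy or Doppler: after a build, confirm that no
# secret value was inlined into the files Next.js serves to browsers.
# Assumptions: secrets arrive on stdin as KEY="value" or KEY=value lines (what
# `doppler secrets download --no-file --format env` prints), and the browser-served
# output lives under .next/static (server-only code is under .next/server).

# check_client_bundle BUILD_DIR  < secrets.env
# Prints "LEAKED: KEY" for each secret whose value occurs in BUILD_DIR; returns 1 if any did.
check_client_bundle() {
  build_dir=$1
  leaked=0
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac        # skip blanks and comments
    key=${line%%=*}
    value=${line#*=}
    value=${value#\"}; value=${value%\"}            # drop the quotes the env format adds
    [ ${#value} -ge 12 ] || continue               # "true" or "5432" would match everywhere
    if grep -rqF -- "$value" "$build_dir" </dev/null; then
      echo "LEAKED: $key"
      leaked=1
    fi
  done
  return $leaked
}

# Constructed demo (fake build output, fake secret values), kept in a function so the
# file can also be sourced for the real check:
#   doppler secrets download --no-file --format env | check_client_bundle .next/static
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/static/chunks"
  # a server secret that a NEXT_PUBLIC_-style mistake pulled into a browser chunk
  printf 'var k="sk_live_EXAMPLE_1234567890";\n' > "$tmp/static/chunks/main.js"
  if printf 'STRIPE_SECRET_KEY="sk_live_EXAMPLE_1234567890"\nNODE_ENV="production"\n' |
     check_client_bundle "$tmp/static"; then
    rc=0
  else
    rc=$?
  fi
  rm -rf "$tmp"
  return $rc
}
```

Run it right after the build in CI; a non-zero exit fails the pipeline before the bundle is shipped. Short values are skipped on purpose: a port number or "production" appears in any bundle and would only produce noise.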

Using Secrets in Production

Method 1: Doppler Service Token (Recommended)

  1. Generate a service token for the prd config. Service tokens are read-only and scoped to one config, so this one can never read dev or stg, nor write anything:
    doppler configs tokens create production --project my-app --config prd --plain
  2. Add it to the server. Quote the remote command so the pipe and sudo tee run on the server rather than on your own machine:
    ssh deploy@your-server 'echo "DOPPLER_TOKEN=dp.st.xxx" | sudo tee -a /etc/environment'
    /etc/environment is readable by every local account (mode 0644); on a shared host put the token somewhere only the deploy service's user can read. The token also lands in your local shell history, so remove that line afterwards.
  3. Update nextdeploy.yml:
    secrets:
      provider: doppler
      project: my-app
      config: prd
  4. Deploy:
    nextdeploy ship

Common Secrets

Database

doppler secrets set DATABASE_URL="postgresql://user:pass@host:5432/db"
doppler secrets set REDIS_URL="redis://localhost:6379"

Authentication

doppler secrets set NEXTAUTH_SECRET="your-secret-here"   # placeholder: use at least 32 random bytes from a CSPRNG, never a phrase you typed
doppler secrets set NEXTAUTH_URL="https://myapp.com"
doppler secrets set GITHUB_CLIENT_ID="..."
doppler secrets set GITHUB_CLIENT_SECRET="..."

APIs

doppler secrets set STRIPE_SECRET_KEY="sk_live_..."
doppler secrets set SENDGRID_API_KEY="SG...."
doppler secrets set AWS_ACCESS_KEY_ID="..."
doppler secrets set AWS_SECRET_ACCESS_KEY="..."

Best Practices

1. Never Commit Secrets

# .gitignore
.env
.env.*
!.env.example
master.key
*.encrypted
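A .gitignore keeps whole files out, but a key pasted into a source file still goes through. The pre-commit hook below is added here as an example and is not part of NextDeploy: it scans staged files for credential shapes and refuses the commit on a hit. The four patterns, the `~` rule separator and the skip for .env.example are my assumptions, chosen to match the secret types on this page; the demo input is constructed.

```shell
#!/bin/sh
# Added example, not NextDeploy's own code: a pre-commit hook that refuses the commit
# when a staged file contains something shaped like a live credential.
# Assumptions: the patterns cover the secret types used on this page (Stripe live keys,
# Doppler service tokens, AWS access key IDs, connection URLs with an embedded password);
# add rules for your own providers. Files named .env.example hold placeholders and are skipped.

# scan_for_secrets FILE...   prints "file:line:text  [reason]" per hit, returns 1 if any.
scan_for_secrets() {
  found=$(
    for f in "$@"; do
      [ -f "$f" ] || continue
      case $f in *.env.example) continue ;; esac
      # rule format: ERE~label ('~' never occurs in the patterns)
      for rule in \
        'sk_live_[A-Za-z0-9]{8,}~Stripe live secret key' \
        'dp\.st\.[A-Za-z0-9._-]{8,}~Doppler service token' \
        'AKIA[0-9A-Z]{16}~AWS access key ID' \
        '(postgres(ql)?|redis|mysql)://[^:/ ]+:[^@ ]+@~connection URL with embedded password'
      do
        pattern=${rule%%~*}
        label=${rule#*~}
        grep -nE -- "$pattern" "$f" | sed "s|^|$f:|; s|\$|  [$label]|"
      done
    done
  )
  [ -n "$found" ] || return 0
  printf '%s\n' "$found"
  return 1
}

# Installed as .git/hooks/pre-commit this scans the staged files (paths containing
# spaces would need xargs -0; kept simple here).
case ${0##*/} in
  pre-commit) scan_for_secrets $(git diff --cached --name-only --diff-filter=ACM) ;;
esac
```

Treat this as a last line of defence, not a substitute for keeping secrets in Doppler: it only knows the shapes you teach it, and a key that is already in history needs rotation, not just removal from the tree.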

2. Use .env.example

# .env.example
DATABASE_URL=postgresql://localhost/myapp_dev
API_KEY=your_api_key_here
STRIPE_SECRET=sk_test_...

3. Rotate Secrets Regularly

Rotation is more than one command: issue the new credential at the provider, store it in Doppler, restart so the app picks it up, then revoke the old credential at the provider. Until that last step both keys work, so a leaked old key is still live.

# Store the new credential
doppler secrets set API_KEY="new_key_here"

# Restart app to pick up changes (a running process keeps the environment it started with)
nextdeploy restart

Troubleshooting

Secrets not loading

# Check which project and config this directory is pinned to
doppler configure get

# Download secrets to verify. This prints every value in clear text, so only do it
# in a terminal nobody else can see or record.
doppler secrets download --no-file

Invalid token

# Re-login
doppler login

# Verify setup
doppler setup