Skip to content
Soup

Secrets

The Secrets module replaces tools like Doppler, Infisical, and Vault for application secrets management.

Features

Section titled “Features”
  • Environment inheritance - Create basedevelopmentstagingproduction hierarchies
  • Variable references - Use ${OTHER_VAR} to build values from other secrets
  • Encrypted storage - AES-256-GCM encryption at rest
  • Export formats - Shell, JSON, YAML, .env files
  • Version history - Track changes over time

Quick Start

Section titled “Quick Start”
Terminal window
# Create a project
soup secrets project create my-app


# Create environments with inheritance
soup secrets env create my-app base
soup secrets env create my-app development --parent base
soup secrets env create my-app staging --parent development
soup secrets env create my-app production --parent base


# Set secrets
soup secrets set my-app base DATABASE_HOST localhost
soup secrets set my-app base DATABASE_PORT 5432
soup secrets set my-app base DATABASE_URL 'postgres://${DATABASE_HOST}:${DATABASE_PORT}/myapp'


# Override for production
soup secrets set my-app production DATABASE_HOST prod-db.internal


# Export for your app
eval $(soup secrets export my-app production)
echo $DATABASE_URL
# postgres://prod-db.internal:5432/myapp

Environment Inheritance

Section titled “Environment Inheritance”

Environments can inherit from parent environments. Child environments get all parent secrets, and can override specific values.

base
├── development (inherits from base)
│   └── staging (inherits from development)
└── production (inherits from base)

When you get secrets from staging:

  1. Start with base secrets
  2. Apply development overrides
  3. Apply staging overrides

Variable References

Section titled “Variable References”

Use ${VAR_NAME} syntax to reference other secrets:

Terminal window
soup secrets set my-app base DB_HOST localhost
soup secrets set my-app base DB_PORT 5432
soup secrets set my-app base DB_USER admin
soup secrets set my-app base DB_PASS secret
soup secrets set my-app base DATABASE_URL 'postgres://${DB_USER}:${DB_PASS}@${DB_HOST}:${DB_PORT}/myapp'

References are resolved at export time, so changing DB_HOST automatically updates DATABASE_URL.

CLI Commands

Section titled “CLI Commands”
Terminal window
# Projects
soup secrets project create <name>
soup secrets project list
soup secrets project delete <name>


# Environments
soup secrets env create <project> <name> [--parent <parent>]
soup secrets env list <project>
soup secrets env delete <project> <name>


# Secrets
soup secrets set <project> <env> <key> <value>
soup secrets get <project> <env> <key>
soup secrets delete <project> <env> <key>
soup secrets list <project> <env>


# Export
soup secrets export <project> <env> [--format shell|json|yaml|dotenv]
soup secrets run <project> <env> -- <command>

API

Section titled “API”

See the Secrets API reference for HTTP endpoints.

Pricing

Section titled “Pricing”
TierLimits
Free3 projects, 100 secrets
StandardUnlimited ($1/user/month)
Self-hostedUnlimited (free)