Secrets are encrypted environment values for build steps and Rust Workers. They are never served to static frontends and must never be committed.

Agent commands

tovuk env list --service service_1 --json
tovuk env set --service service_1 STRIPE_SECRET_KEY=sk_live_xxx --json
tovuk env delete --service service_1 STRIPE_SECRET_KEY --json

API

  • GET /v1/services/{service_id}/env
  • PUT /v1/services/{service_id}/env
  • DELETE /v1/services/{service_id}/env/{name}
Secret values are write-only. List responses show names and metadata, not plain secret values.

Dashboard

The dashboard Secrets view is available at https://tovuk.com/account/secrets or https://tovuk.com/<handle>/secrets. It lists secret names, stores write-only secret values, and deletes secrets through the same API routes and rate limits as the CLI.

Meters and caps

Secrets have no direct usage meter. Worker and build activity still count against their normal meters.

Rules

  • Put secrets in Tovuk env vars, not in source control.
  • Do not print secrets in logs.
  • Do not expose secrets to browser code.
  • Rotate secrets after accidental disclosure.
  • Use separate keys for development, staging, and production Services.

Agent loop

1. Find the missing env name
   Check logs and tovuk.toml for missing env names.

2. Ask only when needed
   Ask the human for a secret only when it is not available from their secure local environment.

3. Store the secret
   Store the secret with tovuk env set.

4. Verify without printing
   Deploy and verify the Worker without printing the value.
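
Steps 1 to 3 of the agent loop as shell functions that report only names and a status word, never a value. This is an added example, not Tovuk's own code. The function names, the status words, and the one-name-per-line input to missing_names are assumptions; only the tovuk env set command form comes from this page.

```shell
#!/bin/sh
# Added example (not from the Tovuk docs). Assumption: the caller has already
# extracted the stored names from `tovuk env list --json` into one name per
# line; the response shape is not shown on the page, so it is not parsed here.

# Step 1: print each required name (arguments) that is not in the stored
# names (stdin, one per line).
missing_names() {
    stored=$(cat)
    for name in "$@"; do
        printf '%s\n' "$stored" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Steps 2-3: store NAME from the local environment when it is set there.
# Prints "stored NAME", "ask-human NAME", "failed NAME" or "invalid-name".
# Return codes: 0 stored, 1 ask the human, 2 invalid name, 3 CLI failure.
store_from_local_env() {
    service=$1 name=$2
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid-name"; return 2 ;;
    esac
    eval "value=\${$name-}"   # safe: $name was validated as an identifier
    if [ -z "$value" ]; then
        echo "ask-human $name"; return 1
    fi
    # Documented command form. Its output is discarded so that nothing the CLI
    # prints can carry the value into the agent's log. The NAME=value form puts
    # the value on the command line, which on most Unix systems other local
    # processes can read while the command runs; do not run this under `set -x`.
    rc=0
    tovuk env set --service "$service" "$name=$value" --json >/dev/null 2>&1 || rc=3
    unset value
    if [ "$rc" -eq 0 ]; then echo "stored $name"; else echo "failed $name"; fi
    return "$rc"
}

# Usage (service id and secret name are the ones used on this page):
#   printf '%s\n' "$stored_names" | missing_names STRIPE_SECRET_KEY |
#   while read -r n; do store_from_local_env service_1 "$n"; done
```

An "ask-human" result is the only case in which step 2 should prompt the human.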
Last modified on June 3, 2026