What is a Secret?
Any credential whose compromise would lead to abuse: API keys, database passwords, signing secrets, private keys.
Full explanation
Secrets management is the discipline of storing, accessing, rotating, and auditing these values. Tier-by-tier recommendations: Tier 0 (in code) is unsafe; Tier 1 (committed .env) is unsafe; Tier 2 (injected env vars) is the minimum; Tier 3 (secrets manager) is the standard; Tier 4 (short-lived credentials via OIDC) is the gold standard.
Example
A Stripe secret key (sk_live_...), a Supabase service-role JWT, a SendGrid API key — all secrets. An OpenAI API key is a secret. A Google publishable tag is not a secret.
FAQ
Is a Stripe publishable key a secret?
No. Publishable keys are designed to ship client-side. Secret keys (sk_*) and restricted keys (rk_*) must never ship client-side.
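A check for the two unsafe tiers above, as an added example that is not part of the original page: it scans repository files for Stripe secret (sk_) and restricted (rk_) keys, labels each hit Tier 0 or Tier 1 by file name, and ignores publishable (pk_) keys. The function names, the file-name rule for Tier 1, and the sample contents are assumptions; the key values are constructed.

```python
import re
from pathlib import PurePosixPath

# sk_ (secret) and rk_ (restricted) keys must stay server-side.
# pk_ (publishable) keys are designed to ship client-side and are not flagged.
STRIPE_SERVER_KEY = re.compile(r"\b((?:sk|rk)_(?:live|test)_)([A-Za-z0-9]{8,})")


def tier_for(path: str) -> str:
    """Map a file path to the unsafe tier it represents (assumed rule)."""
    name = PurePosixPath(path).name
    if name == ".env" or name.startswith(".env."):
        return "Tier 1 (committed .env)"
    return "Tier 0 (in code)"


def scan(files: dict[str, str]) -> list[dict]:
    """Return one finding per server-side Stripe key found in the given files."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in STRIPE_SERVER_KEY.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "tier": tier_for(path),
                    # Report only the prefix so the scanner never echoes a key.
                    "key": match.group(1) + "****",
                })
    return findings


# Constructed sample repository contents; every key value here is made up.
SAMPLE = {
    "src/billing.py": 'stripe.api_key = "sk_live_EXAMPLEexample0001"\n',
    ".env": "STRIPE_KEY=rk_live_EXAMPLEexample0002\n",
    "web/checkout.js": 'const stripe = Stripe("pk_live_EXAMPLEexample0003");\n',
    # Tier 2 style: the value is injected at runtime, nothing to flag.
    "src/config.py": 'import os\nSTRIPE_KEY = os.environ["STRIPE_KEY"]\n',
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['path']}:{f['line']}: {f['key']} -> {f['tier']}")
```

Any key this reports has already been exposed to everyone with repository access, so rotate it rather than only deleting the line.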