Coder Secrets Management
Securely manage API keys, passwords, and other sensitive data in your workspaces.
What are Secrets?
Secrets are sensitive values such as:
- API keys (GitHub, Stripe, etc.)
- Database passwords
- Private tokens
- SSH keys
- OAuth credentials
- Encryption keys
Never hardcode secrets in code!
Adding Secrets to Workspace
Store in Workspace
- Click workspace
- Click Settings
- Click Secrets
- Click Add Secret
- Enter details:
  - Name: GITHUB_TOKEN
  - Value: ghp_abc123...
  - Type: Token
- Click Save
Now available in workspace.
Secret Types
Token
- API keys
- Auth tokens
- OAuth credentials
Password
- Database passwords
- Service passwords
- Admin passwords
Key
- SSH private keys
- Encryption keys
- RSA keys
File
- Private certificate
- Configuration file
- Binary data
Using Secrets in Code
Environment Variables
Access secrets as environment variables:
```bash
# In terminal
echo $GITHUB_TOKEN
# Output: ghp_abc123...

# In a shell script
export TOKEN=$GITHUB_TOKEN
```
Node.js
```javascript
// Top-level await requires an ES module (.mjs or "type": "module")
const token = process.env.GITHUB_TOKEN;
// Fetch from GitHub
const response = await fetch('https://api.github.com/user', {
  headers: {
    'Authorization': `token ${token}`
  }
});
```
Python
```python
import os
import requests

token = os.environ.get('GITHUB_TOKEN')
# Use in request
headers = {
    'Authorization': f'token {token}'
}
response = requests.get('https://api.github.com/user', headers=headers)
```
Bash
```bash
#!/bin/bash
TOKEN=$GITHUB_TOKEN
# Use token
curl -H "Authorization: token $TOKEN" \
  https://api.github.com/user
```
Secret Security
Encryption
Secrets stored:
- ✓ Encrypted at rest (AES-256)
- ✓ Encrypted in transit (HTTPS)
- ✓ Not visible in workspace
- ✓ Not saved in logs
- ✓ Not backed up as plain text
Access Control
Only you can:
- ✓ Add secrets
- ✓ Use secrets
- ✓ View secret names (not values)
- ✓ Delete secrets
Others (even with workspace access):
- ✗ Can't see secret values
- ✗ Can't extract secrets from code
- ✗ Secrets only work in that workspace
Audit Trail
Every secret access is logged:
```text
2024-06-12 14:30:22 - Secret created: GITHUB_TOKEN
2024-06-12 14:31:01 - Secret used: GITHUB_TOKEN (app.js:12)
2024-06-12 15:45:30 - Secret accessed: DATABASE_URL
2024-06-12 16:00:00 - Secret updated: GITHUB_TOKEN
```
Common Secrets to Store
GitHub Integration
Secret: GITHUB_TOKEN
Value: ghp_abc123...
Used for: Clone private repos, push code
Database Connection
Secret: DATABASE_URL
Value: postgresql://user:pass@host:5432/db
Used for: Connect to production database
API Credentials
Secret: STRIPE_API_KEY
Value: sk_live_abc123...
Secret: MAILGUN_API_KEY
Value: key_abc123...
Used for: Billing, email sending
SSH Keys
Secret: SSH_PRIVATE_KEY
Type: File (paste SSH key content)
Used for: SSH into other servers
Environment Config
Secret: NODE_ENV
Value: production
Secret: DEBUG
Value: false
Used for: App configuration
Best Practices
Secret Naming
Use clear, descriptive names:
Good:
- GITHUB_TOKEN
- DATABASE_PASSWORD
- STRIPE_API_KEY
- AWS_SECRET_ACCESS_KEY
Avoid:
- secret123
- key
- password1
- temp
Secret Rotation
Rotate regularly:
- Generate new secret
- Update in Coder
- Update the service (GitHub, etc.)
- Test that the new secret works
- Delete old secret
Example schedule:
- API keys: Every 90 days
- Passwords: Every 6 months
- OAuth tokens: As needed (they expire)
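An added example (not from the Coder docs) that applies the rotation schedule above to a constructed list of secret metadata and reports which secrets are overdue. It assumes "every 6 months" means 180 days and that OAuth tokens are skipped because they expire on their own; only names, types and timestamps are handled, never values.

```javascript
// Added example (not from the Coder docs): check which stored secrets are past
// the rotation schedule given on this page. Secret metadata is constructed inline.
const ROTATION_DAYS = {
  token: 90,      // "API keys: every 90 days"
  password: 180,  // "Passwords: every 6 months" (assumed to mean 180 days)
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Returns the secrets that are due for rotation, oldest first.
// `now` is injectable so the check is deterministic in tests.
function findOverdueSecrets(secrets, now = new Date()) {
  return secrets
    .map((s) => {
      const maxAge = ROTATION_DAYS[s.type];
      if (maxAge === undefined) return null; // OAuth tokens: rotate "as needed"
      const ageDays = Math.floor((now - new Date(s.updatedAt)) / MS_PER_DAY);
      return ageDays > maxAge ? { name: s.name, ageDays, maxAge } : null;
    })
    .filter(Boolean)
    .sort((a, b) => b.ageDays - a.ageDays);
}

// Constructed sample metadata; only names, types and timestamps, never values.
const SAMPLE_SECRETS = [
  { name: 'GITHUB_TOKEN', type: 'token', updatedAt: '2024-06-12T16:00:00Z' },
  { name: 'DATABASE_PASSWORD', type: 'password', updatedAt: '2024-01-01T00:00:00Z' },
  { name: 'STRIPE_API_KEY', type: 'token', updatedAt: '2024-02-01T00:00:00Z' },
  { name: 'OAUTH_ACCESS_TOKEN', type: 'oauth', updatedAt: '2023-01-01T00:00:00Z' },
];

const overdue = findOverdueSecrets(SAMPLE_SECRETS, new Date('2024-09-01T00:00:00Z'));
for (const s of overdue) {
  console.log(`${s.name}: ${s.ageDays} days old, limit ${s.maxAge} days, rotate now`);
}
```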
Never Log Secrets
Don't write secrets to output:
```javascript
// ✗ BAD - DO NOT DO THIS
console.log('Token:', process.env.GITHUB_TOKEN);

// ✓ GOOD - Use safely
const token = process.env.GITHUB_TOKEN;
if (!token) {
  console.log('Error: GITHUB_TOKEN not set');
} else {
  console.log('Token loaded successfully');
}
```
Debugging Secrets
Secret Not Working
Check the secret name:
```bash
# Is the secret defined?
env | grep GITHUB
# If not shown, double-check the name
# It must exactly match the name used in code
# Case sensitive!
```
Secret Not Visible in Logs
This is correct! Secrets never appear in logs:
```bash
# Even if you echo it
echo $GITHUB_TOKEN
# Output: (blank)
# Logs show that the secret was used, not its value
```
Can't Use Secret
Error: "GITHUB_TOKEN not found"
Reasons:
1. Typo in secret name
2. Case mismatch
3. Secret not added to this workspace
4. Terminal needs restart
Fix:
1. Check spelling exactly
2. Verify in workspace settings
3. Restart terminal or workspace
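An added example (not from the Coder docs) that combines the two points above: it loads the secrets a workspace needs from the environment, reports a missing one with a hint when a variable differs only by case, and never writes a secret value to the log, only a redacted form. The `SAMPLE_ENV` values and the helper names are constructed for illustration.

```javascript
// Added example (not from the Coder docs): load the secrets a workspace needs
// from process.env, report what is missing with a case-mismatch hint, and
// return only redacted values suitable for logging.
function redact(value) {
  if (typeof value !== 'string' || value.length === 0) return '(unset)';
  // Keep a short prefix so the secret kind (ghp_, sk_live_) is recognisable.
  return value.slice(0, 4) + '*'.repeat(Math.max(0, value.length - 4));
}

// env is injectable for tests; defaults to the real process environment.
function loadSecrets(required, env = process.env) {
  const found = {};
  const missing = [];
  const hints = {};
  const lowerNames = new Map(Object.keys(env).map((k) => [k.toLowerCase(), k]));
  for (const name of required) {
    const value = env[name];
    if (value) {
      found[name] = value;
      continue;
    }
    missing.push(name);
    // "Case sensitive!": suggest a variable that differs only by case.
    const near = lowerNames.get(name.toLowerCase());
    if (near && near !== name) hints[name] = `found ${near}; names are case sensitive`;
  }
  return { found, missing, hints };
}

// Build log lines without ever including a secret value.
function describe(result) {
  const lines = Object.entries(result.found).map(([k, v]) => `${k}: ${redact(v)}`);
  for (const name of result.missing) {
    lines.push(`${name}: MISSING${result.hints[name] ? ' (' + result.hints[name] + ')' : ''}`);
  }
  return lines;
}

// Constructed environment; the values are placeholders, not real credentials.
const SAMPLE_ENV = {
  GITHUB_TOKEN: 'ghp_abc123def456',
  database_url: 'postgresql://user:pass@host:5432/db',
};

const status = loadSecrets(['GITHUB_TOKEN', 'DATABASE_URL', 'STRIPE_API_KEY'], SAMPLE_ENV);
for (const line of describe(status)) console.log(line);
```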
Sharing Workspace with Secrets
Important Security Note
When sharing workspace:
With View permission:
- Can see your code
- Can NOT see secret values
- Can NOT use secrets
- Secrets invisible to them
With Edit permission:
- Can see your code
- Can run code that uses the secrets
- Can NOT see secret values directly
- Any code they run in the shared workspace can use the secrets
With Admin permission:
- Can see everything including secrets
- Only share with trusted people!
Credential Leak Prevention
Even if the code is shared:
```javascript
// Code visible to reviewer:
const token = process.env.GITHUB_TOKEN;
fetch('https://api.github.com/user', {
  headers: { 'Authorization': `token ${token}` }
});
// Reviewer sees the code but NOT the token value
// Only the variable name shows
```
Workspace Template Secrets
Pre-populate Secrets
Template maintainers can suggest needed secrets:
When creating workspace from template:
"This template needs these secrets:"
- GITHUB_TOKEN
- DATABASE_URL
- API_KEY
The user must add these manually.
Security: each new user adds their own credentials; the template carries only the secret names.
Documentation
Document the needed secrets:
```markdown
# My Template
Requires these secrets:
- GITHUB_TOKEN: GitHub API token for private repos
- DATABASE_URL: PostgreSQL connection string
- STRIPE_API_KEY: Stripe API key for payments

To use:
1. Create workspace
2. Go to Settings > Secrets
3. Add the above secrets
4. Restart terminal
5. Ready to use!
```
Export and Backup
Can't Export Secrets
For security, you can't:
- Export all secrets
- See all secret values
- Backup secrets as plain text
You can:
- ✓ Delete and re-create (if you have values)
- ✓ List secret names (not values)
- ✓ Rotate and update
Advanced: Custom Secret Service
Store in External Service
For enterprise teams:
- Use HashiCorp Vault
- Or AWS Secrets Manager
- Or Azure Key Vault
- Workspace fetches at startup
```bash
# At workspace startup: fetch a JSON object of secrets from the internal
# secret service and export each key=value pair into the current shell.
# Process substitution (not a pipe) keeps the exports in this shell;
# -f makes curl fail on HTTP errors instead of exporting an error body.
while IFS='=' read -r key value; do
  export "$key=$value"
done < <(curl -fsS https://vault.company.com/api/secret \
  -H "Auth: $VAULT_TOKEN" \
  | jq -r 'to_entries | .[] | "\(.key)=\(.value)"')
```
Related Topics
- API Keys - Manage account API keys
- Coder Workspaces - Create workspaces
- Activity Logs - See secret usage