Feature
Secrets done the boring, correct way.
Encrypted env vars, one dialog to set, process.env to read. No KMS integration, no vault to learn, no plaintext in your repo.
export default async function (req) {
const res = await fetch("https://api.stripe.com/v1/charges", {
headers: { Authorization: `Bearer ${process.env.STRIPE_SECRET_KEY}` }
});
return res.json();
}How secrets work
Open a function, click Secrets, paste a name and value. The value is encrypted with a per-account key and stored in the database. On invocation, the worker that runs the function decrypts it into an environment variable that lives for the length of the request. It never appears in logs, never in build output, never in Git.
We intentionally do not support shared secret stores or cross-function inheritance. Every function declares what it needs. If that is annoying for one of your workflows, let us know — we would rather hear the use case than default to magic.
Rotation and audit
You can rotate a secret any time by editing it in the dashboard. The next invocation picks up the new value; there is no redeploy. The dashboard also shows the last time a secret was read, so you can see which functions are still live-dependent on a value before you rotate it.
Encrypted at rest
Secrets are stored encrypted. Values are decrypted only on the worker that runs the function, and only for the duration of the invocation.
Scoped per function
A secret belongs to one function. Sharing a Stripe key between two functions means adding it to both — intentionally.
Rotate without deploy
Update a secret value and the next invocation picks it up. No redeploy, no cache bust, no downtime.
Paste a key. Ship.
Stop worrying about where secrets live. nvoke handles the boring part.