
Secrets management — where to actually store your API keys

Not hard-coded. Not in committed .env files. Not in localStorage. Here is the 2026 guide to storing and accessing secrets in a small-team Node.js / Python app.

Where you store secrets determines how badly a leak hurts and how fast you can recover. This guide covers five tiers of secret storage, Tier 0 (worst) to Tier 4 (best), with recommendations by team size.

What it is

A secret is any credential whose compromise would let someone act as you: API keys, database passwords, signing secrets, private keys. 'Secrets management' is where you store them, how your code reads them, who can rotate them, and how quickly a leaked one can be revoked.

Vulnerable example

// Tier 0: hard-coded in source
const stripeKey = "sk_live_...";

// Tier 1: in a .env file that is committed to the repo
// .env
STRIPE_SECRET_KEY=sk_live_...

// Both leak the moment the repo or its history is exposed (a public push, a
// contractor's clone, a CI log). Deleting the line later does not help: the
// value stays in git history, and the key must be rotated.

Fixed example

// Tier 2: environment variables injected at runtime by the platform (Vercel, Fly, Railway)
const stripeKey = process.env.STRIPE_SECRET_KEY!;
// The `!` only satisfies the type checker; check the value at startup and fail fast if it is missing.
// .env and .env.local are in .gitignore; only .env.example (names, no values) is committed.

// Tier 3: secrets manager (1Password, Doppler, Vault). The app fetches at startup,
// every read is logged, and rotation happens in one place.
import { getSecret } from "./secrets";
const stripeKey = await getSecret("STRIPE_SECRET_KEY");

// Tier 4: short-lived credentials via OIDC / Workload Identity
// No long-lived secret is stored anywhere: the workload proves its identity to the
// provider and receives tokens that expire in minutes or hours.
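The Tier 2 and Tier 3 snippets above both end with a raw string in a variable, which is where most accidental leaks start (a `console.log(config)`, an error report, a JSON dump). The following is an added example, not code from the original page or from any of the products it names: a startup loader that reads from a plain object (`process.env` in production, a manager client's export, or a fixture in tests), refuses to start on missing or placeholder values, reports names but never values, and wraps each value so it cannot leak through logs or JSON by accident. The `loadSecrets` function, the spec format, the `Secret` class and the demo environment are this example's own conventions, not a library API.

```javascript
// Added example (not from the original page). Values that only ever appear
// in .env.example and must never reach production.
const PLACEHOLDER = /^(\.\.\.|changeme|todo|xxx+|<[^>]*>|\w*_\.\.\.)$/i;

class Secret {
  #value;
  constructor(name, value) {
    this.name = name;
    this.#value = value;
  }
  // The only way to get the raw value; grep for "reveal(" in code review.
  reveal() { return this.#value; }
  // String coercion, JSON.stringify and console.log all get the name only.
  toString() { return `[Secret ${this.name}]`; }
  toJSON() { return this.toString(); }
  [Symbol.for("nodejs.util.inspect.custom")]() { return this.toString(); }
}

// spec: { NAME: { required?: boolean, pattern?: RegExp } }
function loadSecrets(env, spec) {
  const problems = [];
  const out = {};
  for (const [name, rule] of Object.entries(spec)) {
    const raw = env[name];
    if (typeof raw !== "string" || raw.trim() === "") {
      if (rule.required !== false) problems.push(`${name}: missing`);
      continue;
    }
    if (PLACEHOLDER.test(raw.trim())) {
      problems.push(`${name}: placeholder value from .env.example`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(raw)) {
      problems.push(`${name}: does not look like a valid credential`);
      continue;
    }
    out[name] = new Secret(name, raw);
  }
  // Names only, never values, so the error is safe to log and to page on.
  if (problems.length) {
    throw new Error(`secret configuration invalid:\n  ${problems.join("\n  ")}`);
  }
  return Object.freeze(out);
}

const STRIPE_SHAPE = /^sk_(live|test)_[0-9A-Za-z]{24,}$/;

// Illustrative spec. The optional _PREVIOUS entry is what lets you rotate the
// Stripe key with overlap: deploy with both, switch, then drop the old one.
const SPEC = {
  STRIPE_SECRET_KEY: { pattern: STRIPE_SHAPE },
  STRIPE_SECRET_KEY_PREVIOUS: { required: false, pattern: STRIPE_SHAPE },
  DATABASE_URL: { pattern: /^postgres(ql)?:\/\// },
};

// Constructed environment for the demo; in production pass process.env.
// The key is a fake placeholder shaped like a real one.
const DEMO_ENV = {
  STRIPE_SECRET_KEY: "sk_live_EXAMPLEEXAMPLE00000000000000",
  DATABASE_URL: "postgres://app:pw@db.internal:5432/app",
};

function demo() {
  const secrets = loadSecrets(DEMO_ENV, SPEC);
  return {
    rendered: String(secrets.STRIPE_SECRET_KEY),
    json: JSON.stringify(secrets),
    revealed: secrets.STRIPE_SECRET_KEY.reveal(),
  };
}
```

Call `loadSecrets(process.env, SPEC)` once at process start, before any server listens, and pass `Secret` objects (not strings) through the rest of the app; the one place that hands the key to the Stripe client calls `reveal()`. A Tier 3 setup changes only the first argument: fetch the names in `SPEC` from the manager into a plain object and pass that instead.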

How Securie catches it

Securie's secret scanner flags Tier 0 and Tier 1 findings immediately: hard-coded values in source and committed .env files. It also checks that production actually runs at Tier 2 or above by scanning the deployed bundle for strings that match known secret formats (a `sk_live_` prefix, an AWS access key ID, a private-key header and similar).
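To make the detection concrete, here is an added example of the same kind of check written as a pre-commit or CI guard. It is not Securie's code and not from the original page: the patterns cover a few well-known key formats plus a generic "high-entropy value assigned to a secret-looking name" rule, it refuses any staged `.env*` file other than `.env.example`, and it redacts what it finds so the report itself is safe to paste into a ticket. Function names, the pattern list and the staged files are this example's own, and the keys in the sample are fake placeholders shaped like real ones.

```javascript
// Added example (not Securie's code or the page's). Specific formats first;
// the generic rule only runs on lines where no specific format matched.
const SPECIFIC = [
  { kind: "stripe_secret_key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { kind: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "github_token", re: /\bghp_[0-9A-Za-z]{36}\b/g },
  { kind: "private_key", re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/g },
];
// name containing secret/token/api_key/password, then = or :, then a 20+ char value
const GENERIC = /\b[A-Za-z0-9_]*(?:secret|token|api_?key|password)[A-Za-z0-9_]*\s*[:=]\s*["']?([A-Za-z0-9+\/=_\-]{20,})["']?/gi;
const MIN_ENTROPY = 3.5; // bits per char; random credentials sit well above English text

// Shannon entropy of a string in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep a short prefix so a human can tell which key it is, hide the rest.
function redact(value) {
  return value.slice(0, 6) + "..." + "*".repeat(Math.min(value.length - 6, 8));
}

function scanText(path, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    let matchedSpecific = false;
    for (const { kind, re } of SPECIFIC) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        matchedSpecific = true;
        findings.push({ path, line: i + 1, kind, redacted: redact(m[0]) });
      }
    }
    if (matchedSpecific) return;
    GENERIC.lastIndex = 0;
    let m;
    while ((m = GENERIC.exec(line)) !== null) {
      if (entropy(m[1]) < MIN_ENTROPY) continue; // "changeme_please..." style values
      findings.push({ path, line: i + 1, kind: "generic_assignment", redacted: redact(m[1]) });
    }
  });
  return findings;
}

// .env files must never be committed, whatever they contain; .env.example may.
function isForbiddenPath(path) {
  const base = path.split("/").pop();
  if (base === ".env.example" || base === ".env.sample") return false;
  return base === ".env" || base.startsWith(".env.");
}

// files: [{ path, content }], i.e. what `git diff --cached` would give a hook.
function checkStaged(files) {
  const findings = [];
  for (const { path, content } of files) {
    if (isForbiddenPath(path)) {
      findings.push({ path, line: 0, kind: "env_file_committed", redacted: "" });
    }
    findings.push(...scanText(path, content));
  }
  return { blocked: findings.length > 0, findings };
}

// Constructed staged files for the demo.
const STAGED = [
  { path: "src/billing.js", content: 'const stripeKey = "sk_live_EXAMPLEEXAMPLE00000000000000";\n' },
  { path: ".env.example", content: "STRIPE_SECRET_KEY=sk_live_...\nDATABASE_URL=\n" },
  { path: ".env.local", content: "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n" },
  { path: "src/config.js", content: "const apiBase = process.env.API_BASE_URL;\n" },
];

function demoScan() {
  return checkStaged(STAGED);
}
```

The entropy threshold is what keeps the generic rule quiet on identifiers, URLs and `changeme` placeholders; tune it against your own repo rather than trusting the number. Whatever tool you use, the scanner is a backstop: once a real key has been committed anywhere, even to a branch you then delete, the only fix is rotation.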

Checklist

  • No secrets in source (Tier 0), ever
  • No secrets in committed .env files (Tier 1); .env and .env.local in .gitignore, only .env.example committed
  • Production uses platform-injected env vars (Tier 2) at minimum, with a startup check that fails fast when one is missing
  • Small teams on Tier 3 (Doppler / 1Password) so rotation and access logging live in one place
  • Regulated / larger teams on Tier 4 (Vault + OIDC + short-lived credentials)
  • Rotation automated and rehearsed (not 'we will rotate if someone leaves'), with a known owner per secret

FAQ

Is .env.local safe?

Only if it is in .gitignore and it has never been committed. Check the current tree and every other ref, since a file deleted from main can still live on a branch, tag or stash:

  git ls-files --error-unmatch .env.local   # non-zero exit means it is not tracked now
  git log --all --oneline -- .env.local     # any output means it was committed at some point

If it ever was, rotate every key it held; rewriting history does not revoke anything, and clones and forks keep the old commits. Safer still is to never keep .env.local on shared machines and to rely on injected env vars or a secrets manager for local development too.