Overview
The applad security secrets commands manage secret values for your projects. Secret keys are stored encrypted in the admin database. Values are never shown in terminal output — only key names are displayed. All secret operations are recorded in the audit trail.
Commands
applad security secrets list
Lists all secret keys currently set for the active project. Keys only — values are never shown in any output. Use this to audit which secrets are configured without exposing them.
applad security secrets set
Interactively sets a secret value. Prompts you to enter the value without echoing it to the terminal, so it never appears in shell history or logs. Stores it encrypted in the admin database.
applad security secrets rotate
Rotates a secret — sets a new value, updates any references to it, and records the rotation event in the audit trail. The old value is immediately invalidated.
applad security secrets delete
Permanently deletes a secret. Any config that references it via ${VAR} will fail to validate until a new value is set or the reference is removed.
Environment Variables
Environment variables and secrets work together in Applad. Every ${VAR} reference in your yaml files is tracked, and .env.example files are auto-generated.
applad env list
Lists all environment variable keys currently set for the active project. Values are never shown — keys only. This is intentional: secrets should never appear in terminal output.
applad env set
Sets an environment variable for the running instance. Takes effect immediately without requiring a restart.
applad env unset
Removes an environment variable from the running instance.
applad env validate
Checks that every ${VAR} reference in the config tree has a corresponding value set in the environment. Fails with a clear error message naming the missing variable and the exact config file that references it.
applad env generate
Scans all yaml files in the active project, extracts every ${VAR} reference, and generates a .env.example file annotated with which config file uses each variable, what format it expects, and whether it should be treated as a secret.
applad env diff
Shows the difference between the variables referenced in your config files and what’s actually set in your .env. Highlights variables that are referenced but missing, and variables that are set in .env but not referenced anywhere in the config (potential dead config).
applad env pull
Pulls the environment variables from the running instance down to a local .env file. Values are included. Use with care — the resulting .env file contains real secrets and should never be committed to version control. Applad’s .gitignore excludes .env files automatically.
applad env push
Pushes your local .env file to the running instance, setting all variables in one operation. Variables not present in the .env file are left unchanged on the instance.
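The comparison that applad env validate and applad env diff are described as performing above can also be run outside the tool, for example as a CI or pre-commit check. The Python below is an added example, not Applad's own code; the ${VAR} name pattern, the .yaml/.yml file selection and the sample project are assumptions, and it reports key names and file paths only, never values.

```python
import re
import tempfile
from pathlib import Path

# ${VAR} syntax as shown on this page; the allowed name characters are an assumption.
VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def referenced_vars(config_dir):
    """Map each ${VAR} name to the sorted yaml files (relative paths) that reference it."""
    refs, root = {}, Path(config_dir)
    for path in sorted(root.rglob("*.y*ml")):  # assumption: configs end in .yaml or .yml
        rel = path.relative_to(root).as_posix()
        for line in path.read_text(encoding="utf-8").splitlines():
            if not line.lstrip().startswith("#"):  # ignore whole-line yaml comments
                for name in VAR_REF.findall(line):
                    refs.setdefault(name, set()).add(rel)
    return {name: sorted(files) for name, files in refs.items()}

def dotenv_keys(env_path):
    """Return only the key names defined in a .env file; values are discarded."""
    keys = set()
    for line in Path(env_path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(re.sub(r"^export\s+", "", line.split("=", 1)[0]).strip())
    return keys

def env_diff(config_dir, env_path):
    """Return (missing, unused): referenced-but-unset names with files, set-but-unreferenced keys."""
    refs, keys = referenced_vars(config_dir), dotenv_keys(env_path)
    missing = {name: refs[name] for name in sorted(refs) if name not in keys}
    return missing, sorted(keys - set(refs))

# Constructed sample project: file names, variable names and values are made up.
SAMPLE = {
    "auth/providers.yaml": "github:\n  client_secret: ${GITHUB_CLIENT_SECRET}\n",
    "mail.yml": "# old: ${LEGACY_SMTP_PASS}\nsmtp:\n  password: ${SMTP_PASSWORD}\n",
    ".env": "SMTP_PASSWORD=constructed-value\nexport OLD_API_KEY=constructed-value\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return env_diff(tmp, Path(tmp, ".env"))

if __name__ == "__main__":
    print(demo())  # key names and file paths only, never values
```

A non-empty missing result is the case to fail a pipeline on; the unused list is the "potential dead config" worth reviewing and removing.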
Examples
Set up secrets for a new project
Rotate an API key
Audit configured secrets
Prepare production environment variables
Best Practices
- Never commit .env files: Applad’s generated .gitignore excludes them automatically
- Use ${VAR} references: Always reference secrets via ${VAR} in yaml files, never hardcode them
- Rotate regularly: Use applad security secrets rotate to update secrets periodically
- Validate before deploy: Run applad env validate before pushing to production
- Use scoped keys in CI: Create deployment keys with limited scopes for CI/CD pipelines