Secrets Management

Where to put API keys, DB URLs, and signing keys — safely.

Hosted secrets / config platforms

★ Doppler — config + secrets across environments, sync to every cloud / CI / Vercel / Cloudflare. Generous free tier; the default for small/medium teams.
★ Infisical — open-source Doppler alternative; self-hostable, also has a hosted free tier. The most popular OSS choice in 2026.
1Password Secrets Automation / op CLI — if you already use 1Password.
Vault by HashiCorp — heavyweight, enterprise-standard self-host.
AWS Secrets Manager / Parameter Store, GCP Secret Manager, Azure Key Vault — cloud-provider native.

Vercel Environment Variables + Vercel's Doppler / Infisical integrations.
Cloudflare Workers wrangler secret put — encrypted-at-rest, scoped per-Worker.
Fly Secrets (fly secrets set).
Railway Variables, Render Environment Groups.

.env files — universal, but easy to leak (don't commit; add to .gitignore).
★ dotenv-vault / @dotenvx/dotenvx — encrypted .env.vault checked into the repo; team can decrypt with one private key.
direnv — auto-loads env when you cd into a project.
@t3-oss/env-nextjs — Zod-validated env vars; catches typos at boot.
envalid — simpler env validation.

★ SOPS (Mozilla) — encrypt YAML/JSON/.env files in-place with KMS / age / GPG. Standard for GitOps shops.
age — modern replacement for GPG; pairs with SOPS.
git-crypt — transparent encryption of specific files.
SealedSecrets — Kubernetes-specific.

TruffleHog — scan git history and live filesystems for secrets.
gitleaks — fast pre-commit scanner.
GitHub Push Protection — default-on for new repos; blocks pushing detected secrets.
detect-secrets (Yelp) — pre-commit hook.