Managing Secrets

In this guide, you'll learn how to manage secrets in your FastStore project using WebOps.

Secrets are sensitive information, such as API keys, passwords, and tokens, that must be securely managed during the FastStore project deployment.

WebOps centralizes and standardizes secrets management, ensuring a consistent and secure process across all deployment providers. This ensures that sensitive information is kept out of your project’s codebase and is retrieved securely by WebOps.

For stores not using WebOps, secrets is handled through the VTEX IO CLI secrets plugin. To enable secrets management, an empty vtex.env file need to be present in the project root. The key-value pairs is stored in the secrets.revealed.json file, then encrypted into secrets.hidden.json before being committed to the main branch. For stores using WebOps, this workflow has been deprecated, and secrets are managed directly through the WebOps interface.

Local development

For local development, you must use the vtex.env file to define secrets needed to run your FastStore project locally.

The vtex.env file is only used in local environments and should always be added to .gitignore to avoid leaking secrets through version control. By adding it to .gitignore, secrets defined in the vtex.env file will not be available in deployed environments via WebOps.

Instructions

To manage your secrets, access your FastStore WebOps dashboard and navigate to the Settings tab.

${"base64":" ","img":{"width":1558,"height":750,"type":"gif","mime":"image/gif","wUnits":"px","hUnits":"px","length":1229954,"url":"https://vtexhelp.vtexassets.com/assets/docs/src/secrets-settings-webops___c4cc35670f1faf9ecabd30447d1ee9b6.gif"}}$

In the Secrets section, you can create, update, or delete secrets following the steps below.

Creating secrets

In the Key field, enter the name of the secret, which serves as its unique identifier (example: VTEX_API_TOKEN, NEXT_SECRET_KEY). In the Value field, enter the corresponding sensitive information you want to store (example: the actual token, key, or password).

Secrets accessible in the browser (client-side) must start with the prefix NEXT_PUBLIC_. For all other secrets, use other names without this prefix.
Click Add. A pop-up with New Secret added successfully will open. Then, you'll see the message Secrets have changed. Changes will take effect in the next successful deployment. alongside a Redeploy button.

When creating multiple secrets, make sure you include all of them before proceeding to the next step. This prevents synchronization errors.
Click Redeploy to redeploy your website with the updated secret configuration. You’ll see the message Redeploying with secret changes, then a pop-up with Deployment created successfully will open.
Follow the deployment status in the Deploys tab of the WebOps dashboard.

During the build process, any secrets registered through WebOps will be transformed into environment variables within the code, automatically loading them into the process.env object. You can access these values in your code using process.env.VARIABLE_NAME. Remember to replace VARIABLE_NAME with the name you assigned to your secret in the Key field.

The secret created will be available in the Current Keys section.

${"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAACCAIAAADwyuo0AAAACXBIWXMAAAPoAAAD6AG1e1JrAAAAIklEQVR4nGOIjY1tbmkpKiras3s3g4CAABc396zZsz09PAGBdQklbfyZFwAAAABJRU5ErkJggg==","img":{"src":"https://vtexhelp.vtexassets.com/assets/docs/src/creating-secrets___14633df5e1e1385934d7f0854f00d340.gif","width":1262,"height":726,"type":"gif"}}$

Updating secrets

Go to the Current Keys section.
Alongside the secret you need to update, click ⋮, then click Edit.
Click Update. A pop-up with Secret updated successfully will open. Then, you'll see the message Secrets have changed. Changes will take effect in the next successful deployment. alongside a Redeploy button.
Click Redeploy to redeploy your website with the updated secret configuration. You’ll see the message Redeploying with secret changes, then a pop-up with Deployment created successfully will open.
Follow the deployment status in the Deploys tab of the WebOps dashboard.

${"base64":" ","img":{"width":1262,"height":726,"type":"gif","mime":"image/gif","wUnits":"px","hUnits":"px","length":469565,"url":"https://vtexhelp.vtexassets.com/assets/docs/src/updating-secrets___41a012c6f441bf927d67a59448c19894.gif"}}$

Deleting secrets

Go to the Current Keys section.
Alongside the secret you need to update, click ⋮, then click Delete.
Validate the secret you want to remove.

This action can’t be undone.
Click Delete secret. A pop-up with Secret deleted successfully will open. Then, you'll see the message Secrets have changed. Changes will take effect in the next successful deployment. alongside a Redeploy button.
Click Redeploy to redeploy your website with the updated secret configuration. You’ll see the message Redeploying with secret changes, then a pop-up with Deployment created successfully will open.
Follow the deployment status in the Deploys tab of the WebOps dashboard.

${"base64":" ","img":{"width":1262,"height":726,"type":"gif","mime":"image/gif","wUnits":"px","hUnits":"px","length":337087,"url":"https://vtexhelp.vtexassets.com/assets/docs/src/deleting-secrets___c5b464f532114c9895ce49af2fd8c76b.gif"}}$

If you tried to create, update, or delete a secret and received the error Failed to create/update/delete secret. Please, try again., repeat the process. If the problem persists, open a ticket to VTEX support.