Documentation
Feedback
Guides
API Reference
App Development
Storefront Development
VTEX IO Apps
Troubleshooting
Release Notes
Storefront Development
Getting started with storefront solutions
FastStore
Store Framework
(Legacy) CMS Portal
Storefront best practices
Storefront development

Managing variables and secrets

In this guide, you'll learn how to manage variables and secrets in your FastStore project using WebOps.
Variables and secrets are sensitive information, such as API keys, passwords, and tokens, that must be securely managed during the FastStore project deployment.
WebOps centralizes and standardizes variable and secret management, providing a consistent and secure process across all deployment providers. This ensures that sensitive information is kept outside the project codebase and is retrieved securely by WebOps.
Variables and secrets of stores that don't use WebOps are handled through the VTEX IO CLI secrets plugin. To enable secret management, you need to have an empty vtex.env file in the project root. The key-value pairs are stored in the secrets.revealed.json file, which is then encrypted into secrets.hidden.json before being committed to the main branch. For stores using WebOps, this workflow has been deprecated, and variables and secrets are managed directly through the WebOps interface.

Local development

For local development, you must use the vtex.env file to define the variables and secrets needed to run your FastStore project locally.
The vtex.env file is only used in local environments and should always be added to .gitignore to avoid leaking variables and secrets through version control. By adding it to .gitignore, variables and secrets defined in the vtex.env file won't be available in deployed environments via WebOps.

Before you begin

VTEX has a permissions system, and only users assigned to a role with the required License Manager resources can manage variables and secrets.
The permissions system is in open beta. To enable it, open a ticket with VTEX Support.
After enabling the feature, make sure you have a user associated with a role that contains the following License Manager resources:
  • Product: FastStore
  • Category: Secrets
  • Resources: View Secrets and Edit Secrets
{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAACCAIAAADwyuo0AAAACXBIWXMAABYlAAAWJQFJUiTwAAAAH0lEQVR4nGM4ceLEEjDYsGEDw8+fP52cnGRkZCwsLADLewzu7Y6WnAAAAABJRU5ErkJggg==","img":{"src":"https://vtexhelp.vtexassets.com/assets/docs/src/resources-secrets___02a8de499a7d29e3a94002e0dd016174.png","width":1400,"height":616,"type":"png"}}

Instructions

To manage variables and secrets, go to your FastStore WebOps dashboard and navigate to the Settings tab.
{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAACCAIAAADwyuo0AAAACXBIWXMAAAPoAAAD6AG1e1JrAAAAH0lEQVR4nGPIzc21s3f4BQYMubm58vLyJ0+ezM3NBQCuOQ0nx5cH6gAAAABJRU5ErkJggg==","img":{"src":"https://cdn.jsdelivr.net/gh/vtexdocs/dev-portal-content@main/images/webops-settings.gif","width":1355,"height":624,"type":"gif"}}
In the Variables and Secrets section, you can create, update, or delete variables and secrets following the steps below.
After you create, update, or delete a variable or secret, it may take a few minutes for the change to propagate. Wait 5 minutes before triggering a new deployment.
If you deployed your storefront immediately after creating, updating, or deleting a variable or secret and the change isn't reflected in your store, wait a few minutes and run another deployment before opening a support ticket.

Creating variables and secrets

  1. In the Type field, click Select... to open the dropdown menu, then choose text for non-sensitive values that can be viewed later (for example, public URLs), or secret for sensitive values that must be hidden after saving (for example, API tokens and passwords).
  2. In the Key field, enter the name of the variable or secret, which serves as its unique identifier (for example, VTEX_API_TOKEN, NEXT_SECRET_KEY).
Variables accessible in the browser (client-side) must start with the prefix NEXT_PUBLIC_. Use names without this prefix for all other variables and secrets.
  1. In the Value field, enter the corresponding information you want to store (for example, the actual token, key, or password).
  2. Click Add. A pop-up with New secret added successfully will open, and you'll see the message Variables have changed. Changes will take effect in the next successful deployment. alongside a Redeploy button.
When creating multiple variables and secrets, make sure you include all of them before proceeding to the next step. This prevents sync errors.
  1. Wait 5 minutes, then click Redeploy to redeploy your website with the updated variable and secret configuration. You'll see the message Redeploying with secret changes, and a pop-up with Deployment created successfully will open.
  2. Track the deployment status in the Deploys tab of the WebOps dashboard.
During the build process, any variables and secrets added through WebOps will be transformed into environment variables within the code, which are automatically loaded into the process.env object. You can access these values in your code using process.env.VARIABLE_NAME. Remember to replace VARIABLE_NAME with the name you assigned to your variable or secret in the Key field.
The created variable or secret will be available in the Current Keys section.
{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAACCAIAAADwyuo0AAAACXBIWXMAAAPoAAAD6AG1e1JrAAAAI0lEQVR4nGOoratfsnzF5ClTT58+zeDk7GJkbNrc0jZnzhwAqCwMT0rqHbQAAAAASUVORK5CYII=","img":{"src":"https://cdn.jsdelivr.net/gh/vtexdocs/dev-portal-content@main/images/create-secret.gif","width":1311,"height":734,"type":"gif"}}

Updating variables and secrets

  1. Go to the Current Keys section.
  2. Next to the variable or secret you need to update, click and then click Edit.
  3. Click Update. A pop-up with Secret updated successfully will open, and you'll see the message Variables have changed. Changes will take effect in the next successful deployment. alongside a Redeploy button.
  4. Wait 5 minutes, then click Redeploy to redeploy your website with the updated variable and secret configuration. You'll see the message Redeploying with secret changes, and a pop-up with Deployment created successfully will open.
  5. Track the deployment status in the Deploys tab of the WebOps dashboard.
{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAACCAIAAADwyuo0AAAACXBIWXMAAAPoAAAD6AG1e1JrAAAAI0lEQVR4nGNobW09ffr0nDlznjx5wmBpYSkiLJKYkDhnzhwAsusMTF9iLvoAAAAASUVORK5CYII=","img":{"src":"https://cdn.jsdelivr.net/gh/vtexdocs/dev-portal-content@main/images/update-secret.gif","width":1311,"height":734,"type":"gif"}}

Deleting variables and secrets

  1. Go to the Current Keys section.
  2. Next to the variable or secret you need to delete, click and then click Delete.
  3. Confirm the variable or secret you want to remove.
This action can't be undone.
  1. Click Delete secret. A pop-up with Secret deleted successfully will open, and you'll see the message Variables have changed. Changes will take effect in the next successful deployment. alongside a Redeploy button.
  2. Wait 5 minutes, then click Redeploy to redeploy your website with the updated variable and secret configuration. You'll see the message Redeploying with secret changes, and a pop-up with Deployment created successfully will open.
  3. Track the deployment status in the Deploys tab of the WebOps dashboard.
{"base64":" ","img":{"width":1311,"height":734,"type":"gif","mime":"image/gif","wUnits":"px","hUnits":"px","length":494193,"url":"https://cdn.jsdelivr.net/gh/vtexdocs/dev-portal-content@main/images/delete-secrets.gif"}}
If you tried to create, update, or delete a variable or secret and got the error Failed to create/update/delete secret. Please, try again., repeat the process. If the problem persists, open a ticket with VTEX support.
Contributors
1
Photo of the contributor
Was this helpful?
Yes
No
Suggest Edits (GitHub)
Contributors
1
Photo of the contributor
Was this helpful?
Suggest edits (GitHub)
On this page