
Secrets & Env Vars

PaaS Runtime distinguishes between config (non-sensitive env vars) and secrets (sensitive values, sealed). Both are injected as process.env.VAR (or equivalent) at runtime.

Set a config var

Config vars are stored in plain text in the control-plane DB. Use them for non-sensitive runtime tuning:

paas config:set NODE_ENV=production
paas config:set LOG_LEVEL=info
paas config:set API_BASE_URL=https://api.example.com

List:

$ paas config
NODE_ENV=production
LOG_LEVEL=info
API_BASE_URL=https://api.example.com
DATABASE_URL=postgres://...   (managed by addon)

Setting a config var triggers a new release (rolling restart). To set multiple vars in one release:

paas config:set NODE_ENV=production LOG_LEVEL=info SENTRY_DSN=https://...

Set a secret

Secrets are AES-256 encrypted at rest with a tenant-specific key (KMS-backed). The control-plane never logs secret values, but a literal value typed on the command line can still be recorded in your local shell history:

paas secrets:set STRIPE_API_KEY=sk_live_...
paas secrets:set DATABASE_PASSWORD="$(openssl rand -base64 32)"

List (values masked):

$ paas secrets
STRIPE_API_KEY=••••••••••••••••
DATABASE_PASSWORD=••••••••••••••••

Reveal a single value (audit-logged):

$ paas secrets:get STRIPE_API_KEY
sk_live_xxxxxxxxxxxxxxxxxxxx

Config vs Secrets — when to use what

| Use case | Type |
|---|---|
| Runtime mode (NODE_ENV, RAILS_ENV) | config |
| Log level | config |
| Feature flags | config |
| External API URLs | config |
| API keys, tokens, passwords | secrets |
| Encryption keys | secrets |
| OAuth client secrets | secrets |
| DATABASE_URL (managed addon) | injected — don't set manually |

Secrets show as •••• in dashboard/CLI output and the control-plane API. They're injected into pods as Kubernetes Secret-mounted env vars, never as ConfigMap.

Bulk import / export

Export config only (safe to commit to git or use in CI, provided no sensitive value was set as a config var):

$ paas config:export > .env.production
$ cat .env.production
NODE_ENV=production
LOG_LEVEL=info

Import from a file:

paas config:import .env.production

Secrets are never exportable in cleartext. Use paas secrets:rotate to issue a new value for an existing secret name.
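
A check to run on an exported file before committing it, as an added example that is not part of the PaaS CLI or the original page: it flags entries that belong in secrets and reports key names only. The function names, key-name patterns and sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PaaS CLI. Flags env-file entries that look
# like secrets. Prints "KEY: reason" only, never the value.
# Returns 0 when the file is clean, 1 when anything was flagged.
# Checks, in order: key name (patterns are assumptions based on the table
# above), scheme://user:password@host URLs, token prefixes seen on this page.
scan_env_file() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            sub(/^[ \t]*(export[ \t]+)?/, "", key)
            reason = ""
            if (toupper(key) ~ /SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY|ENCRYPTION_KEY/) {
                reason = "name looks like a secret"
            } else if (val ~ "^[A-Za-z][A-Za-z0-9+.-]*://[^/@]*:[^/@]*@") {
                reason = "URL embeds credentials"
            } else if (val ~ /sk_live_|paas_pat_/) {
                reason = "value has a token prefix"
            }
            if (reason != "") { print key ": " reason; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: an export in which credentials were set as config vars.
make_sample() {
    cat > "$1" <<'EOF'
NODE_ENV=production
LOG_LEVEL=info
API_BASE_URL=https://api.example.com
DATABASE_URL=postgres://app:example-pw@db.internal:5432/app
PAYMENT_API_KEY=sk_live_example
EOF
}

sample=$(mktemp)
make_sample "$sample"
scan_env_file "$sample" || echo "flagged keys belong in paas secrets:set" >&2
rm -f "$sample"
```

Called as `scan_env_file .env.production` from a pre-commit hook or CI step, a non-zero return blocks the commit until the flagged keys are moved to secrets.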

Unset

paas config:unset SENTRY_DSN
paas secrets:unset OLD_API_KEY

Authentication & SSO

PaaS uses Keycloak for tenant SSO. To get a JWT for an external CI/CD system:

$ paas tokens:create --name "github-ci" --ttl 90d
 Created token  (expires 2026-08-04T13:42Z)
  PAAS_TOKEN=paas_pat_AbCdEf1234...

Store this in your CI secret store, then:

PAAS_TOKEN=paas_pat_... paas apps:list

Audit log

Every secrets:get, secrets:set, and tokens:create call is logged to the audit stream (visible at https://ma30.di2amp.com/runtime/dashboard/account/audit).
