spx

secrets

store project secrets and environment variables for deployed SPX services

SPX stores project-scoped secrets and environment variables for deployed services. Values are reused on redeploy unless you explicitly change or remove them.

Key decisions

  • spx env set KEY=value stores a persisted project value.
  • spx env set KEY --from-stdin reads the value from stdin without putting it in the command.
  • spx env set KEY --from-env reads the value from the local process environment variable named KEY.
  • spx env load .env explicitly bulk imports values from a file.
  • Persisted values are scoped to the SPX project and reused on redeploy.
  • Remote project state is authoritative; local project state does not store secret values.
  • Secret values are redacted from CLI output, logs, API responses, and errors by default.
  • Secret updates affect the next spx run; they do not automatically redeploy the service.
  • SPX stores the latest value only; secrets are not versioned for rollback.

Non-interactive input

All SPX CLI commands are non-interactive. Commands either include the value directly or specify an explicit input source.

This is valid:

spx env set DATABASE_URL=postgres://user:pass@example.com/db
printf %s "$DATABASE_URL" | spx env set DATABASE_URL --from-stdin
spx env set DATABASE_URL --from-env

This is invalid:

spx env set DATABASE_URL

The CLI prints a clear error instead of prompting:

error: missing value for DATABASE_URL

Use one of:
  spx env set DATABASE_URL=value
  spx env set DATABASE_URL --from-stdin
  spx env set DATABASE_URL --from-env

Use --from-stdin when you do not want the value to appear in shell history.

Updating a deployed service

Changing a persisted value does not redeploy the service automatically. Run spx run <file> after setting or removing values to deploy with the new environment.

On this page