secrets
store project secrets and environment variables for deployed SPX services
SPX stores project-scoped secrets and environment variables for deployed services. Values are reused on redeploy unless you explicitly change or remove them.
Key decisions
spx env set KEY=valuestores a persisted project value.spx env set KEY --from-stdinreads the value from stdin without putting it in the command.spx env set KEY --from-envreads the value from the local process environment variable namedKEY.spx env load .envexplicitly bulk imports values from a file.- Persisted values are scoped to the SPX project and reused on redeploy.
- Remote project state is authoritative; local project state does not store secret values.
- Secret values are redacted from CLI output, logs, API responses, and errors by default.
- Secret updates affect the next
spx run; they do not automatically redeploy the service. - SPX stores the latest value only; secrets are not versioned for rollback.
Non-interactive input
All SPX CLI commands are non-interactive. Commands either include the value directly or specify an explicit input source.
This is valid:
spx env set DATABASE_URL=postgres://user:pass@example.com/db
printf %s "$DATABASE_URL" | spx env set DATABASE_URL --from-stdin
spx env set DATABASE_URL --from-envThis is invalid:
spx env set DATABASE_URLThe CLI prints a clear error instead of prompting:
error: missing value for DATABASE_URL
Use one of:
spx env set DATABASE_URL=value
spx env set DATABASE_URL --from-stdin
spx env set DATABASE_URL --from-envUse --from-stdin when you do not want the value to appear in shell history.
Updating a deployed service
Changing a persisted value does not redeploy the service automatically.
Run spx run <file> after setting or removing values to deploy with the new environment.