Devpilot
Servers

Script Secrets

Store API keys, passwords, and tokens encrypted at rest and reference them from scripts with a simple placeholder syntax.

Script Secrets

Script Secrets are encrypted key/value pairs your scripts can use without pasting the raw value into a script body. Devpilot encrypts every secret at rest, masks it in the UI after creation, and substitutes the real value into the command only at execution time.

Typical uses:

  • API keys (Slack, PagerDuty, Stripe, cloud providers)
  • Database passwords
  • Short-lived tokens fetched from a vault
  • Auth headers for internal services

Secrets live alongside your scripts, but they're separate records. Editing a script never changes its referenced secrets, and rotating a secret never requires editing a script.

What You Configure

Every secret has a key — the reference name your scripts use, like DB_PASSWORD or SLACK_WEBHOOK_URL — plus a value (the real secret) and an optional description so teammates know what it's for. Keys must start with a capital letter and use only capital letters, numbers, and underscores; lowercase letters, dashes, or leading digits are rejected so your keys stay easy to reference in scripts. Descriptions are capped at 500 characters.

The value is encrypted the moment you save and Devpilot never displays the plain text back. The UI shows ***masked*** whenever the secret is listed, and the value can always be overwritten with a new one but never read back.

Scopes

Create the secret from a server's dashboard and it's scoped to that server only. Ideal for per-environment credentials like a database password that differs between staging and production hosts.

Create the secret from the workspace-level secrets screen and every script in the workspace can reference it. Ideal for shared API keys that are the same across all environments — a single Slack webhook URL, for instance.

When a script runs, Devpilot looks up secrets in both scopes at once. The secrets manager shows them in two labelled groups — Server Secrets and Workspace Secrets — so you can see at a glance which scope a key lives in.

Creating a Secret

Open the Secrets manager

From a server's dashboard, open Secrets and click Add Secret. Creating it here scopes it to that server. To make a workspace-wide secret, create it from the workspace-level secrets screen instead.

Provide key, value, and description

Pick a stable key like SLACK_WEBHOOK_URL. Secret keys must start with a capital letter and use only capital letters, numbers, and underscores — if you try lowercase or a dash you'll see a validation error. Type or paste the value, and optionally add a short description so teammates know what it's for.

Save

Devpilot encrypts and stores the record. From this point on, the UI only shows ***masked*** for the value. You can always update or replace the value, but you can't read the plain text back — so save it somewhere else too if you'll need it later.

Referencing a Secret in a Script

Use the placeholder {{secret.KEY}} anywhere in your script body. At execution time, Devpilot scans the command for these placeholders, decrypts the matching secrets, and substitutes the real values just before the script is handed off to run.

#!/bin/bash
set -euo pipefail

curl -X POST https://hooks.slack.com/services/xxx \
  -H 'Content-Type: application/json' \
  -d '{"text":"Deploy completed"}' \
  -H "Authorization: Bearer {{secret.SLACK_TOKEN}}"

mysqldump -u app -p"{{secret.DB_PASSWORD}}" app_production > /tmp/db.sql

Placeholders are resolved just before the command runs. The saved script content always contains {{secret.X}} rather than the raw value, so your Script Versions history never exposes secrets.

Quoting Tips

  • Wrap placeholders in double quotes when the value may contain spaces or special characters: "{{secret.API_KEY}}".
  • For passwords passed to CLIs like mysql, use the tool's password flag without a space (-p"{{secret.DB_PASSWORD}}"), or use a defaults file so the value never appears in process lists.
  • For JSON bodies, build the payload with jq or a templating step and inject the secret from an environment variable set inside the script.

Updating and Rotating

Open a secret and type a new value — the next run of any script that references it picks up the fresh value automatically, no script edits needed.

To rotate a key name (for example, renaming SLACK_TOKEN to SLACK_WEBHOOK_URL):

  1. Create the new secret with the new key.
  2. Update any scripts that reference the old key to use the new one.
  3. Delete the old secret once nothing references it.

Deleting a Secret

Deleting a secret removes the encrypted value permanently. Scripts that still reference the deleted key will fail at runtime because the placeholder has nothing to substitute with — it stays in the command as literal text like {{secret.MISSING_KEY}}. Audit your scripts before deleting shared secrets.

Viewing Secrets

The Secrets list shows every key the caller can see, grouped by scope, with every value displayed as ***masked*** so no one can screen-share their way into a leak. Use the copy button next to each key to drop the {{secret.KEY}} placeholder straight into your editor.

Limits and Constraints

  • Key format — Keys must start with a capital letter and use only capital letters, numbers, and underscores.
  • Key maximum length — 255 characters.
  • Description maximum length — 500 characters.
  • Scope — A secret is either tied to a single server or applies workspace-wide. There's no per-group scope today.
  • Values aren't readable after creation — Save them somewhere else if you need the plain text elsewhere.

Troubleshooting

ProblemLikely cause
Validation error on the keyThe key has lowercase letters, a dash, or a leading digit. Use capital letters, digits, and underscores only, starting with a letter.
Script runs with literal {{secret.X}}No secret with that key exists in the script's scope. Create one and re-run.
Wrong value injectedA server-level secret with the same key is overriding the workspace-wide one. Check both scopes.
Value shows ***masked***That's intentional. Rotate the secret if you need a known-plaintext value elsewhere.

Secrets are intended for short sensitive values — API keys, passwords, tokens. They're not a general-purpose vault. For long text, files, or binary data, use a dedicated secret manager and fetch it from inside the script at runtime.

Next Steps

Scripts and Automation

Learn the basics of writing and running scripts that consume secrets.

Script Webhooks

Expose a script as an HTTP endpoint — secrets stay resolved on the server.

Script Versions

Safely edit scripts that reference secrets, with full rollback history.

Multi-Server Execution

Use workspace-wide secrets for consistent fleet-wide runs.

Script Webhooks

Turn any script into a secure HTTP endpoint. Trigger scripts from GitHub, monitoring services, or any external system with token auth, IP allowlists, and HMAC signatures.

Script Versions

Every script edit is saved to history. Review previous versions, compare changes, and roll back with one click.

On this page

Script SecretsWhat You ConfigureScopesCreating a SecretOpen the Secrets managerProvide key, value, and descriptionSaveReferencing a Secret in a ScriptQuoting TipsUpdating and RotatingDeleting a SecretViewing SecretsLimits and ConstraintsTroubleshootingNext Steps