Using Your Project

Secrets & Environment Variables

Store API keys and configuration securely and expose them to your deployed project at runtime.

Last updated:

What are secrets?

Secrets are named values — API keys, tokens, database URLs, webhook signing keys — that your deployed project needs at runtime but that must never appear in your source code, chat history, or the generated bundle. FloopFloop stores them encrypted and injects them into your running project as environment variables.

Inside your deployed project you read them the same way you would in any Node.js app:

import Stripe from "stripe";
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); // value injected at runtime

Why use secrets instead of hardcoding?

  • Credentials never enter chat history. If you paste a key into chat, FloopFloop's server-side guard rejects the message before it is persisted or sent to the AI.
  • Credentials never enter the generated bundle. Your project code references process.env.MY_KEY; the value is only materialized inside the deployment runtime.
  • You can rotate without redeploying. Update a secret and the new value is picked up on the next request.

Managing secrets from the dashboard

Open your project, go to Settings, and scroll to the Secrets & Environment Variables section. From there you can add a new secret, update an existing one, or delete one. The list shows the key name and the last four characters of the value — the full value is never displayed after you save it.

In-chat prompts

When the AI generates code that needs a credential it doesn't yet have, it will ask you for it inline. A dialog opens with the key name pre-filled; you paste the value and click save. The value goes straight to encrypted storage — it is not written into the chat transcript and is not visible to the AI.

Key naming rules

  • UPPER_SNAKE_CASE only (letters, digits, underscores).
  • Must start with a letter.
  • 1–64 characters long.
  • Examples: STRIPE_SECRET_KEY, OPENAI_API_KEY, DATABASE_URL.

Limits

  • 25 secrets per project. Updating an existing secret never counts against the cap — only adding a new key does.
  • 4096 characters per value. This is well above the length of any standard API key or token; longer values almost always indicate a paste error.

How they are stored

Each value is encrypted with an AWS KMS customer-managed key before it leaves FloopFloop. The encryption context binds the ciphertext to the specific project and key name, so a ciphertext from one project cannot be decrypted in another. Only the SSR runtime that serves your project has permission to decrypt; the dashboard, the AI, and FloopFloop employees do not. Values are never logged.
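
The context binding described above can be seen with a local stand-in. This is an added example, not FloopFloop's code: it uses AES-256-GCM with the context passed as additional authenticated data, which is how KMS treats an encryption context. The in-process key, the projectId/keyName field names and the sample values are assumptions constructed for the demonstration.

```javascript
// Added illustration: a local AES-256-GCM stand-in, not a call to AWS KMS.
const nodeCrypto = require("node:crypto");

// Constructed key for the demo. With KMS the key never leaves the service.
const DATA_KEY = nodeCrypto.randomBytes(32);

// Serialize the context with sorted keys so equal contexts give equal bytes.
function contextBytes(context) {
  const sorted = Object.keys(context).sort().map((k) => [k, String(context[k])]);
  return Buffer.from(JSON.stringify(sorted), "utf8");
}

// Encrypt a value. The context is authenticated (AAD) but not stored in the blob.
function sealSecret(value, context) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", DATA_KEY, iv);
  cipher.setAAD(contextBytes(context));
  const body = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

// Decrypt. Returns null unless the caller supplies the exact context used to seal.
function openSecret(blob, context) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 28) return null; // too short to hold a 12-byte IV and 16-byte tag
  const iv = raw.subarray(0, 12);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", DATA_KEY, iv);
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(contextBytes(context));
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return plain.toString("utf8");
  } catch {
    return null; // authentication failed: different context or altered ciphertext
  }
}

// Constructed sample: hypothetical project ids and a made-up value.
const ctxA = { projectId: "proj_a", keyName: "STRIPE_SECRET_KEY" };
const blob = sealSecret("sk_test_constructed_value", ctxA);

console.log("same context:     ", openSecret(blob, ctxA));
console.log("other project:    ", openSecret(blob, { ...ctxA, projectId: "proj_b" }));
console.log("other key name:   ", openSecret(blob, { ...ctxA, keyName: "DATABASE_URL" }));
```

A ciphertext copied to another project's record, or stored under a different key name, fails authentication instead of decrypting to the original value.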

Programmatic access

If you prefer to manage secrets from your own tooling, the public API exposes list, create/update, and delete endpoints. See Secrets API for request and response shapes.