Secrets

An encrypted key-value store per project. Store API keys and sensitive config. Inject at runtime. Rotate without redeploying.

Overview

Flux Secrets is a per-project encrypted store for sensitive values — API keys, tokens, credentials. Secrets are stored encrypted, injected into your functions at runtime via ctx.secrets.get(key), and never included in your deployed code bundle.

Rotate without redeploying

Rotating a secret takes one CLI command. The new value is available to all running functions immediately — no redeploy required.

Managing secrets with the CLI

Set a secret

$ flux secrets set OPENAI_API_KEY sk-abc123...
# ✔ Secret set: OPENAI_API_KEY

List secrets (names only — values are never shown)

$ flux secrets list

  OPENAI_API_KEY     set 2 hours ago
  STRIPE_SECRET_KEY  set 3 days ago
  SENDGRID_API_KEY   set 1 week ago

Delete a secret

$ flux secrets delete OPENAI_API_KEY
# ✔ Secret deleted: OPENAI_API_KEY

Rotate a secret

$ flux secrets set OPENAI_API_KEY sk-newkey456...
# ✔ Secret updated: OPENAI_API_KEY
# New value is live immediately — no redeploy needed.

Accessing secrets in a function

import { defineFunction } from "@flux/functions";

export default defineFunction({
  name: "call_openai",

  handler: async ({ input, ctx }) => {
    // Secret is retrieved at runtime — not baked into the bundle
    const apiKey = await ctx.secrets.get("OPENAI_API_KEY");

    const res = await fetch("https://api.openai.com/v1/chat/completions", {
      method: "POST",
      headers: {
        "Authorization": `Bearer ${apiKey}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ model: "gpt-4o", messages: input.messages }),
    });

    return res.json();
  },
});

ctx.secrets reference

`ctx.secrets.get(key)`

Returns the decrypted value for the given secret key. Throws if the key does not exist.

const value = await ctx.secrets.get("MY_SECRET");
// value: string

`ctx.secrets.get(key, fallback)`

Returns the secret value, or the fallback if the key is not set. Useful for optional secrets with a default.

const region = await ctx.secrets.get("AWS_REGION", "us-east-1");

Environment variables vs secrets

	Secrets (`ctx.secrets`)	Env vars (`ctx.env`)
Encrypted at rest	✔	✗
Visible in dashboard	Names only	Yes
Rotate without redeploy	✔	✗ (requires redeploy)
Best for	API keys, tokens, credentials	Non-sensitive config (region, tier)

Never hardcode secrets

Don't put sensitive values in your function code or flux.json. Use flux secrets set and ctx.secrets.get(). Your code bundle is stored and should be treated as potentially readable.

Security model

Secrets are encrypted at rest using project-scoped keys.
Secret values are never returned over the API — only names are listed.
The runtime retrieves and decrypts secrets on-demand per invocation.
Deleting a project permanently deletes all associated secrets.

Working with secrets locally

When running functions with flux dev, secrets are read from a local .env file if present. This file is listed in the generated .gitignore.

# .env (local development only — never commit this)
OPENAI_API_KEY=sk-local-dev-key
STRIPE_SECRET_KEY=sk_test_xyz

In production (flux deploy), these values are not used. Only secrets stored with flux secrets set are injected.

← API Gateway Next: CLI Reference →