Doppler Secrets Management
Comprehensive assistance for the Doppler secrets management platform: CLI operations, project and config management, secrets injection, integration syncs, and security best practices.
Triggers
Use this skill when the user mentions: "doppler", "secrets management", "doppler cli", "doppler secrets", "doppler run", "doppler setup", "doppler configs", "doppler projects", "secret injection", "doppler environments", "service tokens".
Quick Start
Install CLI
macOS
brew install gnupg && brew install dopplerhq/cli/doppler
Linux (Debian/Ubuntu)
apt-get update && apt-get install -y apt-transport-https ca-certificates curl gnupg
curl -sLf --retry 3 --tlsv1.2 --proto "=https"
'https://packages.doppler.com/public/cli/gpg.DE2A7741A397C129.key' |
gpg --dearmor -o /usr/share/keyrings/doppler-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/doppler-archive-keyring.gpg] https://packages.doppler.com/public/cli/deb/debian any-version main" |
tee /etc/apt/sources.list.d/doppler-cli.list
apt-get update && apt-get install doppler
Shell script (any OS)
curl -sLf --retry 3 --tlsv1.2 --proto "=https" https://get.doppler.com | sh
Authenticate & Setup
Login (opens browser for auth)
doppler login
Setup project in current directory (interactive)
doppler setup
Non-interactive setup
doppler setup --project my-app --config dev --no-interactive
Common Tasks by Intent
Developer wants to... Action
List all secrets doppler secrets -p <project> -c <config>
Get a single secret doppler secrets get SECRET_NAME -p <project> -c <config>
Set a secret doppler secrets set KEY=value -p <project> -c <config>
Set multiple secrets doppler secrets set KEY1=val1 KEY2=val2
Delete a secret doppler secrets delete SECRET_NAME
Run command with secrets doppler run -- your-command --flags
Run with specific config doppler run -p backend -c dev -- npm start
Download secrets as file doppler secrets download --format env --no-file
List projects doppler projects
List configs doppler configs -p <project>
List environments doppler environments -p <project>
Clone a config doppler configs clone -p <project> -c <source> --name <new>
View activity logs doppler activity
Check current setup doppler configure debug
Open dashboard doppler open
View who is authenticated doppler me
Secrets Injection Patterns
Environment Variable Injection
Inject secrets as env vars for any command
doppler run -- node server.js doppler run -- docker compose up doppler run -- terraform apply
Run a shell command string
doppler run --command "echo $DATABASE_URL && npm start"
Only inject specific secrets
doppler run --only-secrets DATABASE_URL,API_KEY -- node server.js
Mount Secrets to File
Mount as JSON file (ephemeral, cleaned up after process exits)
doppler run --mount secrets.json -- cat secrets.json
Mount as .env file
doppler run --mount .env --mount-format env -- your-command
Mount with template
doppler run --mount config.yaml --mount-template template.yaml -- your-command
Template Substitution
Substitute secrets into a template file
doppler secrets substitute template.env.tpl > .env
Fallback for Offline/Resilience
Run with fallback file (writes encrypted secrets on success, reads on failure)
doppler run --fallback ./fallback.encrypted -- npm start
Read-only fallback (never update the fallback file)
doppler run --fallback ./fallback.encrypted --fallback-readonly -- npm start
Offline mode (read directly from fallback, no API contact)
doppler run --fallback-only --fallback ./fallback.encrypted -- npm start
Project & Config Hierarchy
Doppler organizes secrets in a hierarchy:
Workplace └── Project (e.g. "backend", "frontend") └── Environment (e.g. "development", "staging", "production") └── Config (e.g. "dev", "stg", "prd") └── Branch Config (e.g. "dev_feature-x")
Config Inheritance
-
Root configs (dev, stg, prd) inherit from their environment
-
Branch configs inherit from their parent config
-
Overrides cascade: Environment → Config → Branch Config
-
Personal configs allow individual developer overrides without affecting the team
Integration Syncs
Doppler can automatically sync secrets to external platforms:
Platform Use Case
AWS Secrets Manager / SSM ECS, Lambda, EC2 deployments
GCP Secret Manager GKE, Cloud Run, Cloud Functions
Azure Key Vault AKS, App Service, Functions
Cloudflare Pages / Workers Edge & Jamstack deployments
Vercel Frontend/fullstack deployments
Firebase Functions / Hosting Functions config & build-time secrets
Serverless Framework Lambda/serverless function secrets
GitHub Actions CI/CD secrets
Docker / Docker Compose Container environment injection
Kubernetes Secret objects via Doppler Operator
Terraform Infrastructure as Code
Webapp.io CI/CD Layerfile secrets
Heroku PaaS deployments
Service Tokens
For CI/CD and production, use service tokens (read-only, scoped to a single config):
Generate a service token via dashboard or API
Use in CI/CD:
DOPPLER_TOKEN=dp.st.xxx doppler run -- your-command
Or set as environment variable
export DOPPLER_TOKEN=dp.st.xxx doppler secrets
Security Best Practices
-
Never commit secrets to version control — use Doppler as the single source of truth
-
Use service tokens in production (read-only, config-scoped)
-
Use personal configs for local development overrides
-
Enable change requests for production configs (requires approval before changes)
-
Rotate secrets regularly — use Doppler's rotation reminders
-
Use OIDC authentication where possible for short-lived tokens
-
Audit access via doppler activity and dashboard audit logs
-
Use branch configs to isolate feature branch secrets
-
Never use --no-verify-tls in production
Reference Documents
For deep dives, consult these references:
Reference Content
CLI.md Complete CLI command reference with all subcommands and flags
INTEGRATIONS.md CI/CD, Docker, Kubernetes, cloud platform integration patterns
Troubleshooting
Authentication Issues
-
Run doppler me to check current auth status
-
Run doppler configure debug to see active configuration
-
Re-authenticate with doppler login
-
Check scope: doppler configure get token --scope /path/to/project
Wrong Secrets Loaded
-
Check which project/config is active: doppler configure debug
-
Verify scope: doppler setup in the project directory
-
Use explicit flags: doppler secrets -p project -c config
-
Check for environment variable overrides: doppler run --preserve-env=false
Fallback File Issues
-
Ensure fallback path is writable
-
Check passphrase hasn't changed (config-dependent by default)
-
Use doppler run clean to remove old fallback files
-
Regenerate with a fresh doppler run --fallback ./path -- echo ok
Service Token Not Working
-
Verify token is for the correct project and config
-
Service tokens are read-only — cannot set/delete secrets
-
Check token hasn't been revoked in the dashboard
-
Ensure DOPPLER_TOKEN env var is set correctly
Workflow
When helping with Doppler:
-
Identify the task: Setup, secret management, injection, integration, or debugging
-
Check prerequisites: Is doppler CLI installed? Is user authenticated?
-
Determine scope: Which project and config are we working with?
-
Consult references: Use reference docs for detailed CLI flags and integration patterns
-
Security first: Never output secret values in logs; use --only-names for listing