Doppler Secrets Management Setup
Centralized secrets with auto-sync to Vercel, Railway, and GitHub
Created: January 15, 2026
Why Doppler?
- Single source of truth - All secrets in one place
- Auto-sync - Changes propagate to Vercel, Railway, GitHub automatically
- Audit logs - Git-style history with rollback
- No more .env files - Inject secrets at runtime
Architecture
┌─────────────────────────────────────────────────────────────┐
│                           DOPPLER                           │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐          │
│  │     dev     │  │   staging   │  │    prod     │          │
│  │   config    │  │   config    │  │   config    │          │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘          │
└─────────┼────────────────┼────────────────┼─────────────────┘
          │                │                │
          │ auto-sync      │ auto-sync      │ auto-sync
          ▼                ▼                ▼
     ┌──────────┐     ┌──────────┐     ┌──────────┐
     │  Local   │     │  Vercel  │     │ Railway  │
     │   Dev    │     │ Preview  │     │   Prod   │
     └──────────┘     └──────────┘     └──────────┘
                           │
                           │ auto-sync
                           ▼
                      ┌──────────┐
                      │  GitHub  │
                      │ Actions  │
                      └──────────┘
Initial Setup
1. Create Doppler Account
2. Create Project
# Create project named "fulcrum"
doppler projects create fulcrum
# Or via dashboard: https://dashboard.doppler.com
3. Configure Local CLI
# In the Fulcrum repo root
cd /Users/td/ConceptDev/Projects/Fulcrum
# Setup Doppler for this directory
doppler setup
# Select:
# Project: fulcrum
# Config: dev
Environment Structure
Create these configs in Doppler:
| Config | Purpose | Syncs To |
|---|---|---|
| dev | Local development | Local CLI |
| stg | Staging/Preview | Vercel Preview |
| prd | Production | Vercel Prod, Railway |
| ci | CI/CD pipelines | GitHub Actions |
# Create environments via CLI
doppler environments create --project fulcrum --name stg --slug stg
doppler environments create --project fulcrum --name prd --slug prd
doppler environments create --project fulcrum --name ci --slug ci
Add Secrets to Doppler
Via CLI
# Set secrets for dev config
doppler secrets set --project fulcrum --config dev \
POSTGRES_CONN_STR="postgresql://fulcrum:fulcrum@localhost:5432/fulcrum_dev" \
REDIS_URL="localhost:6379" \
NATS_URL="nats://localhost:4222"
# Set secrets for production
doppler secrets set --project fulcrum --config prd \
POSTGRES_CONN_STR="postgresql://user:pass@host:5432/fulcrum?sslmode=require" \
REDIS_URL="redis://default:pass@host:6379" \
CLERK_SECRET_KEY="sk_live_xxx" \
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY="pk_live_xxx"
Via Dashboard
- Go to dashboard.doppler.com
- Select project → config
- Click "Add Secret" or import from .env file
Integration Setup
Vercel Integration (Auto-Sync)
- Authorize Doppler
  - Go to Doppler → Project → Integrations → Vercel
  - Authorize the Doppler app in Vercel
- Configure Each Environment

| Doppler Config | Vercel Environment |
|---|---|
| dev | Development |
| stg | Preview |
| prd | Production |

- Setup Integration
  - Select Team → Vercel Project → Environment → Doppler Config
  - Click "Setup Integration"
  - Repeat for each environment
- Verify
  - Changes in Doppler now auto-sync to Vercel
  - Check Vercel dashboard to confirm variables
Railway Integration (Auto-Sync)
- Get Railway API Token
  - Railway Dashboard → Account Settings → Tokens
  - Create new token with full access
- Configure in Doppler
  - Go to Doppler → Project → Integrations → Railway
  - Paste Railway API Token
  - Select Railway Project & Environment
  - Map to Doppler prd config
- Sync Options
  - Choose how to handle existing Railway variables
  - Enable auto-sync
- Verify
  - Railway variables now managed by Doppler
  - Changes propagate automatically
GitHub Actions Integration (Auto-Sync)
- Create GitHub Environment in Doppler
  - Project → Options → Create Environment
  - Name: ci, Slug: ci
- Authorize GitHub App
  - Go to Doppler → Project → Integrations → GitHub
  - Install Doppler GitHub App
  - Grant access to fulcrum repository
- Configure Sync
  - Feature: Actions
  - Repository: Fulcrum
  - Config: ci
- What Gets Synced
  - All secrets from ci config
  - Plus 3 Doppler-specific secrets: DOPPLER_TOKEN, DOPPLER_PROJECT, DOPPLER_CONFIG
Local Development
Option 1: Inject Secrets at Runtime
# Run any command with secrets injected
doppler run -- go run cmd/server/main.go
# Run with specific config
doppler run --config dev -- npm run dev
# In dashboard directory
cd dashboard && doppler run -- npm run dev
Option 2: Generate .env File (Not Recommended)
# Generate .env from Doppler (for tools that require it)
doppler secrets download --no-file --format env > .env
# Note: This defeats the purpose of Doppler
# Prefer doppler run instead
Option 3: Use doppler.yaml
Create doppler.yaml in repo root:
Now doppler run uses these defaults automatically.
Docker Integration
Docker Compose
# docker-compose.yml
services:
  server:
    build: .
    environment:
      # Doppler injects at runtime
      - DOPPLER_TOKEN=${DOPPLER_TOKEN}
    command: doppler run -- ./fulcrum-server
Dockerfile
# Install Doppler CLI
RUN curl -sLf https://cli.doppler.com/install.sh | sh
# Run with secrets
CMD ["doppler", "run", "--", "./fulcrum-server"]
CI/CD Usage
GitHub Actions (with auto-sync)
If using the GitHub integration, secrets are already available:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        env:
          DATABASE_URL: ${{ secrets.POSTGRES_CONN_STR }}
        run: go build ./...
GitHub Actions (with Doppler Action)
For more control, use the Doppler action:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fetch Doppler Secrets
        uses: dopplerhq/secrets-fetch-action@v1
        with:
          doppler-token: ${{ secrets.DOPPLER_TOKEN }}
          doppler-project: fulcrum
          doppler-config: ci
          # Without this the secrets are only exposed as step outputs
          inject-env-vars: true
      - name: Build
        # All secrets now in environment
        run: go build ./...
Secrets Organization
Recommended Structure
fulcrum/
├── dev/
│   ├── POSTGRES_CONN_STR (local)
│   ├── REDIS_URL (local)
│   ├── NATS_URL (local)
│   ├── CLERK_SECRET_KEY (test keys)
│   └── STRIPE_SECRET_KEY (test keys)
│
├── stg/
│   ├── [inherits from dev]
│   ├── POSTGRES_CONN_STR (staging db)
│   └── NEXT_PUBLIC_APP_URL (preview url)
│
├── prd/
│   ├── POSTGRES_CONN_STR (production)
│   ├── REDIS_URL (production)
│   ├── NATS_URL (production)
│   ├── CLERK_SECRET_KEY (live keys)
│   ├── STRIPE_SECRET_KEY (live keys)
│   └── [all production secrets]
│
└── ci/
    ├── RAILWAY_TOKEN
    ├── VERCEL_TOKEN
    ├── VERCEL_ORG_ID
    ├── VERCEL_PROJECT_ID
    ├── PYPI_TOKEN
    └── NPM_TOKEN
Complete Secrets List for Doppler
Dev Config
POSTGRES_CONN_STR=postgresql://fulcrum:fulcrum@localhost:5432/fulcrum_dev
REDIS_URL=localhost:6379
NATS_URL=nats://localhost:4222
OLLAMA_HOST=http://localhost:11434
CLERK_SECRET_KEY=sk_test_xxx
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_xxx
STRIPE_SECRET_KEY=sk_test_xxx
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_xxx
Prd Config
POSTGRES_CONN_STR=<from-database-provider>
REDIS_URL=<from-redis-provider>
NATS_URL=<from-nats-service>
CLERK_SECRET_KEY=sk_live_xxx
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_live_xxx
CLERK_WEBHOOK_SECRET=whsec_xxx
STRIPE_SECRET_KEY=sk_live_xxx
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx
STRIPE_WEBHOOK_SECRET=whsec_xxx
STRIPE_PRICE_PRO=price_xxx
STRIPE_PRICE_TEAM=price_xxx
NEXT_PUBLIC_APP_URL=https://fulcrumlayer.io
NEXT_PUBLIC_FULCRUM_API_URL=https://api.fulcrumlayer.io
FULCRUM_GRPC_ENDPOINT=api.fulcrumlayer.io:443
ENVIRONMENT=production
CI Config
RAILWAY_TOKEN=xxx
VERCEL_TOKEN=xxx
VERCEL_ORG_ID=xxx
VERCEL_PROJECT_ID=xxx
PYPI_TOKEN=pypi-xxx
NPM_TOKEN=npm_xxx
SLACK_WEBHOOK_URL=https://hooks.slack.com/xxx
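The lists above put test keys in dev, live keys in prd, and only publishable keys under NEXT_PUBLIC_. The following is an added example (not part of the original runbook or of Doppler's tooling) that lints a config exported in env format for violations of that layout; the function name lint_config and its three rules are assumptions.

```shell
#!/bin/sh
# Added example: lint one Doppler config read from stdin in KEY="value" form.
# lint_config and its three rules are assumptions drawn from this page's lists.
# Prints one finding per line; returns 1 if anything was found, else 0.
lint_config() {
    cfg=$1
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*) continue ;; *=*) ;; *) continue ;; esac
        key=${line%%=*}
        val=${line#*=}
        # Strip the surrounding double quotes used by the env export format.
        case $val in '"'*'"') val=${val#\"}; val=${val%\"} ;; esac

        # Rule 1: NEXT_PUBLIC_* reaches the browser bundle, so it must never
        # hold a server-side key (sk_*) or a webhook signing secret (whsec_*).
        case $key in NEXT_PUBLIC_*)
            case $val in sk_*|whsec_*)
                echo "$cfg: $key exposes a server-side secret"; findings=1 ;;
            esac ;;
        esac

        # Rule 2: live keys only in prd, test keys never in prd.
        case $val in
            sk_live_*|pk_live_*)
                [ "$cfg" = prd ] ||
                    { echo "$cfg: $key is a live key outside prd"; findings=1; } ;;
            sk_test_*|pk_test_*)
                [ "$cfg" != prd ] ||
                    { echo "$cfg: $key is a test key in prd"; findings=1; } ;;
        esac

        # Rule 3: prd must not point at a developer's localhost services.
        if [ "$cfg" = prd ]; then
            case $val in *localhost*|*127.0.0.1*)
                echo "$cfg: $key points at localhost"; findings=1 ;;
            esac
        fi
    done
    return "$findings"
}

# Constructed sample (placeholder values): a live key that leaked into stg.
lint_config stg <<'EOF' || true
CLERK_SECRET_KEY="sk_live_xxx"
NEXT_PUBLIC_APP_URL="https://preview.example.test"
EOF
```

To check a live config, pipe `doppler secrets download --no-file --format env --config stg` into `lint_config stg`.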
Useful Commands
# View all secrets (masked)
doppler secrets
# View specific secret
doppler secrets get POSTGRES_CONN_STR
# Set a secret
doppler secrets set KEY=value
# Delete a secret
doppler secrets delete KEY
# View activity log
doppler activity
# Switch config
doppler configure set config prd
# Run command with different config
# (single quotes so the variable is expanded inside doppler run, not by your shell)
doppler run --config prd -- sh -c 'echo $POSTGRES_CONN_STR'
Troubleshooting
"Config not found"
Secrets not syncing
- Check integration status in Doppler dashboard
- Verify API tokens haven't expired
- Check activity log for errors
Local development without Doppler