# How to manage API keys in Replit

- Tool: Replit
- Difficulty: Intermediate
- Time required: 15 minutes
- Compatibility: All Replit plans (Starter, Core, Pro, Enterprise)
- Last updated: March 2026

## TL;DR

Replit stores API keys and sensitive credentials as AES-256 encrypted Secrets accessible from Tools in the left sidebar. Use App Secrets for per-project values and Account Secrets for keys shared across multiple projects. Access them in code via process.env or os.getenv, and always add them separately to your deployment configuration because workspace secrets do not carry over automatically.

## Secure API Key Management in Replit: App Secrets, Account Secrets, and Deployment Rules

Hardcoding API keys into source code is one of the fastest ways to compromise a project. Replit provides a dedicated Secrets tool that encrypts values with AES-256 and transmits them over TLS, keeping credentials out of your codebase entirely. This tutorial explains how to create, organize, and reference secrets safely across development and production environments, with special attention to the visibility rules that control what collaborators and remixers can see.

## Before you start

- A Replit account on any plan (Starter, Core, or Pro)
- A project that requires at least one API key or token
- Basic understanding of environment variables in your chosen language
- Familiarity with the Replit workspace layout (file tree, Tools dock, Shell)

## Step-by-step guide

### 1. Open the Secrets tool from the Tools dock

In your Replit workspace, locate the Tools dock on the left sidebar. Click Secrets or use the search icon at the top of the sidebar and type Secrets. The Secrets panel opens with two tabs: App Secrets and Account Secrets. App Secrets are scoped to the current project. Account Secrets are available across all your projects but must be explicitly linked before they work in a specific app.

**Expected result:** The Secrets panel opens showing the App Secrets tab with an empty list or your existing secrets.

### 2. Add an App Secret for your current project

In the App Secrets tab, click the Add Secret button. Enter a key name using uppercase letters and underscores, like OPENAI_API_KEY or STRIPE_SECRET_KEY. Paste your actual API key into the value field. Click Add Secret to save. The value is immediately encrypted and stored. You can edit or delete secrets at any time from this panel. For bulk editing, click the three-dot menu and select Edit as JSON or Edit as .env to paste multiple key-value pairs at once.

**Expected result:** Your secret appears in the App Secrets list with the key name visible and the value hidden behind a show/hide toggle.

### 3. Access secrets in your application code

Replit injects secrets as standard environment variables. In Node.js, use process.env.YOUR_KEY_NAME. In Python, use os.getenv('YOUR_KEY_NAME') or os.environ['YOUR_KEY_NAME']. The values are available immediately at runtime without importing any Replit-specific library. Never log secret values to the console or return them in API responses. If you add a new secret while the app is running, you may need to stop and re-run the app for the new value to appear.

```
// Node.js
const apiKey = process.env.OPENAI_API_KEY;
if (!apiKey) {
  throw new Error('OPENAI_API_KEY is not set. Add it in Tools > Secrets.');
}

# Python
import os
api_key = os.getenv('OPENAI_API_KEY')
if not api_key:
    raise ValueError('OPENAI_API_KEY is not set. Add it in Tools > Secrets.')
```

**Expected result:** Your code reads the secret value from the environment and uses it for API calls without exposing the raw key in source files.

### 4. Set up Account Secrets for cross-project reuse

Switch to the Account Secrets tab in the Secrets panel. Add a secret here the same way you added an App Secret. Account Secrets are stored at your account level and are not automatically available in any project. To use one, go back to the App Secrets tab, click Link Account Secret, and select the secret you want to connect. This creates a reference rather than a copy, so updating the Account Secret updates it everywhere it is linked. This is ideal for keys you use across many projects, like a shared OpenAI or Stripe API key.

**Expected result:** The Account Secret appears in your App Secrets list with an indicator showing it is linked rather than locally defined.

### 5. Understand visibility rules for collaborators and remixers

Replit applies different visibility levels depending on the viewer's relationship to the project. Collaborators who are invited to your project can see both secret names and values. Cover page visitors who simply view your project's public page see nothing about your secrets. Remixers who fork your project see the secret key names but not the values, which means they know which secrets to set up but cannot access your actual credentials. Organization members without the Owner role cannot view secret values in the UI but can print them from code if they have edit access.

**Expected result:** You understand which users can see your secret names and values, and you have assessed the risk level for your project.

### 6. Add secrets to your deployment configuration separately

This is the single most important step and the most common source of deployment failures. Workspace secrets do not automatically transfer to deployed apps. Open the Deployments pane, navigate to Settings or Configuration, and add every secret your production app needs. Without this step, process.env.YOUR_KEY will return undefined in production even though it works perfectly in development. Static deployments do not support secrets at all, so only Autoscale, Reserved VM, and Scheduled deployment types can use them.

**Expected result:** Your deployed app reads all secrets correctly and does not throw undefined errors for environment variables.

### 7. Verify secrets are loaded correctly in Shell

After adding or changing secrets, you can verify they are available from the Shell. However, Shell access to environment variables requires a reboot of the Replit environment. Run kill 1 in the Shell to restart the environment, then use echo $YOUR_KEY_NAME to confirm the value is loaded. Be cautious with this approach in shared workspaces since the value will be visible in the terminal output. For a safer check, write a small script that prints a masked version of the key, showing only the first and last few characters.

```
# Restart environment to load new secrets
kill 1

# After restart, verify (be careful in shared workspaces)
echo $OPENAI_API_KEY

# Safer: use a script to mask the value
node -e "const k = process.env.OPENAI_API_KEY; console.log(k ? k.slice(0,4) + '...' + k.slice(-4) : 'NOT SET')"
```

**Expected result:** The Shell outputs the secret value or a masked version confirming the secret is loaded in the environment.

## Complete code example

File: `config/secrets.js`

```javascript
// config/secrets.js
// Centralized secret validation for Replit projects
// Validates all required secrets exist at startup

const REQUIRED_SECRETS = [
  'OPENAI_API_KEY',
  'STRIPE_SECRET_KEY',
  'DATABASE_URL',
];

const OPTIONAL_SECRETS = [
  'SENTRY_DSN',
  'LOGROCKET_APP_ID',
];

function validateSecrets() {
  const missing = [];
  const loaded = [];

  for (const key of REQUIRED_SECRETS) {
    if (!process.env[key]) {
      missing.push(key);
    } else {
      loaded.push(key);
    }
  }

  for (const key of OPTIONAL_SECRETS) {
    if (process.env[key]) {
      loaded.push(`${key} (optional)`);
    }
  }

  if (missing.length > 0) {
    console.error('Missing required secrets:', missing.join(', '));
    console.error('Add them in Tools > Secrets in the Replit workspace.');
    if (process.env.REPLIT_DEPLOYMENT === '1') {
      console.error('This is a deployed app. Add secrets in the Deployments pane.');
    }
    process.exit(1);
  }

  console.log(`All ${loaded.length} secrets loaded successfully.`);
  return true;
}

function getSecret(key) {
  const value = process.env[key];
  if (!value) {
    throw new Error(
      `Secret "${key}" is not set. Add it in Tools > Secrets.`
    );
  }
  return value;
}

module.exports = { validateSecrets, getSecret };
```

## Common mistakes

- **Forgetting to add secrets to the deployment configuration** — undefined Fix: Workspace secrets do not transfer to deployments automatically. Open the Deployments pane and add every required secret there before publishing.
- **Expecting secrets to work in Static Deployments** — undefined Fix: Static deployments serve only HTML, CSS, and JS files and do not support environment variables. Use Autoscale, Reserved VM, or Scheduled deployment types instead.
- **Trying to access a newly added secret without restarting the app** — undefined Fix: Stop and re-run your app after adding a new secret. For Shell access, run kill 1 to restart the environment.
- **Using REPLIT_DEV_DOMAIN in production code** — undefined Fix: This variable exists only in the development workspace. Use REPLIT_DOMAINS instead, which is available in both development and deployment environments.
- **Assuming remixers cannot see your secret key names** — undefined Fix: Remixers see the names of all your secrets but not the values. Avoid putting sensitive information in the key name itself.

## Best practices

- Never hardcode API keys, tokens, or passwords directly in source code files
- Use App Secrets for project-specific credentials and Account Secrets for keys shared across multiple projects
- Always add secrets to the deployment configuration separately from workspace secrets
- Validate all required secrets at app startup with clear error messages indicating where to add missing values
- Use the REPLIT_DEPLOYMENT environment variable to detect production and adjust behavior accordingly
- Rotate API keys periodically and update both workspace and deployment secrets when you do
- Prefix secret names by service for clear organization (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET)
- Never log, return in API responses, or expose secret values in client-side code

## Frequently asked questions

### Are Replit Secrets encrypted?

Yes. Replit encrypts all secrets with AES-256 encryption and transmits them over TLS. Values are stored encrypted at rest and only decrypted when accessed by your running application.

### Can collaborators see my secret values?

Yes. Collaborators who are invited to your project can see both secret names and values. Cover page visitors see nothing, and remixers see only the key names without values.

### Why does my API key work in development but not in the deployed app?

Workspace secrets are not automatically copied to deployments. You must add each secret separately in the Deployments pane configuration. This is the most common cause of deployment failures on Replit.

### Can I use secrets in a Static Deployment?

No. Static deployments serve only HTML, CSS, and JS files and do not support server-side environment variables. Use Autoscale, Reserved VM, or Scheduled deployment types if your app needs secrets.

### What is the difference between App Secrets and Account Secrets?

App Secrets are scoped to a single project. Account Secrets are stored at the account level and can be linked to multiple projects. Updating an Account Secret updates the value everywhere it is linked.

### How do I access secrets in Python versus Node.js?

In Python, use os.getenv('KEY_NAME') or os.environ['KEY_NAME']. In Node.js, use process.env.KEY_NAME. Both approaches read standard environment variables injected by Replit at runtime.

### Do I need to restart my app after adding a new secret?

Yes. Stop and re-run your app to pick up newly added secrets. For Shell access, run kill 1 to restart the Replit environment, then verify with echo $KEY_NAME.

### Can I bulk-edit secrets instead of adding them one at a time?

Yes. In the Secrets panel, click the three-dot menu and select Edit as JSON or Edit as .env to paste multiple key-value pairs at once. This is much faster for projects with many secrets.

---

Source: https://www.rapidevelopers.com/replit-tutorial/how-to-manage-api-keys-and-secrets-in-replit-without-risking-exposure
© RapidDev — https://www.rapidevelopers.com/replit-tutorial/how-to-manage-api-keys-and-secrets-in-replit-without-risking-exposure
