Replit stores API keys and sensitive credentials as AES-256 encrypted Secrets accessible from Tools in the left sidebar. Use App Secrets for per-project values and Account Secrets for keys shared across multiple projects. Access them in code via process.env or os.getenv, and always add them separately to your deployment configuration because workspace secrets do not carry over automatically.
Secure API Key Management in Replit: App Secrets, Account Secrets, and Deployment Rules
Hardcoding API keys into source code is one of the fastest ways to compromise a project. Replit provides a dedicated Secrets tool that encrypts values with AES-256 and transmits them over TLS, keeping credentials out of your codebase entirely. This tutorial explains how to create, organize, and reference secrets safely across development and production environments, with special attention to the visibility rules that control what collaborators and remixers can see.
Prerequisites
- A Replit account on any plan (Starter, Core, or Pro)
- A project that requires at least one API key or token
- Basic understanding of environment variables in your chosen language
- Familiarity with the Replit workspace layout (file tree, Tools dock, Shell)
Step-by-step guide
Open the Secrets tool from the Tools dock
In your Replit workspace, locate the Tools dock on the left sidebar. Click Secrets or use the search icon at the top of the sidebar and type Secrets. The Secrets panel opens with two tabs: App Secrets and Account Secrets. App Secrets are scoped to the current project. Account Secrets are available across all your projects but must be explicitly linked before they work in a specific app.
Expected result: The Secrets panel opens showing the App Secrets tab with an empty list or your existing secrets.
Add an App Secret for your current project
In the App Secrets tab, click the Add Secret button. Enter a key name using uppercase letters and underscores, like OPENAI_API_KEY or STRIPE_SECRET_KEY. Paste your actual API key into the value field. Click Add Secret to save. The value is immediately encrypted and stored. You can edit or delete secrets at any time from this panel. For bulk editing, click the three-dot menu and select Edit as JSON or Edit as .env to paste multiple key-value pairs at once.
Expected result: Your secret appears in the App Secrets list with the key name visible and the value hidden behind a show/hide toggle.
Access secrets in your application code
Replit injects secrets as standard environment variables. In Node.js, use process.env.YOUR_KEY_NAME. In Python, use os.getenv('YOUR_KEY_NAME') or os.environ['YOUR_KEY_NAME']. The values are available immediately at runtime without importing any Replit-specific library. Never log secret values to the console or return them in API responses. If you add a new secret while the app is running, you may need to stop and re-run the app for the new value to appear.
// Node.js
const apiKey = process.env.OPENAI_API_KEY;
if (!apiKey) {
  throw new Error('OPENAI_API_KEY is not set. Add it in Tools > Secrets.');
}

# Python
import os
api_key = os.getenv('OPENAI_API_KEY')
if not api_key:
    raise ValueError('OPENAI_API_KEY is not set. Add it in Tools > Secrets.')

Expected result: Your code reads the secret value from the environment and uses it for API calls without exposing the raw key in source files.
Set up Account Secrets for cross-project reuse
Switch to the Account Secrets tab in the Secrets panel. Add a secret here the same way you added an App Secret. Account Secrets are stored at your account level and are not automatically available in any project. To use one, go back to the App Secrets tab, click Link Account Secret, and select the secret you want to connect. This creates a reference rather than a copy, so updating the Account Secret updates it everywhere it is linked. This is ideal for keys you use across many projects, like a shared OpenAI or Stripe API key.
Expected result: The Account Secret appears in your App Secrets list with an indicator showing it is linked rather than locally defined.
Understand visibility rules for collaborators and remixers
Replit applies different visibility levels depending on the viewer's relationship to the project. Collaborators who are invited to your project can see both secret names and values. Cover page visitors who simply view your project's public page see nothing about your secrets. Remixers who fork your project see the secret key names but not the values, which means they know which secrets to set up but cannot access your actual credentials. Organization members without the Owner role cannot view secret values in the UI but can print them from code if they have edit access.
Expected result: You understand which users can see your secret names and values, and you have assessed the risk level for your project.
Add secrets to your deployment configuration separately
This is the single most important step and the most common source of deployment failures. Workspace secrets do not automatically transfer to deployed apps. Open the Deployments pane, navigate to Settings or Configuration, and add every secret your production app needs. Without this step, process.env.YOUR_KEY will return undefined in production even though it works perfectly in development. Static deployments do not support secrets at all, so only Autoscale, Reserved VM, and Scheduled deployment types can use them.
Expected result: Your deployed app reads all secrets correctly and does not throw undefined errors for environment variables.
Verify secrets are loaded correctly in Shell
After adding or changing secrets, you can verify they are available from the Shell. However, Shell access to environment variables requires a reboot of the Replit environment. Run kill 1 in the Shell to restart the environment, then use echo $YOUR_KEY_NAME to confirm the value is loaded. Be cautious with this approach in shared workspaces since the value will be visible in the terminal output. For a safer check, write a small script that prints a masked version of the key, showing only the first and last few characters.
# Restart environment to load new secrets
kill 1

# After restart, verify (be careful in shared workspaces)
echo $OPENAI_API_KEY

# Safer: use a script to mask the value
node -e "const k = process.env.OPENAI_API_KEY; console.log(k ? k.slice(0,4) + '...' + k.slice(-4) : 'NOT SET')"

Expected result: The Shell outputs the secret value or a masked version confirming the secret is loaded in the environment.
Complete working example
// config/secrets.js
// Centralized secret validation for Replit projects
// Validates all required secrets exist at startup

const REQUIRED_SECRETS = [
  'OPENAI_API_KEY',
  'STRIPE_SECRET_KEY',
  'DATABASE_URL',
];

const OPTIONAL_SECRETS = [
  'SENTRY_DSN',
  'LOGROCKET_APP_ID',
];

function validateSecrets() {
  const missing = [];
  const loaded = [];

  for (const key of REQUIRED_SECRETS) {
    if (!process.env[key]) {
      missing.push(key);
    } else {
      loaded.push(key);
    }
  }

  for (const key of OPTIONAL_SECRETS) {
    if (process.env[key]) {
      loaded.push(`${key} (optional)`);
    }
  }

  if (missing.length > 0) {
    console.error('Missing required secrets:', missing.join(', '));
    console.error('Add them in Tools > Secrets in the Replit workspace.');
    if (process.env.REPLIT_DEPLOYMENT === '1') {
      console.error('This is a deployed app. Add secrets in the Deployments pane.');
    }
    process.exit(1);
  }

  console.log(`All ${loaded.length} secrets loaded successfully.`);
  return true;
}

function getSecret(key) {
  const value = process.env[key];
  if (!value) {
    throw new Error(
      `Secret "${key}" is not set. Add it in Tools > Secrets.`
    );
  }
  return value;
}

module.exports = { validateSecrets, getSecret };

Common mistakes when managing API keys in Replit
Mistake: Forgetting to add secrets to the deployment configuration
Why it's a problem and how to avoid it: Workspace secrets do not transfer to deployments automatically. Open the Deployments pane and add every required secret there before publishing.
Mistake: Expecting secrets to work in Static Deployments
Why it's a problem and how to avoid it: Static deployments serve only HTML, CSS, and JS files and do not support environment variables. Use Autoscale, Reserved VM, or Scheduled deployment types instead.
Mistake: Trying to access a newly added secret without restarting the app
Why it's a problem and how to avoid it: Stop and re-run your app after adding a new secret. For Shell access, run kill 1 to restart the environment.
Mistake: Using REPLIT_DEV_DOMAIN in production code
Why it's a problem and how to avoid it: This variable exists only in the development workspace. Use REPLIT_DOMAINS instead, which is available in both development and deployment environments.
Mistake: Assuming remixers cannot see your secret key names
Why it's a problem and how to avoid it: Remixers see the names of all your secrets but not the values. Avoid putting sensitive information in the key name itself.
Best practices
- Never hardcode API keys, tokens, or passwords directly in source code files
- Use App Secrets for project-specific credentials and Account Secrets for keys shared across multiple projects
- Always add secrets to the deployment configuration separately from workspace secrets
- Validate all required secrets at app startup with clear error messages indicating where to add missing values
- Use the REPLIT_DEPLOYMENT environment variable to detect production and adjust behavior accordingly
- Rotate API keys periodically and update both workspace and deployment secrets when you do
- Prefix secret names by service for clear organization (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET)
- Never log, return in API responses, or expose secret values in client-side code
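The last two practices, never letting secret values reach logs or responses and using REPLIT_DEPLOYMENT and REPLIT_DOMAINS rather than REPLIT_DEV_DOMAIN, can be enforced in code rather than by discipline alone. The module below is an added example written for this tutorial, not Replit's own code or part of the page's config/secrets.js. It assumes the secret names used earlier in the tutorial, that REPLIT_DEPLOYMENT equals '1' in deployed apps (as the complete example above does), and that REPLIT_DOMAINS may contain a comma-separated list of hostnames, which is an assumption; the first entry is taken as the primary domain.

```javascript
// Added example for this tutorial (not Replit's code): mask known secret values
// before anything reaches the console, and read the Replit runtime variables
// the tutorial recommends.
// Assumptions: the secret names below match the tutorial's examples;
// REPLIT_DEPLOYMENT is '1' in deployed apps (as in config/secrets.js above);
// REPLIT_DOMAINS may be a comma-separated list (assumption), first entry used.

const SECRET_NAMES = ['OPENAI_API_KEY', 'STRIPE_SECRET_KEY', 'DATABASE_URL'];

// Display form of a secret: first and last four characters only, like the Shell check above.
function maskSecret(value) {
  if (!value) return 'NOT SET';
  if (value.length <= 8) return '*'.repeat(value.length);
  return `${value.slice(0, 4)}...${value.slice(-4)}`;
}

// Replace every occurrence of a known secret value in text with a masked marker.
// Values shorter than 8 characters are skipped: masking them would reveal as much
// as it hides, and such short strings would produce false matches in normal text.
function redact(text, env = process.env, names = SECRET_NAMES) {
  let out = String(text);
  for (const name of names) {
    const value = env[name];
    if (!value || value.length < 8) continue;
    out = out.split(value).join(`[${name}:${maskSecret(value)}]`);
  }
  return out;
}

// A console-compatible logger whose output is redacted before it reaches the sink.
// Objects are serialised first so that secrets nested inside them are caught too.
function createRedactingLogger(env = process.env, names = SECRET_NAMES, sink = console) {
  const wrap = (level) => (...args) =>
    sink[level](
      ...args.map((a) => redact(typeof a === 'string' ? a : JSON.stringify(a), env, names))
    );
  return { log: wrap('log'), warn: wrap('warn'), error: wrap('error') };
}

// Runtime detection: REPLIT_DEPLOYMENT marks a deployed app; REPLIT_DOMAINS is set
// in both the workspace and deployments, unlike REPLIT_DEV_DOMAIN.
function runtimeInfo(env = process.env) {
  const deployed = env.REPLIT_DEPLOYMENT === '1';
  const domains = (env.REPLIT_DOMAINS || '')
    .split(',')
    .map((d) => d.trim())
    .filter(Boolean);
  return { deployed, primaryDomain: domains.length > 0 ? domains[0] : null };
}

// Stand-alone demo against a constructed environment (no real keys involved).
function demo() {
  const env = {
    OPENAI_API_KEY: 'sk-example-0123456789abcdef', // constructed sample value
    REPLIT_DEPLOYMENT: '1',
    REPLIT_DOMAINS: 'myapp.replit.app',
  };
  const logger = createRedactingLogger(env, SECRET_NAMES);
  logger.log('starting with key', env.OPENAI_API_KEY); // prints the masked marker only
  return runtimeInfo(env);
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}

if (typeof module !== 'undefined') {
  module.exports = { SECRET_NAMES, maskSecret, redact, createRedactingLogger, runtimeInfo, demo };
}
```

Use createRedactingLogger in place of console for anything that might carry request bodies, error objects or configuration dumps; the redaction is by known value, so it also catches a secret that was accidentally interpolated into an error message by a third-party library.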
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm building a Node.js app on Replit that uses API keys for OpenAI and Stripe. How do I store these securely using Replit Secrets, access them in code, and make sure they work in both development and deployed environments?
Set up environment variables for my OpenAI and Stripe API keys using Replit Secrets. Add validation at startup that checks all required keys exist and shows a clear error if any are missing. Make sure the secrets work in both the development workspace and Autoscale deployment.
Frequently asked questions
Are secrets stored securely?
Yes. Replit encrypts all secrets with AES-256 encryption and transmits them over TLS. Values are stored encrypted at rest and only decrypted when accessed by your running application.
Can collaborators see my secret values?
Yes. Collaborators who are invited to your project can see both secret names and values. Cover page visitors see nothing, and remixers see only the key names without values.
Why do my secrets work in the workspace but not in my deployment?
Workspace secrets are not automatically copied to deployments. You must add each secret separately in the Deployments pane configuration. This is the most common cause of deployment failures on Replit.
Can Static deployments use secrets?
No. Static deployments serve only HTML, CSS, and JS files and do not support server-side environment variables. Use Autoscale, Reserved VM, or Scheduled deployment types if your app needs secrets.
What is the difference between App Secrets and Account Secrets?
App Secrets are scoped to a single project. Account Secrets are stored at the account level and can be linked to multiple projects. Updating an Account Secret updates the value everywhere it is linked.
How do I read a secret in Python or Node.js?
In Python, use os.getenv('KEY_NAME') or os.environ['KEY_NAME']. In Node.js, use process.env.KEY_NAME. Both approaches read standard environment variables injected by Replit at runtime.
Do I need to restart after adding a secret?
Yes. Stop and re-run your app to pick up newly added secrets. For Shell access, run kill 1 to restart the Replit environment, then verify with echo $KEY_NAME.
Can I add many secrets at once?
Yes. In the Secrets panel, click the three-dot menu and select Edit as JSON or Edit as .env to paste multiple key-value pairs at once. This is much faster for projects with many secrets.