Doppler
Doppler
Role
The single place every family secret is written, rotated, and
audited. Doppler then syncs each secret out to the runtime
mirrors that actually need it — GitHub Secrets for Actions, Worker
vars / secrets for Cloudflare, Firebase Auth provider credentials,
local dev via doppler run.
Free tier
- 5 users (the family uses 1).
- Unlimited projects, environments, secrets.
- Sync integrations included on free: GitHub Actions, Cloudflare, Vercel, AWS Parameter Store, GCP Secret Manager, Kubernetes, Heroku, Render, Fly.io, Netlify, and webhooks.
- Built-in secret rotation on supported integrations.
- Audit log of every read / write / sync.
- CLI:
dopplerfor local dev (doppler run -- pnpm dev).
Card / subscription required?
NO. Free tier doesn't ask for a card. Free Team plan limits seats to 5 and excludes some enterprise features (SAML, granular access policies) — none of which the family needs.
What lives in Doppler
| Project | Environments | Examples |
|---|---|---|
oriz-firebase |
dev, prod |
MICROSOFT_OAUTH_CLIENT_ID, MICROSOFT_OAUTH_CLIENT_SECRET, RECAPTCHA_ENTERPRISE_KEY, Firebase service account JSON |
oriz-worker |
dev, prod |
HOOKDECK_SIGNING_SECRET, RAZORPAY_KEY_ID, RAZORPAY_SECRET, RESEND_API_KEY |
oriz-omnipost |
prod |
OMNIPOST_DEVTO_TOKEN, OMNIPOST_HASHNODE_TOKEN, GH bot PAT for repo writeback |
oriz-monitoring |
prod |
SENTRY_DSN, AXIOM_TOKEN, BETTER_STACK_TOKEN |
oriz-cli |
dev |
local-only CLI auth tokens |
Alternatives
- GitHub Secrets only — current state pre-Doppler; loses cross-repo + cross-runtime sync, no audit log, no built-in rotation
- Infisical — newer, OSS, similar shape; Doppler has the better DX + integration coverage in 2026
- 1Password Secrets Automation — local-only signing model, no Worker / Firebase sync
- HashiCorp Vault — enterprise; too much for the family
- envpact — the user's home-grown vault, still kept around for personal use; Doppler covers the family-stack secrets
Swap cost
Medium — every site / Worker / GH workflow reads from Doppler. Swap means re-pointing each integration target. The secrets themselves are portable (Doppler exports JSON / .env). Most pain is in the rotation runbook + the per-runtime sync config.
Why this is our pick
- Best integration coverage of the three modern free options (Doppler / Infisical / 1Password) — covers GitHub Actions + Cloudflare + Firebase out of the box, which is exactly the family's runtime triangle.
- Built-in rotation for supported integrations — turns the rotate-leaked-secret runbook into "click rotate in Doppler, integrations update automatically".
- Audit log — every read / write / sync is timestamped + attributed; satisfies the family's secrets-handling policy.
- Best DX of the three (Infisical is newer with rougher edges; 1Password's automation is local-signing-model only).
- Free 5 users is permanent — we use 1; 4-user buffer for any future contributor.
Implementation notes
- Sign up at https://doppler.com with the user's GitHub identity. No card.
- Install CLI:
doppler login. - Create projects + environments per the table above.
- Wire integrations:
- GitHub Actions: install Doppler GitHub App → org / repo scope → Doppler pushes secrets to GH Secrets on every change.
- Cloudflare Workers: Doppler → Cloudflare integration writes Worker secrets via API.
- Firebase:
doppler run -- firebase functions:config:setin the deploy step (or via Cloud Build trigger when we move there).
- Local dev:
doppler run -- pnpm dev(per project) — no.envfiles committed, ever (perno-hardcoded-secrets.md). - Rotation: Doppler dashboard → secret → Rotate → integrations re-sync within seconds.