
Doppler

Tags: service, secrets, doppler, sync, primary


Role

The single place every family secret is written, rotated, and audited. Doppler then syncs each secret out to the runtime mirrors that actually need it — GitHub Secrets for Actions, Worker vars / secrets for Cloudflare, Firebase Auth provider credentials, local dev via doppler run.

Free tier

Card / subscription required?

NO. Free tier doesn't ask for a card. Free Team plan limits seats to 5 and excludes some enterprise features (SAML, granular access policies) — none of which the family needs.

What lives in Doppler

Project          Environments   Examples
oriz-firebase    dev, prod      MICROSOFT_OAUTH_CLIENT_ID, MICROSOFT_OAUTH_CLIENT_SECRET, RECAPTCHA_ENTERPRISE_KEY, Firebase service account JSON
oriz-worker      dev, prod      HOOKDECK_SIGNING_SECRET, RAZORPAY_KEY_ID, RAZORPAY_SECRET, RESEND_API_KEY
oriz-omnipost    prod           OMNIPOST_DEVTO_TOKEN, OMNIPOST_HASHNODE_TOKEN, GH bot PAT for repo writeback
oriz-monitoring  prod           SENTRY_DSN, AXIOM_TOKEN, BETTER_STACK_TOKEN
oriz-cli         dev            local-only CLI auth tokens
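An added consistency check, not from this page or from Doppler itself: it takes the required-secret matrix from the table above and per-project, per-environment exports in the flat name-to-value JSON shape assumed here for `doppler secrets download --no-file --format json`, then reports secrets missing from an environment, blank values (a rotation that was never completed) and keys present in dev but absent from prod, so a mirror sync can be refused before a runtime is left without a secret. The exports are constructed samples.

```python
import json

# Required-secret matrix per Doppler project, taken from the table on this page; entries the
# page names only in words (service account JSON, bot PAT, CLI tokens) are left out.
REQUIRED = {
    "oriz-firebase": (("dev", "prod"), {"MICROSOFT_OAUTH_CLIENT_ID",
                                        "MICROSOFT_OAUTH_CLIENT_SECRET", "RECAPTCHA_ENTERPRISE_KEY"}),
    "oriz-worker": (("dev", "prod"), {"HOOKDECK_SIGNING_SECRET", "RAZORPAY_KEY_ID",
                                      "RAZORPAY_SECRET", "RESEND_API_KEY"}),
    "oriz-monitoring": (("prod",), {"SENTRY_DSN", "AXIOM_TOKEN", "BETTER_STACK_TOKEN"}),
}
# Constructed sample exports: project -> env -> JSON text in the flat {"NAME": "value"} shape
# assumed for `doppler secrets download --no-file --format json`. The prod client secret is
# blank (rotated but never re-set) and prod is missing RAZORPAY_SECRET on purpose.
SAMPLE_EXPORTS = {
    "oriz-firebase": {
        "dev": '{"MICROSOFT_OAUTH_CLIENT_ID": "d1", "MICROSOFT_OAUTH_CLIENT_SECRET": "d2", '
               '"RECAPTCHA_ENTERPRISE_KEY": "d3"}',
        "prod": '{"MICROSOFT_OAUTH_CLIENT_ID": "p1", "MICROSOFT_OAUTH_CLIENT_SECRET": "", '
                '"RECAPTCHA_ENTERPRISE_KEY": "p3"}',
    },
    "oriz-worker": {
        "dev": '{"HOOKDECK_SIGNING_SECRET": "a", "RAZORPAY_KEY_ID": "b", "RAZORPAY_SECRET": "c", '
               '"RESEND_API_KEY": "d", "DEBUG_WEBHOOK_URL": "http://localhost:8787"}',
        "prod": '{"HOOKDECK_SIGNING_SECRET": "a", "RAZORPAY_KEY_ID": "b", "RESEND_API_KEY": "d"}',
    },
    "oriz-monitoring": {"prod": '{"SENTRY_DSN": "x", "AXIOM_TOKEN": "y", "BETTER_STACK_TOKEN": "z"}'},
}


def audit(exports):
    """Return findings as strings; secret names are reported, values never are."""
    findings = []
    for project, (envs, required) in REQUIRED.items():
        seen = {}
        for env in envs:
            raw = exports.get(project, {}).get(env)
            if raw is None:
                findings.append(f"{project}/{env}: no export")
                continue
            seen[env] = secrets = json.loads(raw)
            for key in sorted(required - set(secrets)):
                findings.append(f"{project}/{env}: missing {key}")
            for key in sorted(k for k, v in secrets.items() if not str(v).strip()):
                findings.append(f"{project}/{env}: empty value for {key}")
        # Drift: keys dev has that prod never received, beyond the required set reported above.
        if "dev" in seen and "prod" in seen:
            for key in sorted(set(seen["dev"]) - set(seen["prod"]) - required):
                findings.append(f"{project}: {key} set in dev but not in prod")
    return findings
```

Run it against real exports by replacing SAMPLE_EXPORTS with the per-project, per-environment JSON the CLI emits; a non-empty result should block the sync.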

Alternatives

Swap cost

Medium — every site / Worker / GH workflow reads from Doppler. Swap means re-pointing each integration target. The secrets themselves are portable (Doppler exports JSON / .env). Most pain is in the rotation runbook + the per-runtime sync config.

Why this is our pick

Implementation notes

Cross-refs