Every app has secrets - API keys, passwords, credentials etc... Managing secrets can be a bit of a pain, so we've built secret management into Keel that is both secure and easy to to use.


For non-sensitive configuration values use environment variables.

Defining Secrets

Secrets are defined in a keelconfig.yaml file which should be in the root of your project.

  - name: MY_SECRET


Secrets must be named in UPPER_SNAKE_SNAKE and cannot start with the prefix KEEL_. In the keelconfig.yaml file you only provide the names of your secrets - this is enough to enable type-safe access of your secrets in your schema and your functions.


For deployed environments you can set secret values in the console by going to the Secrets section in the console.

Adding a secret in the Keel console


Secret values are set separately for each environment, however you don't need to set a value in every environment if you don't need to.

Secrets in development

To set a secret value for use in development, for example when using keel run to run your app locally, you can use keel secrets set. For example:

keel secrets set development MY_SECRET 'my-value'

Make sure to run keel generate after adding a secret, for ctx.secrets to recognise the new field

Using Secrets

There are two ways you will use your secrets - from your Keel schema or from your function code.

From a Keel schema

Secrets can be accessed with ctx.secrets.MY_SECRET from within any expression in your schema.

model Person {
    fields {
        name Text
      expression: ctx.headers.API_KEY == ctx.secrets.API_KEY,
      actions: [get]

From a function

You can access your secrets in a type-safe way through the ctx argument that is passed to your functions, for example ctx.secrets.MY_SECRET.

export default MyFunction(async (ctx, inputs) => {
  // "some-vale"
  // TypeScript will catch this with the error:
  // ts(2339) Property 'FOO' does not exist on type 'Secrets'.