Secret Generation
Secrets can be declared with type and generate to be auto-generated when missing. This is useful for passwords, tokens, and keys that do not need to be shared across developers.
Basic Usage
Section titled “Basic Usage”[profiles.default]DB_PASSWORD = { description = "Database password", type = "password", generate = true }API_TOKEN = { description = "API token", type = "hex", generate = { bytes = 32 } }SESSION_KEY = { description = "Session key", type = "base64", generate = { bytes = 64 } }REQUEST_ID = { description = "Request ID prefix", type = "uuid", generate = true }Generation Types
Section titled “Generation Types”| Type | Default Output | Options |
|---|---|---|
password | 32 alphanumeric chars | length (int), charset ("alphanumeric" or "ascii") |
hex | 64 hex chars (32 bytes) | bytes (int) |
base64 | 44 chars (32 bytes) | bytes (int) |
uuid | UUID v4 (36 chars) | none |
command | stdout of command | command (string, required) |
rsa_private_key | 2048-bit RSA private key (PKCS1 PEM) | bits (int) |
Command type
Section titled “Command type”The command type runs a shell command and uses its stdout as the generated value:
MONGO_KEY = { description = "MongoDB keyfile", type = "command", generate = { command = "openssl rand -base64 765" } }command requires generate = { command = "..." } rather than just generate = true.
How it works
Section titled “How it works”- Generation only triggers when a secret is missing. Existing secrets are never overwritten.
- Generated values are stored via the secret’s configured provider (or the default provider).
- Subsequent runs find the stored value and skip generation (idempotent).
generateanddefaultcannot both be set on the same secret.- Setting
typewithoutgenerateis informational only and does not trigger auto-generation.
Example
Section titled “Example”[profiles.default]# Auto-generated on first run, reused after thatDB_PASSWORD = { description = "Database password", type = "password", generate = true }
# Custom length and character setADMIN_PASSWORD = { description = "Admin password", type = "password", generate = { length = 64, charset = "ascii" } }
# 64-byte key encoded as base64ENCRYPTION_KEY = { description = "Encryption key", type = "base64", generate = { bytes = 64 } }
# RSA private key (default 2048-bit)JWT_SIGNING_KEY = { description = "JWT signing key", type = "rsa_private_key", generate = true }
# RSA private key with custom key sizeTLS_KEY = { description = "TLS private key", type = "rsa_private_key", generate = { bits = 4096 } }
# Informational type only, no generationEXTERNAL_API_KEY = { description = "Provided by vendor", type = "password" }See the configuration reference for the full specification.