Config Vars
Config vars are encrypted environment variables attached to a project. They're injected into agent execution and preview containers, allowing your projects to use secrets (API keys, database URLs, etc.) without hardcoding them.
Setting Variables
From Project Settings > Config Vars:
- Enter a key (e.g., DATABASE_URL, STRIPE_SECRET_KEY)
- Enter a value
- Save: the value is encrypted with AES-256-GCM and stored in the database
Permission required: project:settings
Viewing Variables
By default, config var values are masked — displayed as **** followed by the last 4 characters. To reveal full values, use the Reveal action (requires project:settings permission).
Using Variables
Config vars are automatically available as environment variables in:
- Agent execution containers — Agents can read them via standard environment variable access
- Preview containers — Your application can use them like any environment variable
Encryption
All config var values are encrypted at rest using AES-256-GCM symmetric encryption (256-bit keys with 96-bit random nonces). The encryption key is configured server-side — it is never stored in the database.
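The scheme described above, as an added Node.js example that is not the platform's own code: AES-256-GCM with a fresh 96-bit nonce per write, plus the masked display from Viewing Variables. The storage layout (nonce, tag, ciphertext), the associated-data string, the short-value masking rule, and all function names are assumptions of this example.

```javascript
// Added example: not the platform's code. Layout and names are assumptions.
const nodeCrypto = require("node:crypto");

const NONCE_LEN = 12; // 96-bit nonce, as stated on the page
const TAG_LEN = 16;   // 128-bit GCM authentication tag

// Encrypt one config var. `aad` ties the ciphertext to its row (assumed:
// "projectId:KEY") so a blob copied onto another row fails authentication.
function encryptConfigVar(key, plaintext, aad) {
  if (key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh nonce per write
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Assumed storage layout: nonce || tag || ciphertext, base64-encoded.
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt a stored blob; throws if the key, AAD, or any stored byte is wrong.
function decryptConfigVar(key, stored, aad) {
  const buf = Buffer.from(stored, "base64");
  if (buf.length < NONCE_LEN + TAG_LEN) throw new Error("blob too short");
  const nonce = buf.subarray(0, NONCE_LEN);
  const tag = buf.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = buf.subarray(NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce,
    { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Masked display: **** plus the last 4 characters. Assumption: values of
// 4 characters or fewer show only ****, so a short secret is not shown whole.
function maskValue(value) {
  return value.length > 4 ? "****" + value.slice(-4) : "****";
}

// Returns true when decryption rejects the blob (authentication failure).
function rejects(key, stored, aad) {
  try { decryptConfigVar(key, stored, aad); return false; } catch { return true; }
}

// Constructed demo: random key and a made-up value, not real credentials.
const demoKey = nodeCrypto.randomBytes(32);
const demoBlob = encryptConfigVar(demoKey, "sk_test_constructed_1234", "proj-1:API_KEY");
console.log(maskValue("sk_test_constructed_1234"), rejects(demoKey, demoBlob, "proj-2:API_KEY"));
```

In a deployment matching the page, the 32-byte key would come from server-side configuration rather than being generated next to the data.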