Vulcan

Appearance

Secrets & API Keys

If your app connects to an external service — Google, a third-party API — you'll need to give it credentials. Vulcan handles this securely through secrets.

What are secrets?

Secrets are sensitive values like API keys, tokens, and passwords that your app needs but that should never be visible in the code or chat history. Vulcan stores them encrypted and makes them available to your app at runtime.

Common examples:

  • A Google OAuth client secret
  • A third-party API key (OpenAI, Stripe, Twilio, etc.)
  • A database connection string for an external DB

Setting a secret

When the AI determines your app needs a secret, it will prompt you to set one. It does this through a secure input — you enter the value directly, and it's never pasted into the chat or stored in your code.

You can also ask the AI to set up a secret at any time:

"I need to add my Google API key as a secret" "Set up an environment variable for my Stripe API key"

The AI will ask for the secret name and then prompt you to enter the value securely.

Using secrets in your app

Once set, your secret is available in your backend code as env.YOUR_SECRET_NAME. For example, if you set a secret named STRIPE_API_KEY, your backend can access it as env.STRIPE_API_KEY.

The AI wires this up for you — you just provide the value. Secrets are only accessible server-side (in handlers.ts, data.ts, etc.) and are never exposed to the frontend or browser.

Preview vs production secrets

When you set a secret, it is applied to both your preview and production app simultaneously — both environments get the same value. You don't need to set secrets twice.

One edge case: if your app has never been deployed to production when you first set a secret, Vulcan can't write the secret to the production Worker yet (it doesn't exist). In that case, the secret is saved and applied automatically the first time you deploy to production. You don't need to re-enter it.

Rotating or updating a secret

To update a secret (e.g. you need to rotate an API key), ask the AI:

"I need to update my Stripe API key"

It will prompt you to enter the new value securely and apply the update.

Security notes

  • Secrets are never visible in your code files or chat history
  • Don't paste API keys directly into the chat — always use the secure secret prompt
  • If you accidentally expose a key in chat, rotate it immediately in the third-party service

Built by the Veho Developer Platform team