type: service
status: active
timestamp: 2026-06-20
tags: [secrets, doppler, sync, primary]

Doppler

Single source of truth for secrets — syncs to GH, CF, Firebase, local

Role

The single place every family secret is written, rotated, and audited. Doppler then syncs each secret out to the runtime mirrors that actually need it — GitHub Secrets for Actions, Worker vars / secrets for Cloudflare, Firebase Auth provider credentials, local dev via doppler run.

Free tier

Card / subscription required?

NO. Free tier doesn’t ask for a card. Free Team plan limits seats to 5 and excludes some enterprise features (SAML, granular access policies) — none of which the family needs.

What lives in Doppler

Project | Environments | Examples
--- | --- | ---
oriz-firebase | dev, prod | MICROSOFT_OAUTH_CLIENT_ID, MICROSOFT_OAUTH_CLIENT_SECRET, RECAPTCHA_ENTERPRISE_KEY, Firebase service account JSON
oriz-worker | dev, prod | HOOKDECK_SIGNING_SECRET, RAZORPAY_KEY_ID, RAZORPAY_SECRET, RESEND_API_KEY
oriz-omnipost | prod | OMNIPOST_DEVTO_TOKEN, OMNIPOST_HASHNODE_TOKEN, GH bot PAT for repo writeback
oriz-monitoring | prod | SENTRY_DSN, AXIOM_TOKEN, BETTER_STACK_TOKEN
oriz-cli | dev | local-only CLI auth tokens

Alternatives

Swap cost

Medium — every site / Worker / GH workflow reads from Doppler. Swap means re-pointing each integration target. The secrets themselves are portable (Doppler exports JSON / .env). Most pain is in the rotation runbook + the per-runtime sync config.
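A drift check for one of the mirrors, added here as an example (not the family's tooling and not Doppler's own code): it parses an env-format export such as the one `doppler secrets download --no-file --format env` produces, picks the inventory row from the DOPPLER_PROJECT value Doppler injects into every config, and reports keys that are missing, unexpected, or left empty. The expected key sets are transcribed from the table above (entries described only in words are left out); the sample export and its values are constructed.

```python
import re

# Expected keys per Doppler project, transcribed from the table above;
# entries the table describes only in words have no key name and are omitted.
EXPECTED = {
    "oriz-firebase": {"MICROSOFT_OAUTH_CLIENT_ID", "MICROSOFT_OAUTH_CLIENT_SECRET",
                      "RECAPTCHA_ENTERPRISE_KEY"},
    "oriz-worker": {"HOOKDECK_SIGNING_SECRET", "RAZORPAY_KEY_ID", "RAZORPAY_SECRET",
                    "RESEND_API_KEY"},
    "oriz-omnipost": {"OMNIPOST_DEVTO_TOKEN", "OMNIPOST_HASHNODE_TOKEN"},
    "oriz-monitoring": {"SENTRY_DSN", "AXIOM_TOKEN", "BETTER_STACK_TOKEN"},
}
# Doppler injects these into every config; they are metadata, not secrets.
DOPPLER_META = {"DOPPLER_PROJECT", "DOPPLER_ENVIRONMENT", "DOPPLER_CONFIG"}
LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_dotenv(text):
    """Parse KEY="value" lines (Doppler's env export format) into a dict."""
    secrets = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue                      # blank, comment, or not KEY=value
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]           # drop the surrounding quotes
        secrets[key] = value
    return secrets

def check_export(text):
    """Diff an export against the inventory row for the project it names."""
    secrets = parse_dotenv(text)
    project = secrets.get("DOPPLER_PROJECT")
    if project not in EXPECTED:
        raise ValueError(f"unknown or missing DOPPLER_PROJECT: {project!r}")
    present = set(secrets) - DOPPLER_META
    return {
        "missing": sorted(EXPECTED[project] - present),
        "unexpected": sorted(present - EXPECTED[project]),
        "empty": sorted(k for k in present if not secrets[k]),
    }

# Constructed sample export: one key missing, one stray, one left empty.
SAMPLE_EXPORT = """\
DOPPLER_PROJECT="oriz-worker"
HOOKDECK_SIGNING_SECRET="whsec_constructed_example"
RAZORPAY_KEY_ID=""
RESEND_API_KEY="re_constructed_example"
SENTRY_DSN="https://example.invalid/1"
"""
```

Run it against a fresh export before a rotation and again after the sync, so a mirror that silently kept a stale or stray key shows up as drift rather than as a production outage.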

Why this is our pick

Implementation notes

Cross-refs
