Skip to main content
Core Concept

Type-safe config.
Zero guesswork.

Declare secrets and variables with Zod schemas. Every value is validated, typed, and manageable from the Console or environment.

Secrets DocsVariables Docs

Secrets

Secrets with superpowers

Declare once with wireSecret. Read anywhere with full type safety and runtime validation.

Schema-validated secrets

Every secret is declared with a Zod schema. If a value is missing or the wrong shape, your app fails fast at startup — not at 3 AM.

TypedSecretService

The generated service knows every secret name and its shape. getSecretJSON returns the exact type — no casting, no as any.

secrets.tswireSecret
// Declare a secret with a Zod schema
wireSecret({
  name: 'STRIPE_CONFIG',
  schema: z.object({
    apiKey: z.string().startsWith('sk_'),
    webhookSecret: z.string()
  })
})

// In your function — fully typed
const config = await secrets.getSecretJSON('STRIPE_CONFIG')
// config.apiKey   → string (autocompleted)
// config.webhookSecret → string (autocompleted)

Variables

Config that types itself

Same wireVariable pattern, same Zod schemas — but for non-sensitive configuration you can safely log and inspect.

variables.tswireVariable
// Declare a variable
wireVariable({
  name: 'FEATURE_FLAGS',
  schema: z.object({
    darkMode: z.boolean(),
    maxUploadMB: z.number().default(10)
  })
})

// Read it — typed and validated
const flags = await variables.getVariableJSON('FEATURE_FLAGS')
// flags.darkMode    → boolean
// flags.maxUploadMB → number

Secrets

  • Encrypted at rest
  • Never logged or exposed
  • API keys, passwords, tokens

Variables

  • Plain-text config
  • Safe to log and inspect
  • Feature flags, limits, URLs

OAuth2

Managed OAuth2 tokens

Declare credentials with wireOAuth2Credential — app secrets, token storage, authorization and token URLs. The OAuth2Client handles refresh, caching, and expiry automatically.

Two secrets, clear roles

secretId holds your app's clientId and clientSecret. tokenSecretId stores access and refresh tokens — updated automatically whenever a token is refreshed.

Console integration

Manage secrets, variables, and OAuth2 credentials per environment from the Console UI — no .env juggling.

oauth2.tswireOAuth2Credential
wireOAuth2Credential({
  name: 'slackOAuth',
  displayName: 'Slack OAuth',
  // Holds { clientId, clientSecret }
  secretId: 'SLACK_OAUTH_APP',
  // Updated automatically on token refresh
  tokenSecretId: 'SLACK_OAUTH_TOKENS',
  authorizationUrl: 'https://slack.com/oauth/v2/authorize',
  tokenUrl: 'https://slack.com/api/oauth.v2.access',
  scopes: ['chat:write', 'channels:read'],
})

// In your function — tokens refresh automatically
const response = await slackOAuth.request(
  'https://slack.com/api/chat.postMessage',
  {
    method: 'POST',
    body: JSON.stringify({ channel, text }),
  }
)
const data = await response.json()

Config done right

Type-safe secrets and variables with Zod validation. Manage everything from code or the Console.

Secrets Docs Variables Docs