Skip to content
FlareX
Working with apps & bots

Secrets

Environment variables for your app or bot — how they're encrypted, injected, and rotated.

Updated

Secrets are environment variables your bot reads at runtime. Typical examples: Discord bot tokens, API keys for external services (OpenWeather, Stripe, etc.), webhook URLs, AI provider API keys if your bot talks to an AI service.

How storage works

When you save a secret:

  1. The value is encrypted using the platform encryption key before it leaves the API.
  2. The ciphertext is stored in Postgres. The plaintext is never persisted.
  3. When a runner picks up a deploy, it decrypts secrets in-memory and passes them to the bot container as environment variables.
  4. The secret tab never shows the plaintext again. Only the key and the last-updated timestamp.
Lost plaintext = rotate

If you lose the plaintext value of a third-party secret, rotate it on the third-party side (generate a new token in the provider's dashboard) and save the new one in FlareX. FlareX can't recover the original for you.

Required secret: DISCORD_BOT_TOKEN

Every bot needs this. It's the token from the Discord Developer Portal Bot tab (not the client secret from OAuth2). See Discord Developer Portal → Step 3 if you need a refresher on getting it.

Optional: DATABASE_URL

If you enable the per-bot Postgres schema, FlareX automatically injects DATABASE_URL as a secret pointing at the bot's schema with a scoped role. You don't need to add it manually. See Databases.

Adding your own secrets

Key:   OPENWEATHER_API_KEY
Value: <your key>

Keys must be uppercase with underscores (standard env-var naming). The panel validates this.

You can set a key once and reuse it across versions — secrets don't version with the bot source.

Rotating a secret

Click the secret row → Edit. Paste the new value. Save. The change takes effect on the next deploy (FlareX doesn't hot-swap secrets into a running container — a restart is required).

Heads up

If a secret is compromised (e.g., leaked in a git repo), rotate it on the third-party side first, then update FlareX. Otherwise attackers keep working until you update the value here.

Deleting a secret

Click the row → Delete. The next deploy won't include this variable. Your bot code should handle missing env vars gracefully (typically with a startup sanity check that fails fast with a clear error).

What's not allowed

  • Binary secrets (certificates, keystores). Use base64 encoding + decode at runtime if you must.
  • Secrets larger than 64 KB. Store the secret externally and fetch on boot.
  • Secrets with names that collide with reserved FlareX runtime variables (we prefix those — you'll see a validation error).

Audit trail

Every secret create, update, and delete writes an audit_events entry with the actor, bot, key name, and timestamp (values themselves are not logged). Workspace owners can review the log under Settings → Audit.

PreviousManaging apps & botsNextDeployments
Secrets · FlareX