← v16 index

Secrets · /studio/:slug/secrets

per-secret policy · creator-override vs user-vault (PR #53)
v16 · Studio
DESKTOP · 1440px · TAB: SECRETS
floom.dev/studio/flyfast/secrets
studio flyfast Secrets
LIVE
Overview Runs 712 Secrets 4 Access Renderer Analytics v1.1
SECRETS · 4 CONFIGURED · 0 MISSING

Environment variables

Each secret has a policy. Creator vault = you provide the key, all users share it (and your cost). User vault = each user provides their own (zero cost to you, more friction for them). Values are encrypted at rest with AES-256-GCM.

Policy rule · PR #53. If a secret has user-vault, the /p/:slug run surface shows a "Connect your API key" step on first run. If creator-vault, your users don't see anything — they just run.
Docs →
SECRET NAME
POLICY
LAST USED
OPENAI_API_KEY
sk-pro****************************************8b2a
12s ago
AMADEUS_API_KEY
amd_*****************************e82f
2m ago
STRIPE_SECRET_KEY
Per-user. Each user supplies their own on first run.
218 users · last 7d
SUPABASE_SERVICE_KEY
eyJ******************************yIJ9
4m ago
ADD A SECRET

New env var

PASTE .ENV · BULK IMPORT
lines starting with # ignored · values encrypted before leaving your browser
AES-256-GCM at rest. Keys are scoped per-app and never exposed in logs, error messages, or client responses. Rotation triggers a 5-minute grace period where both old and new values work.
Read security →
MOBILE · 390px
floom.dev/studio/flyfast/secrets
flyfast / Secrets
F
4 CONFIGURED

Secrets

OPENAI_API_KEY
sk-pro****************8b2a
Creator vault 12s ago
AMADEUS_API_KEY
amd_*****************e82f
Creator vault 2m ago
STRIPE_SECRET_KEY
User vault 218 users
SUPABASE_SERVICE_KEY
eyJ******************yIJ9
Creator vault 4m ago
v16 notes — PR #53 UI
  • One row per env var. Policy toggle is the primary interaction — it changes cost ownership.
  • User-vault secrets show the count of users who provided them, not your key (you don't have one for those).
  • .env paste box encrypts values in the browser before POST. Lines with # are skipped. No diff tool — this page appends only.
  • Rotate triggers 5-min overlap. Old runs in flight finish with old value, new runs use new value.
  • Missing-secrets state (not shown): a yellow bar at the top reads "OPENAI_API_KEY is missing. First run will fail until set." with a pointer to the add-secret form.