
Manage project secrets in one place
Prefix rules: Only variables starting with VITE_ (web) or EXPO_PUBLIC_ (mobile) are exposed to the front end. All other variables remain server-only and are used by backend integrations such as Supabase. See Integrations.
Add a secret
1
Open the Secrets tab
Go to Settings → Secrets in your project.
2
Create a key/value
Add a clear key name and value.
- Use VITE_* for web variables visible to the UI
- Use EXPO_PUBLIC_* for mobile variables visible to the UI
- Omit these prefixes for server-only secrets
3
Save & apply
Click Save. If you change secrets for a live site/app, republish or restart your session to apply updates.
Never store private credentials with VITE_ or EXPO_PUBLIC_. These are delivered to the client and can be inspected by end users.
Visibility & access
- Front-end visible: Keys starting with VITE_ or EXPO_PUBLIC_ are readable by the UI (safe for public, non-sensitive values like URLs).
- Server-only: Unprefixed keys stay private and are used by backend flows (e.g., payments, webhooks, or AI calls).
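A pre-publish check for the prefix rule above, as an added example (not SteerCode code): it parses a dotenv-style key/value listing and flags VITE_ or EXPO_PUBLIC_ keys whose name or value looks like a private credential. The dotenv input format, the function names and the heuristics are assumptions, and the sample values are constructed.

```javascript
// Prefixes this page says are delivered to the client.
const PUBLIC_PREFIXES = ["VITE_", "EXPO_PUBLIC_"];

// Heuristics (assumptions, not SteerCode rules): key names and value shapes
// that usually indicate a private credential. A finding means "review this".
const SECRET_NAME = /(SECRET|PRIVATE|PASSWORD|TOKEN|SERVICE_ROLE)/i;
const SECRET_VALUE = [
  [/^sk_(live|test)_/, "Stripe secret key prefix"],
  [/-----BEGIN [A-Z ]*PRIVATE KEY-----/, "PEM private key"],
];

// Parse dotenv-style text: KEY=value, optional "export", quotes, # comments.
function parseEnv(text) {
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (m) out.push({ key: m[1], value: m[2].replace(/^(['"])(.*)\1$/, "$2") });
  }
  return out;
}

// Return one finding per public-prefixed key that looks like a secret.
function findExposedSecrets(text) {
  const findings = [];
  for (const { key, value } of parseEnv(text)) {
    const prefix = PUBLIC_PREFIXES.find((p) => key.startsWith(p));
    if (!prefix) continue; // unprefixed keys stay server-only
    const hit = SECRET_VALUE.find(([re]) => re.test(value));
    if (hit) findings.push({ key, reason: hit[1] });
    else if (SECRET_NAME.test(key.slice(prefix.length))) findings.push({ key, reason: "secret-like name" });
  }
  return findings;
}

// Constructed sample input (no real credentials).
const SAMPLE = `
# constructed example
VITE_API_URL=https://api.example.test
VITE_STRIPE_SECRET_KEY="sk_test_CONSTRUCTED000000"
EXPO_PUBLIC_AUTH_TOKEN=abc123-constructed
STRIPE_SECRET_KEY=sk_test_CONSTRUCTED000000
VITE_STRIPE_PUBLISHABLE_KEY=pk_test_CONSTRUCTED000000
`;

console.log(findExposedSecrets(SAMPLE));
```

Any key it reports should be renamed without the public prefix and its credential rotated at the provider, since a value already published to the client must be treated as disclosed.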
Rotating or removing secrets
1
Rotate at the provider
Create a new key/secret in your third-party provider (e.g., Stripe, Google).
2
Update in SteerCode
Replace the old value in Settings → Secrets and save.
3
Republish or restart
Republish your site/app or restart your environment to ensure the new secret
is in use.
Keep consistent names across environments (dev/staging/prod) to simplify
management, and document what each secret controls in your Project Plan.
Troubleshooting
A feature relying on a secret isn’t working
- Confirm the secret exists in Settings → Secrets and is spelled correctly
- Verify whether it should be front-end visible (VITE_ / EXPO_PUBLIC_) or server-only
- Republish/restart after changes
I accidentally exposed a private key
- Remove or rename it without public prefixes
- Rotate the credential with the provider immediately
- Republish your site/app
OAuth or callback errors
- Double-check provider redirect URLs and app settings
- Ensure required client IDs/secrets are saved in Secrets
- See Integrations for provider-specific steps