> ## Documentation Index
> Fetch the complete documentation index at: https://docs.steercode.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Learn how to manage secrets in SteerCode

<Frame caption="Manage project secrets in one place">
  <img src="https://mintcdn.com/steercode/l9csF7jAQiR_B1h5/images/secrets-web.png?fit=max&auto=format&n=l9csF7jAQiR_B1h5&q=85&s=baf988873516a327a1e53ca47b141e42" alt="Secrets management screen in SteerCode" width="2054" height="1110" data-path="images/secrets-web.png" />
</Frame>

Use **Settings → Secrets** to securely store configuration for your project. Secrets are **encrypted at rest** and scoped to a single project. You never need to write code—SteerCode and its integrations use your saved secrets automatically.

<Info>
  **Prefix rules:** Only variables starting with **`VITE_`** (web) or
  **`EXPO_PUBLIC_`** (mobile) are exposed to the front end. All other variables
  remain **server-only** and are used by backend integrations such as Supabase.
  See <a href="/how-to/integrations">Integrations</a>.
</Info>

## Add a secret

<Steps>
  <Step title="Open the Secrets tab">
    Go to **Settings → Secrets** in your project.
  </Step>

  <Step title="Create a key/value">
    Add a clear key name and value. - Use **`VITE_*`** for web variables visible
    to the UI - Use **`EXPO_PUBLIC_*`** for mobile variables visible to the UI -
    Omit these prefixes for **server-only** secrets
  </Step>

  <Step title="Save & apply">
    Click **Save**. If you change secrets for a live site/app, **republish** or **restart** your session to apply updates.
  </Step>
</Steps>

<Warning>
  Never store private credentials with `VITE_` or `EXPO_PUBLIC_`. These are
  delivered to the client and can be inspected by end users.
</Warning>

## Visibility & access

* **Front-end visible:** Keys starting with `VITE_` or `EXPO_PUBLIC_` are readable by the UI (safe for public, non-sensitive values like URLs).
* **Server-only:** Unprefixed keys stay private and are used by backend flows (e.g., payments, webhooks, or AI calls).

## Rotating or removing secrets

<Steps>
  <Step title="Rotate at the provider">
    Create a new key/secret in your third-party provider (e.g., Stripe, Google).
  </Step>

  <Step title="Update in SteerCode">
    Replace the old value in **Settings → Secrets** and save.
  </Step>

  <Step title="Republish or restart">
    Republish your site/app or restart your environment to ensure the new secret
    is in use.
  </Step>
</Steps>

<Tip>
  Keep consistent names across environments (dev/staging/prod) to simplify
  management, and document what each secret controls in your Project Plan.
</Tip>

## Troubleshooting

<AccordionGroup>
  <Accordion title="A feature relying on a secret isn’t working">
    * Confirm the secret exists in **Settings → Secrets** and is spelled correctly
    * Verify whether it should be **front-end visible** (`VITE_` / `EXPO_PUBLIC_`) or **server-only**
    * Republish/restart after changes
  </Accordion>

  <Accordion title="I accidentally exposed a private key">
    * Remove or rename it without public prefixes - **Rotate the credential** with
      the provider immediately - Republish your site/app
  </Accordion>

  <Accordion title="OAuth or callback errors">
    * Double-check provider redirect URLs and app settings
    * Ensure required client IDs/secrets are saved in **Secrets**
    * See <a href="/how-to/integrations">Integrations</a> for provider-specific steps
  </Accordion>
</AccordionGroup>
