Variables and Secrets Management

Overview

Every application needs configuration — API endpoints, feature flags, database passwords, third-party API keys. Variables & Secrets let you manage all of this without hardcoding values in your code.
Cerebrum manages variables. Just say “add the OpenAI API key” or “set DEBUG to true” — Cerebrum will configure it. The details below explain how variables and secrets work.

Variables

Plain text configuration visible in the UI. Use for non-sensitive settings like endpoints, flags, and paths.

Secrets

Encrypted values hidden from view. Use for passwords, API keys, tokens, and anything sensitive.
Variables and Secrets are configured per service and injected as environment variables at runtime — both in dev containers and production deployments.

Why Use Variables & Secrets

Keep secrets out of code

Never commit passwords or API keys to your repository. Store them securely in Ardor.

Environment-specific config

Same code, different configs. Switch between dev/staging/prod without changing code.

Easy updates

Change a value once in the UI — no redeployment needed for dev containers.

Team-friendly

Share configuration without sharing actual secret values. Team members see masked data.

Variables vs Secrets

| | Variables | Secrets |
|---|---|---|
| Visibility | Visible in UI | Masked (••••••••) |
| Storage | Plain text | Encrypted |
| Use for | Endpoints, flags, paths | Passwords, API keys, tokens |
| Editable | View and edit freely | Edit without seeing current value |
Rule of thumb: Passwords, API keys, tokens? Always a Secret. They’re stored encrypted in Ardor and never touch your code — only references to them do. Your GitHub repo stays clean.

Adding Variables & Secrets

1. Open Service Settings: Navigate to your service and open the Variables & Secrets section.
2. Add Variable or Secret: Click Add Variable or Add Secret, enter a name and value.
3. Save: Changes apply to dev container immediately. For production, redeploy your service.

Naming Conventions

Environment variable names should be:
  • UPPERCASE with underscores: DATABASE_URL, API_KEY, DEBUG_MODE
  • Descriptive: POSTGRES_PASSWORD not PW
  • Prefixed for clarity: REDIS_HOST, REDIS_PORT, REDIS_PASSWORD
Some names are reserved by the system (like PORT). Ardor will warn you if you try to use a reserved name.

Common Use Cases

Connect to PostgreSQL, MySQL, or other databases:
| Variable | Type | Example |
|---|---|---|
| DATABASE_HOST | Variable | postgres-service.internal |
| DATABASE_PORT | Variable | 5432 |
| DATABASE_NAME | Variable | myapp |
| DATABASE_USER | Variable | admin |
| DATABASE_PASSWORD | Secret | •••••••• |
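```python
import os
from urllib.parse import quote

# URL-encode the password so characters such as @, : or / do not break the URL
password = quote(os.environ['DATABASE_PASSWORD'], safe='')
db_url = f"postgresql://{os.environ['DATABASE_USER']}:{password}@{os.environ['DATABASE_HOST']}:{os.environ['DATABASE_PORT']}/{os.environ['DATABASE_NAME']}"
```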

Reading Variables in Code

Variables and Secrets are injected as environment variables. Here’s how to read them:
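```python
import os

# Required variable (raises KeyError if missing)
api_key = os.environ['API_KEY']

# Optional with default; environment values are always strings,
# so compare explicitly instead of relying on truthiness
debug = os.environ.get('DEBUG', 'false').lower() == 'true'
port = int(os.environ.get('PORT', '8080'))
```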

Frontend Services

For frontend services (React, Vue, Next.js, etc.), variables and secrets are composed into a .env file at build time. Use them in your Dockerfile:
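```dockerfile
# Build-time value, copied into the environment so the build step can read it
ARG VITE_API_URL
ENV VITE_API_URL=$VITE_API_URL

# The bundler inlines VITE_-prefixed values into the built code
RUN npm run build
```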
Frontend variables typically need a prefix depending on your framework:
  • Vite: VITE_
  • Create React App: REACT_APP_
  • Next.js: NEXT_PUBLIC_
Frontend variables are embedded in the built code and visible to users. Never put secrets in frontend variables!
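
A pre-deploy check for the warning above, as an added example that is not part of Ardor's documentation or tooling: it flags variables that carry a browser-exposed prefix but are named like credentials, and searches the build output for the values of known secrets. The hint pattern, function names and sample values are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Prefixes the page lists as exposed to the browser by each framework.
PUBLIC_PREFIXES = ("VITE_", "REACT_APP_", "NEXT_PUBLIC_")
# Assumption: name fragments that usually indicate a credential.
SECRET_HINTS = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|API_KEY)")


def risky_public_names(env):
    """Return names that carry a public prefix but look like credentials."""
    return sorted(
        name for name in env
        if name.startswith(PUBLIC_PREFIXES) and SECRET_HINTS.search(name)
    )


def leaked_in_bundle(build_dir, env, secret_names):
    """Return (file, variable name) pairs where a secret's value is in the build."""
    hits = []
    for path in sorted(Path(build_dir).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        for name in secret_names:
            value = env.get(name, "")
            # Skip very short values to avoid matching ordinary substrings.
            if len(value) >= 8 and value in text:
                hits.append((path.name, name))
    return hits


def demo():
    # Constructed sample environment and bundle; none of these values are real.
    env = {
        "VITE_API_URL": "https://api.example.test",
        "VITE_STRIPE_SECRET_KEY": "constructed-key-value-0001",
        "DATABASE_PASSWORD": "constructed-db-pass",
    }
    with tempfile.TemporaryDirectory() as d:
        Path(d, "index.js").write_text(
            'fetch("https://api.example.test",{headers:{k:"constructed-key-value-0001"}})'
        )
        names = risky_public_names(env)
        secrets = ["VITE_STRIPE_SECRET_KEY", "DATABASE_PASSWORD"]
        return names, leaked_in_bundle(d, env, secrets)
```

Run it after the build step and fail the pipeline when either list is non-empty.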

When Changes Apply

| Environment | Variables | Secrets |
|---|---|---|
| Dev Container | Restart container | Restart container |
| Production | Redeploy service | Redeploy service |
Dev containers restart automatically when you save variable changes. For production, you need to trigger a new deployment.

Security

How Secrets Are Protected

  • Encrypted at rest — Secrets are stored encrypted in the database
  • Masked by default — Shown as ••••••••, but you can reveal them by clicking the eye icon
  • Secure injection — Passed to containers via secure environment, never logged
  • No export — Cannot be exported or downloaded in bulk

Best Practices

API keys, passwords, tokens, private keys — if it grants access to something, it’s a secret.
Be careful with debug logging. Never print environment variables that might contain secrets.
Change passwords and API keys periodically. Update the secret in Ardor, redeploy, done.
STRIPE_SECRET_KEY is better than KEY1. Future you will thank present you.
Only add secrets that a service actually needs. Don’t share database passwords with services that don’t use the database.

Troubleshooting

Cause: Container hasn’t restarted after adding the variable.
Solution: Restart the dev container or redeploy the service.

Cause: Typo in variable name or old cached value.
Solution:
  • Check the exact variable name (case-sensitive!)
  • Restart container to pick up latest values

Cause: Your code is logging environment variables.
Solution: Review your logging code. Never log os.environ or similar dumps.

Cause: Missing framework prefix or variable added after build.
Solution:
  • Add required prefix (VITE_, REACT_APP_, etc.)
  • Rebuild and redeploy the frontend
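
A logging backstop for the advice under Best Practices and Troubleshooting about not printing environment variables, added here as an example and not taken from Ardor: a logging.Filter that masks the values of sensitive-looking variables even when the whole environment is dumped. The name pattern, class name and sample values are assumptions.

```python
import io
import logging
import re

# Assumption: name fragments that mark an environment variable as sensitive.
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|TOKEN|KEY)", re.IGNORECASE)


class RedactSecrets(logging.Filter):
    """Replace the values of sensitive environment variables in log output."""

    def __init__(self, env, min_len=6):
        super().__init__()
        # Longest values first so a value containing another is masked whole.
        self.values = sorted(
            (v for k, v in env.items()
             if SENSITIVE_NAME.search(k) and len(v) >= min_len),
            key=len, reverse=True,
        )

    def filter(self, record):
        # Render the message with its arguments first, then mask it, so
        # secrets passed as %s arguments (or a dumped dict) are also covered.
        message = record.getMessage()
        for value in self.values:
            message = message.replace(value, "••••••••")
        record.msg, record.args = message, None
        return True


def demo():
    # Constructed sample environment; the values are not real credentials.
    env = {"API_KEY": "constructed-api-key-123", "DEBUG": "true",
           "DATABASE_PASSWORD": "constructed-db-pass"}
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSecrets(env))
    log = logging.getLogger("redaction_demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    log.info("environment dump: %s", env)   # the mistake the page warns about
    log.info("calling API with key %s", env["API_KEY"])
    log.removeHandler(handler)
    return stream.getvalue()
```

Attach the filter to every handler; it only masks exact values, so an encoded or truncated copy of a secret still gets through.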
