When deploying to a live environment such as production, you should use a Doppler Service Token for ease of configuration and additional security.

Unlike a CLI token created by running doppler setup, a service token provides read-only access for a single project and config, adhering to the principle of least privilege in ensuring an application only has access to the secrets it needs.

🚧

Doppler CLI required

The Doppler CLI is also required in live environments for accessing secrets from Doppler's API

Generating a Service Token

To generate a Service Token:

1. Go to a project, then select a config.
2. Click the Access tab.
3. Click on Generate Service Token, giving it a name.
4. Click the Generate Service Token button and the service token will be revealed.
5. Copy the token to your clipboard and store somewhere secure as it will not be shown again.

Using a Sevice Token

When the DOPPLER_TOKEN environment variable is set with the value of the Service Token, the Doppler CLI uses it to fetch the latest version of the secrets for a specific project and config with no manual configuration of the environment required.

The DOPPLER_TOKEN environment variable will typically be set in the build or deployment phase for the application to access at runtime, e.g. via a Terraform variable.

# Expects `DOPPLER_TOKEN` to be set with the service token value
doppler run -- ./server-start

Revoking a Token

Revoking a service token is non-reversible and will immediately prevent all access to the config. To revoke a token, click the Revoke button for the token you'd like to remove.

🚧

Revoking a token and the secrets fallback file

If a token is revoked, this will prevent access to the latest version of the secrets, but the CLI will continue to provide the last accessed version of the secrets (if it has previously been able to access the secrets) due to the encrypted fallback file being stored on disk.