When deploying to a live environment such as production, you should use a Doppler Service Token for ease of configuration and additional security.
Unlike a CLI token created by running doppler setup
, a service token provides read-only access for a single project and config, adhering to the principle of least privilege in ensuring an application only has access to the secrets it needs.
Doppler CLI required
The Doppler CLI is also required in live environments for accessing secrets from Doppler's API
Generating a Service Token
To generate a Service Token:
- Go to a project, then select a config.
- Click the Access tab.
- Click on Generate Service Token, giving it a name.
- Click the Generate Service Token button and the service token will be revealed.
- Copy the token to your clipboard and store somewhere secure as it will not be shown again.


Using a Sevice Token
When the DOPPLER_TOKEN
environment variable is set with the value of the Service Token, the Doppler CLI uses it to fetch the latest version of the secrets for a specific project and config with no manual configuration of the environment required.
The DOPPLER_TOKEN
environment variable will typically be set in the build or deployment phase for the application to access at runtime, e.g. via a Terraform variable.
# Expects `DOPPLER_TOKEN` to be set with the service token value
doppler run -- ./server-start
Revoking a Token
Revoking a service token is non-reversible and will immediately prevent all access to the config. To revoke a token, click the Revoke button for the token you'd like to remove.
Revoking a token and the secrets fallback file
If a token is revoked, this will prevent access to the latest version of the secrets, but the CLI will continue to provide the last accessed version of the secrets (if it has previously been able to access the secrets) due to the encrypted fallback file being stored on disk.
Updated about a month ago
What's Next
Root Configs |
Branch Configs |
Trusted IPs |