Secret Visibility
Learn about secret visibility β how it works and how to use it!
While we secure every value we receive in the same manner, we recognize that organizations store many types of data in Doppler, ranging from non-sensitive values, such as database ports, to highly sensitive values, like database passwords. The difference in sensitivity means organizations often want to interact with the values differently. For instance, database passwords may not be intended to be viewable once they're saved, while a port can always be viewed without requiring an action to reveal it. That's where secret visibility comes in.
Overview
Visibility | Dashboard Retrieval | Programmatic Retrieval | Integration Syncs |
---|---|---|---|
Unmasked | Always displayed - does not require an intention to reveal | Retrievable via any token type | Supported |
Masked | Masked - **** - by default. Value can be revealed by clicking on it | Retrievable via any token type | Supported |
Restricted | Not viewable in the dashboard after it is saved | Retrievable only via non-user tokens (e.g. a service token) | Supported |
Unmasked Visibility
Unmasked values are always visible in the dashboard - their value is never masked or hidden in any retrieval mechanism.
Masked Visibility
Masked values are not displayed in the dashboard until there is an intent performed by the user to reveal the value - typically a mouse click.
Restricted Visibility
Once a value is set to Restricted, you will never be able to view it in the dashboard again.
Restricted values are not visible in the dashboard once they are saved; as well, they are only visible when retrieved programmatically if the authentication method is a service token. The value is not returned if the authentication method is tied to a user identity (like a personal token or CLI token). Restricted values are also supported in integration syncs.
CLI
CLI behavior varies depending on the version of the Doppler CLI that you're using. We recommend using v3.58.0 or higher.
- All CLI versions when using a personal token or CLI token
- Will return a
403
when usingdoppler secrets download
ordoppler run
- Will return a
- CLI version
v3.58.0
, or newer, when using a personal token or CLI token- Restricted secret values will appear as
[RESTRICTED]
in the printed table - Restricted secret values will be
null
when outputting json (via the--json
flag, withdoppler secrets
ordoppler secrets get
)
- Restricted secret values will appear as
- CLI version
v3.57.1
, or older, when using a personal token or CLI token- Restricted secret values will appear as an empty cell in the printed table
- Restricted secret values will be an empty string (
""
) when outputting json (via the--json
flag, withdoppler secrets
ordoppler secrets get
)
Empty Values
Empty values will be displayed as 'empty', regardless of the visibility. This allows you to distinguish between restricted secrets with and without a value.
Visibility Filters
At the top of each config, clicking Filter allows you to filter by specific visibility.
Changing a Secret's Visibility
A secret's visibility can be adjusted by clicking the visibility icon next to the secret's name.
- An unmasked or masked value can be set to any visibility at any time
- A restricted value can only changed to a more permissive visbility (masked or unmasked) when also changing its value. This limitation is to prevent leaking the restricted value
Cascading Changes
Learn more about how the visibility of a secret is handled when cascading changes to other environments on save in our Secrets page.
Updated 13 days ago