The Doppler API is organized around REST. Our API has predictable resource-oriented URLs, accepts JSON-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs.


The API uses Doppler tokens to authenticate requests. You can generate and manage your tokens in the dashboard on the Tokens page.


Tokens carry many privileges, so be sure to keep them secure! Do not store your secret tokens in an .env file or share them in publicly accessible areas such as GitHub or client-side code.

There are four types of tokens:

Personal Token

  • Full read/write access to all resources on your account
  • Generated from the Doppler Dashboard > Tokens > Personal

Service Tokens

  • Access to secrets for a specific config
  • Generated from the Doppler Dashboard > Project > Config > Access

Authentication to the API is performed via HTTP Basic Access Authentication. Provide your token as the basic auth username. You do not need to provide a password but you may provide any value if your HTTP client requires it.

curl --request GET \
    --url '' \
    --user "<TOKEN>:"

SCIM Token

  • Full read/write access to users and groups for your workplace. Used by SSO providers
  • Generated from the Doppler Dashboard > Tokens > SCIM (requires SCIM to be enabled)

Audit Token

  • Read-only access to the workplace activity log used for auditing purposes by partner integrations
  • Generated from the Doppler Dashboard > Tokens > Audit

All API requests must be made over HTTPS. Calls made over plain HTTP will redirect to HTTPS. API requests without authentication may also fail.

Rate Limits

Doppler's servers enforce rate limits to ensure our APIs are responsive as we grow. The first rate limit is tied to an individual IP address and set to 240 requests per minute. The second rate limit is tied to an individual API key and set to 240 requests per minute. Most of the time these rate limits overlap but can differ when you take into account failed authorization attempts. If your team would like a higher rate limit, please reach out to our sales team.
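
The authentication, HTTPS and rate-limit rules above, combined as client-side helpers. This is an added example, not Doppler's own code: the names `basic_auth_header`, `build_request` and `MinuteWindow` are hypothetical, and the endpoint URL is supplied by the caller.

```python
import base64
import time
import urllib.request
from collections import deque
from urllib.parse import urlsplit

LIMIT_PER_MINUTE = 240  # per-IP and per-token limit stated on this page


def basic_auth_header(token: str) -> str:
    """Token goes in the Basic auth username slot; the password stays empty."""
    if not token or ":" in token:
        # A Basic auth user-id cannot contain ':' (RFC 7617).
        raise ValueError("token must be non-empty and must not contain ':'")
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def build_request(url: str, token: str) -> urllib.request.Request:
    """Build an authenticated GET, refusing any URL that is not HTTPS.

    A plain-HTTP call is redirected, but only after the Authorization
    header has already crossed the network in cleartext.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a token to a non-HTTPS URL")
    headers = {"Authorization": basic_auth_header(token),
               "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


class MinuteWindow:
    """Sliding 60-second window that keeps one client under the limit."""

    def __init__(self, limit=LIMIT_PER_MINUTE, clock=time.monotonic):
        self.limit, self.clock, self.sent = limit, clock, deque()

    def reserve(self) -> float:
        """Return 0.0 and record a send, or the seconds to wait first."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60:
            self.sent.popleft()  # forget sends older than one minute
        if len(self.sent) >= self.limit:
            return 60 - (now - self.sent[0])
        self.sent.append(now)
        return 0.0
```

Pass the returned request to `urllib.request.urlopen` once `reserve()` returns 0.0, and load the token at runtime instead of writing it into source.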


Doppler uses conventional HTTP response codes to indicate the success or failure of an API request. In general: Codes in the 2xx range indicate success. Codes in the 4xx range indicate a request that failed given the information provided (e.g., a required parameter was omitted). Codes in the 5xx range indicate an error with Doppler's servers (these are rare).