Secrets

Secrets are encrypted at rest. Only the names go in floom.yaml; the values are set separately and injected as environment variables at run time.

Set via CLI

Terminal
# Set a secret via stdin (never echoed to shell history)
npx @floomhq/cli@latest secrets set my-app OPENAI_API_KEY --value-stdin
  • Use --value-stdin to keep the value out of shell history.
  • Names must be uppercase letters, digits, and underscores, e.g. OPENAI_API_KEY.
  • Undeclared secrets are never injected, even if the values exist.

Set via REST

REST API
# REST equivalent
curl -X PUT https://floom.dev/api/apps/my-app/secrets \
  -H 'Authorization: Bearer YOUR_AGENT_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"name":"OPENAI_API_KEY","value":"sk-..."}'

Requires an agent token with publish scope.
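
A curl command written as above puts the secret value and the token on the command line, where shell history and the process list can record them. The following added example (not Floom's own code) builds the same PUT request as a curl config fed over stdin, and checks the name rule before sending. The helper names and the FLOOM_TOKEN environment variable are assumptions.

```sh
#!/bin/sh
# Added example: hypothetical helpers, not part of the Floom CLI.

# Name rule from the page: uppercase letters, digits and underscores only.
# The subshell body pins the C locale so A-Z cannot match lowercase letters.
valid_secret_name() (
  LC_ALL=C
  case $1 in
    '' | *[!A-Z0-9_]*) exit 1 ;;
  esac
  exit 0
)

# Backslash-escape \ and ", the escaping shared by JSON strings and quoted
# curl config values. printf is a shell builtin, so $1 never appears in argv.
esc() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Succeed only if $1 has no control characters (esc does not encode those).
no_ctrl() {
  [ "$(printf '%s' "$1" | LC_ALL=C tr -d '\000-\037\177')" = "$1" ]
}

# Print a curl config for PUT /api/apps/<slug>/secrets.
# Args: slug, secret name, secret value, agent token.
secret_put_config() {
  valid_secret_name "$2" || { echo "invalid secret name" >&2; return 2; }
  no_ctrl "$1" && no_ctrl "$3" && no_ctrl "$4" ||
    { echo "control character in input" >&2; return 2; }
  body="{\"name\":\"$2\",\"value\":\"$(esc "$3")\"}"
  printf 'url = "https://floom.dev/api/apps/%s/secrets"\n' "$(esc "$1")"
  printf 'request = "PUT"\n'
  printf 'header = "Authorization: Bearer %s"\n' "$(esc "$4")"
  printf 'header = "Content-Type: application/json"\n'
  printf 'data = "%s"\n' "$(esc "$body")"
}

# Read the value from the first line of stdin and send it with curl.
# FLOOM_TOKEN is an assumed environment variable holding the agent token.
put_secret() {
  IFS= read -r value || [ -n "$value" ] || { echo "no value on stdin" >&2; return 2; }
  cfg=$(secret_put_config "$1" "$2" "$value" "${FLOOM_TOKEN:?set FLOOM_TOKEN}") || return
  printf '%s\n' "$cfg" | curl -sS --fail --config -
}
```

Call it as put_secret my-app OPENAI_API_KEY with the value piped in from a file or a password manager.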

Delete a secret

Send DELETE /api/apps/:slug/secrets with the secret name in the request body:

Delete a secret
curl -X DELETE https://floom.dev/api/apps/<slug>/secrets \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"GMAIL_USER"}'

Rules

  • Secret values are never visible in logs or the browser UI.
  • Values are scoped to a single app slug, not shared across apps.
  • Declaring a secret name in floom.yaml is required; the value must be set separately before the first run that needs it.

Last updated: 2026-05-04 · Floom v0.4