SecretSpec separates secret declaration from secret provisioning. You define the secrets your application needs in a secretspec.toml file, and each developer, CI system, and production environment can supply those secrets from their own preferred secure provider — keyring, 1Password, dotenv, environment variables, and more — without any changes to your application code.
Quick start
Follow the SecretSpec quickstart guide to create your first secretspec.toml and connect a provider.
Runtime loading (best practice)
The recommended way to use SecretSpec with devenv is to load secrets at runtime, scoped only to the processes that need them. Running secretspec run inside the devenv shell keeps secrets out of your broader shell environment and limits exposure to the processes that actually require them.
You can also load secrets directly in your application using the Rust SDK for type-safe secret access.
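The difference between shell-wide export and process-scoped loading, as an added example that is not part of the devenv or SecretSpec documentation: the provider lookup is a constructed stand-in for a SecretSpec provider, and DATABASE_URL is an assumed secret name, not anything the real tool defines.

```shell
#!/bin/sh
# Added example (not devenv's or SecretSpec's own code). It contrasts
# exporting a secret into the whole shell with injecting it only into one
# child process, which is the behaviour `secretspec run` gives you inside
# the devenv shell. lookup_secret is a constructed stand-in for a provider.

# Hypothetical provider: returns a constructed value for a named secret,
# and fails (non-zero) for secrets it does not know about.
lookup_secret() {
    case "$1" in
        DATABASE_URL) printf '%s' 'postgres://app:s3cr3t@localhost/app' ;;
        *) return 1 ;;
    esac
}

# Anti-pattern: export into the current shell. Every later command,
# subshell and tool started from this shell now inherits the secret.
load_into_shell() {
    DATABASE_URL=$(lookup_secret DATABASE_URL) || return 1
    export DATABASE_URL
}

# Runtime loading: the secret exists only in the child's environment.
# A missing secret is an error rather than an empty value, and the
# temporary shell variable is cleared once the child has been started.
run_scoped() {
    _name=$1; shift
    _value=$(lookup_secret "$_name") || return 1
    env "$_name=$_value" "$@"
    _rc=$?
    unset _value
    return $_rc
}

# Reports whether the *calling* shell's environment carries the secret.
shell_env_state() {
    if env | grep -q '^DATABASE_URL='; then echo leaked; else echo clean; fi
}
```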
Configuration (optional)
If you need secrets available in the devenv shell environment itself, you can enable SecretSpec via CLI flags or devenv.yaml.
Via CLI flags (devenv 2.0+)
Override the provider and profile directly on the command line:
Via devenv.yaml
CLI flags take precedence over devenv.yaml values.
Accessing secrets in devenv.nix
Once SecretSpec is enabled, loaded secrets are available under config.secretspec.secrets:
Cachix auth token from a non-default secret name
When resolving the Cachix auth token from SecretSpec, devenv looks up a secret named CACHIX_AUTH_TOKEN by default. If your provider's policy (e.g. an OpenBao/Vault policy) only grants access to a secret under a different name, set secretspec.cachix_auth_token to that name:
cachix_auth_token is a secret name declared in secretspec.toml, not the token value itself. The environment variable and the cachix push daemon still use CACHIX_AUTH_TOKEN — that is what the Cachix CLI reads.
Learn more
- SecretSpec documentation
- Providers — Keyring, 1Password, dotenv, and more
- Profiles — Environment-specific configurations
- Rust SDK — Type-safe secret loading in application code
