Secrets allow you to securely store and inject sensitive data into your environments. These include API keys, access tokens, credentials, and certificates that your applications need but shouldn’t be exposed in your source code. Secrets are configured at three levels: organization, project, or user. They are automatically made available to any environment launched from that project. This ensures consistent and secure access to sensitive data across your development workflow.

Secret Precedence

When secrets with the same name exist at different levels, they follow a strict precedence order:
  1. User Secrets - Highest precedence
  2. Project Secrets - Middle precedence
  3. Organization Secrets - Lowest precedence
This means:
  • User secrets override both project and organization secrets with the same name and mount
  • Project secrets override organization secrets with the same name
  • Organization secrets have the lowest priority
Learn more about managing organization secrets, project secrets, or user secrets.

Encryption of Secrets

All secrets you create are protected with industry-standard encryption. Secrets can only be retrieved by environments created from your projects (for Project secrets) or your user (for User secrets). We use AES256-GCM to encrypt all secrets at rest in the database, with an additional layer of protection through AWS RDS encryption. This dual-layer approach ensures your sensitive data remains secure both at the application level and infrastructure level. In transit, all secrets are encrypted using TLS. Ona employees do not have access to the encryption keys and cannot decrypt your secrets.

Types of Secrets

Ona supports multiple types of secrets to accommodate different needs: Each type of secret serves a specific purpose in your development workflow. Click the links above to learn more about how to use each type effectively.