Env Vars And Secrets

BeamUp injects runtime env vars and secrets as literal UTF-8 strings when a runtime starts. Your Gleam application owns parsing, validation, and defaults. BeamUp does not generate compiler-checked configuration modules in SLC v1.

Configuration changes apply to future runtime starts. Updating or deleting a key does not mutate an already-running process; redeploy to start with the new configuration.

Keys must:

  • Be 1-128 bytes.
  • Use uppercase ASCII letters, digits, and underscores.
  • Start with an uppercase ASCII letter or underscore.

Values must be non-empty UTF-8 strings from 1 to 4,096 bytes.

PORT and PATH are platform-owned. Do not set them as app configuration.

Set an env var:

beamup --app hello-gleam env set FEATURE_FLAG=enabled

List env var keys:

beamup --app hello-gleam env list

Delete an env var:

beamup --app hello-gleam env delete FEATURE_FLAG

List and mutation output includes key metadata only. Values are accepted on set and are not returned by CLI output, dashboard lists, JSON output, API errors, or server logs.

Set a secret:

beamup --app hello-gleam env set DATABASE_URL=<database-url> --secret

List secret keys:

beamup --app hello-gleam env list --secret

Delete a secret:

beamup --app hello-gleam env delete DATABASE_URL --secret

Secrets are write-only after submit. The CLI and dashboard list only metadata: key, creation time, and update time. Plaintext, ciphertext, nonces, tags, and encryption key IDs are not returned.

If shell history is a concern, use the dashboard secret form for manual entry. In automation, provide auth through BEAMUP_TOKEN and read secret values from a secure secret manager without printing them. Do not commit secrets to beamup.toml, .env, issue comments, or logs.

The runtime fails closed instead of guessing when:

  • A stored key is invalid.
  • The same key appears in both env vars and secrets.
  • A reserved key such as PORT or PATH is present.
  • A protected value cannot be decrypted.

The candidate deployment becomes unhealthy and the previous healthy active deployment remains active.
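
The key and value rules above, the reserved names, and the env-var/secret collision can be checked locally before anything is submitted, so a bad key is caught before a candidate deployment turns unhealthy. This is an added example, not BeamUp's own validation code: the function names are hypothetical, the sample value is constructed, and UTF-8 validity of values is not checked.

```sh
#!/bin/sh
# Added example: local pre-flight check for the key and value rules on this
# page. Function names are hypothetical; this is not part of the beamup CLI.
LC_ALL=C; export LC_ALL   # byte-wise [A-Z] matching, no locale surprises

# bytes STRING: byte length. printf is a builtin in bash and dash, so the
# string is not handed to another process as an argument.
bytes() { n=$(printf %s "$1" | wc -c); echo "$((n))"; }

# valid_key KEY: 1-128 bytes, only A-Z 0-9 _, starts with A-Z or _,
# and is not a platform-owned name.
valid_key() {
  case $1 in
    PORT|PATH)    return 1 ;;
    ''|[!A-Z_]*)  return 1 ;;
    *[!A-Z0-9_]*) return 1 ;;
  esac
  [ "$(bytes "$1")" -le 128 ]
}

# valid_value VALUE: 1-4096 bytes. UTF-8 validity is not checked here.
valid_value() {
  [ -n "$1" ] && [ "$(bytes "$1")" -le 4096 ]
}

# preflight "ENV_KEYS" "SECRET_KEYS": space-separated key names only.
# Reports by key name, never by value; returns 1 on any violation.
preflight() {
  rc=0; set -f            # no glob expansion while splitting the key lists
  for k in $1 $2; do
    valid_key "$k" || { echo "invalid or reserved key: $k" >&2; rc=1; }
  done
  for k in $1; do
    for s in $2; do
      [ "$k" != "$s" ] || { echo "key in both stores: $k" >&2; rc=1; }
    done
  done
  set +f
  return "$rc"
}

# Constructed sample: the value is length-checked but never echoed.
sample_value='postgres://constructed.invalid/db'
valid_value "$sample_value" && preflight "FEATURE_FLAG LOG_LEVEL" "DATABASE_URL"
```
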

BeamUp exact-match redacts currently configured secret values and non-empty multiline secret fragments before runtime log events are stored. This is a defense, not permission to log secrets. Application logs may still contain sensitive data in transformed or partial forms, so review logs before sharing.