Env Vars And Secrets
BeamUp injects runtime env vars and secrets as literal UTF-8 strings when a runtime starts. Your Gleam application owns parsing, validation, and defaults. BeamUp does not generate compiler-checked configuration modules in SLC v1.
Configuration changes apply to future runtime starts. Updating or deleting a key does not mutate an already-running process; redeploy to start with the new configuration.
Keys And Values
Section titled “Keys And Values”Keys must:
- Be 1-128 bytes.
- Use uppercase ASCII letters, digits, and underscores.
- Start with an uppercase ASCII letter or underscore.
Values must be non-empty UTF-8 strings from 1 to 4,096 bytes.
PORT and PATH are platform-owned. Do not set them as app configuration.
Env Vars
Section titled “Env Vars”Set an env var:
beamup --app hello-gleam env set FEATURE_FLAG=enabledList env var keys:
beamup --app hello-gleam env listDelete an env var:
beamup --app hello-gleam env delete FEATURE_FLAGList and mutation output includes key metadata only. Values are accepted on set and are not returned by CLI output, dashboard lists, JSON output, API errors, or server logs.
Secrets
Section titled “Secrets”Set a secret:
beamup --app hello-gleam env set DATABASE_URL=<database-url> --secretList secret keys:
beamup --app hello-gleam env list --secretDelete a secret:
beamup --app hello-gleam env delete DATABASE_URL --secretSecrets are write-only after submit. The CLI and dashboard list only metadata: key, creation time, and update time. Plaintext, ciphertext, nonces, tags, and encryption key IDs are not returned.
If shell history is a concern, use the dashboard secret form for manual entry.
In automation, provide auth through BEAMUP_TOKEN and read secret values from a
secure secret manager without printing them. Do not commit secrets to
beamup.toml, .env, issue comments, or logs.
Conflict And Failure Behavior
Section titled “Conflict And Failure Behavior”The runtime fails closed instead of guessing when:
- A stored key is invalid.
- The same key appears in both env vars and secrets.
- A reserved key such as
PORTorPATHis present. - A protected value cannot be decrypted.
The candidate deployment becomes unhealthy and the previous healthy active deployment remains active.
Logs And Redaction
Section titled “Logs And Redaction”BeamUp exact-match redacts currently configured secret values and non-empty multiline secret fragments before runtime log events are stored. This is a defense, not permission to log secrets. Application logs may still contain sensitive data in transformed or partial forms, so review logs before sharing.
