Features

Provider Import

Pull existing environment variables from external platforms into secr. Connect to Render, Vercel, Heroku, Netlify, Supabase, or Railway — preview what you'll get, then import with one click.

How It Works

  1. Connect — provide your provider API key and service/project identifier
  2. Preview — secr fetches all variables and shows them in a table
  3. Select — choose which variables to import (all selected by default)
  4. Import — selected variables are encrypted and stored as secr secrets

Security: Your provider credentials are used once to fetch variables, then immediately discarded. They are never stored in the database or written to logs.

Supported Providers

| Provider | ID Field | Where to Find It | Notes |
|----------|----------|------------------|-------|
| Render | Service ID | Service settings page (srv-...) | All env vars readable |
| Vercel | Project ID | Project settings > General | Sensitive vars show as empty |
| Heroku | App Name | Your app's URL slug | All config vars readable |
| Netlify | Site ID | Site configuration > General | Uses 'all' context, falls back to 'production' |
| Supabase | Project Ref | Project settings > General | All secrets readable |
| Railway | Project ID | Project settings | Sealed vars show as *** |

CLI Usage

Use secr import to import from a provider. Requires a linked project (.secr.json).

Basic usage
secr import --from <provider> --key <api-key> --service-id <id>

Examples

Render
secr import --from render \
  --key rnd_xxxxxxxxxxxx \
  --service-id srv-abc123def456

Vercel
secr import --from vercel \
  --key tok_xxxxxxxxxxxx \
  --service-id prj-abc123def456

Heroku
secr import --from heroku \
  --key h_xxxxxxxxxxxx \
  --service-id my-app-name

Netlify
secr import --from netlify \
  --key nfp_xxxxxxxxxxxx \
  --service-id abc123-def456-ghi789

Supabase
secr import --from supabase \
  --key sbp_xxxxxxxxxxxx \
  --service-id abcdefghijklmnop

Railway (with optional env & service scoping)
secr import --from railway \
  --key rw_xxxxxxxxxxxx \
  --service-id project-uuid \
  --railway-env env-uuid \
  --railway-service service-uuid

| Option | Required | Description |
|--------|----------|-------------|
| --from <provider> | Yes | Provider name: render, vercel, heroku, netlify, supabase, railway |
| --key <apiKey> | Yes | Provider API key or access token |
| --service-id <id> | Yes | Provider-specific service/project identifier |
| --env <environment> | No | Target environment (defaults to .secr.json setting) |
| --all | No | Import all variables without confirmation prompt |
| --railway-env <id> | No | Railway environment ID (Railway only) |
| --railway-service <id> | No | Railway service ID (Railway only) |

The CLI shows a preview table before importing. Use --all to skip the confirmation prompt (useful for CI scripts).

Dashboard Usage

  1. Navigate to your project's environment page
  2. Click “Import from Provider”
  3. Select your provider from the grid
  4. Enter your API key and service/project identifier
  5. Review the variable list — check or uncheck individual variables
  6. Click “Import”

Variables that the provider marks as sensitive or unreadable are shown but cannot be imported (they have no value). These are typically secrets that the provider encrypts and never exposes via API.

API Endpoints

Two endpoints power the import flow. Both require authentication and a verified email.

| Method | Path | Description |
|--------|------|-------------|
| POST | /v1/import/preview | Test connection and list available variables (no writes) |
| POST | /v1/import/execute | Import selected variables as encrypted secrets |

Preview Request Body

POST /v1/import/preview
{
  "config": {
    "provider": "heroku",
    "apiKey": "your-api-key",
    "appName": "my-app"
  },
  "orgSlug": "my-org",
  "projectSlug": "my-project",
  "envSlug": "development"
}

Preview Response

200 OK
{
  "provider": "heroku",
  "vars": [
    { "key": "DATABASE_URL", "value": "postgres://...", "sensitive": false },
    { "key": "SECRET_KEY", "value": "", "sensitive": true }
  ],
  "count": 2,
  "skipped": 1
}

Execute Request Body

POST /v1/import/execute
{
  "config": {
    "provider": "heroku",
    "apiKey": "your-api-key",
    "appName": "my-app"
  },
  "orgSlug": "my-org",
  "projectSlug": "my-project",
  "envSlug": "development",
  "selectedKeys": ["DATABASE_URL"]
}

Execute Response

200 OK
{
  "created": 1,
  "updated": 0,
  "total": 1
}

Provider Config Shapes

The config object varies by provider. Each uses a discriminated union on the provider field.

Provider configs
// Render
{ "provider": "render", "apiKey": "...", "serviceId": "srv-..." }

// Vercel
{ "provider": "vercel", "apiKey": "...", "projectId": "prj-..." }

// Heroku
{ "provider": "heroku", "apiKey": "...", "appName": "my-app" }

// Netlify
{ "provider": "netlify", "apiKey": "...", "siteId": "..." }

// Supabase
{ "provider": "supabase", "apiKey": "...", "projectRef": "..." }

// Railway
{ "provider": "railway", "apiKey": "...", "projectId": "...",
  "environmentId": "...",   // optional
  "serviceId": "..."        // optional
}

Sensitive Variables

Some providers restrict access to certain variable values:

  • Vercel — variables of type sensitive return empty values
  • Railway — sealed variables return *** instead of the actual value

These variables appear in the preview with a “sensitive” label but cannot be imported since the provider does not expose the plaintext value. You'll need to set those manually.
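
The provider config shapes and the sensitive-variable rule above, combined in an added Python example (not secr's own code): it validates a config against the union before it is sent, masks the API key for logging, and builds the execute body from a preview response while leaving out variables the provider did not expose. Function names are hypothetical; rejecting unexpected fields and the extra *** check are assumptions of this example, not documented secr behaviour.

```python
# Added example: field names follow "Provider Config Shapes"; function names are hypothetical.
# provider -> (required identifier field, optional fields)
CONFIG_SHAPES = {
    "render":   ("serviceId",  ()),
    "vercel":   ("projectId",  ()),
    "heroku":   ("appName",    ()),
    "netlify":  ("siteId",     ()),
    "supabase": ("projectRef", ()),
    "railway":  ("projectId",  ("environmentId", "serviceId")),
}

def validate_config(config):
    """Check a config against the union, discriminating on 'provider'."""
    provider = config.get("provider")
    if provider not in CONFIG_SHAPES:
        raise ValueError(f"unknown provider: {provider!r}")
    id_field, optional = CONFIG_SHAPES[provider]
    allowed = {"provider", "apiKey", id_field, *optional}
    missing = [f for f in ("apiKey", id_field) if not config.get(f)]
    extra = sorted(set(config) - allowed)
    if missing or extra:
        raise ValueError(f"{provider}: missing={missing} unexpected={extra}")
    return config

def redact(config):
    """Copy of config that is safe to log: the provider credential is masked."""
    return {**config, "apiKey": "[redacted]"}

def importable_keys(preview):
    """Keys from a preview response that carry a usable plaintext value."""
    # Assumption: also skip "" and "***" even if the sensitive flag is unset.
    return [v["key"] for v in preview["vars"]
            if not v["sensitive"] and v["value"] not in ("", "***")]

def build_execute_body(config, org, project, env, preview):
    """Body for POST /v1/import/execute, selecting only importable keys."""
    return {"config": validate_config(config), "orgSlug": org,
            "projectSlug": project, "envSlug": env,
            "selectedKeys": importable_keys(preview)}

# Constructed sample, mirroring the preview response shown on the page.
SAMPLE_PREVIEW = {"provider": "heroku", "count": 2, "skipped": 1, "vars": [
    {"key": "DATABASE_URL", "value": "postgres://...", "sensitive": False},
    {"key": "SECRET_KEY", "value": "", "sensitive": True}]}
SAMPLE_CONFIG = {"provider": "heroku", "apiKey": "your-api-key", "appName": "my-app"}

if __name__ == "__main__":
    body = build_execute_body(SAMPLE_CONFIG, "my-org", "my-project", "development", SAMPLE_PREVIEW)
    print({**body, "config": redact(body["config"])})
```

A Vercel config that carries Render's serviceId instead of projectId is rejected locally, before the API key leaves the machine.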

Migrate your secrets in seconds

Stop copying environment variables by hand. Import them from your existing platform.