Guide

How to Import Secrets from Any Provider

Already have environment variables in Supabase, Vercel, Railway, or another platform? This guide walks you through finding your API tokens and project identifiers so you can import everything into secr in under a minute.

How It Works

Whether you use the dashboard or the CLI, importing follows three steps:

1

Connect

Enter your provider API key and project/service ID.

2

Preview

secr fetches all variables and shows you what's available.

3

Import

Select the variables you want and import them — encrypted and versioned.

Save Connections for Reuse

After importing, the dashboard offers to save your connection credentials (encrypted with KMS) so you don't need to re-enter them next time. Saved connections appear at the top of the import modal — click one to skip straight to the preview step.

Security: Saved connection credentials are encrypted at rest using a KMS-wrapped data encryption key — the same envelope encryption used for your secrets. Only org members can use them, and owners/admins can delete them.

About Sensitive Variables

Some providers restrict access to certain variable values. When this happens, secr shows a warning banner during the preview step. These variables appear in the list but can't be imported — you'll need to add them manually in secr.

ProviderSensitive Behavior
VercelVariables of type "sensitive" return empty values. Common for database passwords and API secrets.
RailwaySealed variables return *** instead of the actual value.
SupabaseAll variables are readable — no restrictions.
RenderAll variables are readable — no restrictions.
HerokuAll config vars are readable — no restrictions.
NetlifyAll variables are readable — no restrictions.

Provider-by-Provider Walkthrough

Jump to your provider: Supabase · Vercel · Railway · Render · Heroku · Netlify

Supabase

Find Your API Token

  1. 1
    Go to app.supabase.com

    Open the Supabase dashboard in your browser.

  2. 2
    Click your avatar in the top right

    This opens the user menu.

  3. 3
    Click Account Preferences

    Navigate to your account settings.

  4. 4
    Click Access Tokens

    You'll see a list of your personal access tokens.

  5. 5
    Generate a new token

    Give it a descriptive name like "secr import". Copy the token — you won't see it again.

Find Your Project Ref

  1. 1
    Open your project in Supabase

    Select the project you want to import secrets from.

  2. 2
    Go to Project Settings

    Click the gear icon in the sidebar.

  3. 3
    Under General, find Project ID

    This is the short alphanumeric string (e.g. abcdefghijklmnop). This is your Project Ref.

Import via Dashboard

  1. Navigate to your project's environment page and click “Import from Provider”
  2. Select Supabase from the provider grid
  3. Paste your API token and Project Ref
  4. Review the variable list — uncheck any you don't want
  5. Click “Import”
  6. Optionally save the connection for next time

Import via CLI

Terminal
secr import --from supabase \
  --key sbp_your_access_token \
  --service-id abcdefghijklmnop
Supabase exposes all secret values through the API, so every variable will be importable.

Vercel

Find Your API Token

  1. 1
    Go to vercel.com/account/tokens

    Or: click your avatar > Settings > Tokens.

  2. 2
    Click Create Token

    Give it a name like "secr import" and set a scope (Full Account or specific team).

  3. 3
    Copy the token

    This is your API key. Store it somewhere safe — Vercel only shows it once.

Find Your Project ID

  1. 1
    Open your project in Vercel

    Select the project from your dashboard.

  2. 2
    Go to Settings > General

    Scroll down to the Project ID section.

  3. 3
    Copy the Project ID

    It looks like prj_abc123... or can be the project name slug.

Import via Dashboard

  1. Navigate to your project's environment page and click “Import from Provider”
  2. Select Vercel from the provider grid
  3. Paste your API token and Project ID
  4. Review the variable list — uncheck any you don't want
  5. Click “Import”
  6. Optionally save the connection for next time

Import via CLI

Terminal
secr import --from vercel \
  --key your_vercel_token \
  --service-id prj_abc123
Heads up: Vercel marks some variables as "sensitive" — these return empty values from the API and cannot be imported. You'll see them flagged in the preview and will need to add them manually in secr.

Railway

Find Your API Token

  1. 1
    Go to railway.com/account/tokens

    Or: click your avatar > Account Settings > Tokens.

  2. 2
    Create a new token

    Name it "secr import" and copy it.

Find Your Project ID

  1. 1
    Open your project in Railway

    Select the project from your dashboard.

  2. 2
    Go to Settings

    Click the Settings tab at the top.

  3. 3
    Copy the Project ID

    It's a UUID displayed under the project name.

Import via Dashboard

  1. Navigate to your project's environment page and click “Import from Provider”
  2. Select Railway from the provider grid
  3. Paste your API token and Project ID
  4. Review the variable list — uncheck any you don't want
  5. Click “Import”
  6. Optionally save the connection for next time

Import via CLI

Terminal
secr import --from railway \
  --key rw_your_api_token \
  --service-id your-project-uuid

# Optionally scope to a specific environment and service:
secr import --from railway \
  --key rw_your_api_token \
  --service-id your-project-uuid \
  --railway-env environment-uuid \
  --railway-service service-uuid
Heads up: Railway "seals" some variables — these show as *** and cannot be imported. You'll need to add them manually.

Render

Find Your API Token

  1. 1
    Go to dashboard.render.com/settings

    Or: click your avatar > Account Settings.

  2. 2
    Scroll to API Keys

    Click Create API Key.

  3. 3
    Copy the key

    It starts with rnd_. This is your API key.

Find Your Service ID

  1. 1
    Open your service in Render

    Select the web service, worker, or cron job.

  2. 2
    Check the URL

    The Service ID is in the URL: dashboard.render.com/web/srv-abc123. It starts with srv-.

Import via Dashboard

  1. Navigate to your project's environment page and click “Import from Provider”
  2. Select Render from the provider grid
  3. Paste your API token and Service ID
  4. Review the variable list — uncheck any you don't want
  5. Click “Import”
  6. Optionally save the connection for next time

Import via CLI

Terminal
secr import --from render \
  --key rnd_your_api_key \
  --service-id srv-abc123def456
Render exposes all environment variable values, so every variable will be importable.

Heroku

Find Your API Token

  1. 1
    Go to dashboard.heroku.com/account

    Scroll to the API Key section.

  2. 2
    Click Reveal or Regenerate

    Copy your API key.

Find Your App Name

  1. 1
    Find your app name

    It's the URL slug of your app: my-app-name.herokuapp.com → my-app-name.

Import via Dashboard

  1. Navigate to your project's environment page and click “Import from Provider”
  2. Select Heroku from the provider grid
  3. Paste your API token and App Name
  4. Review the variable list — uncheck any you don't want
  5. Click “Import”
  6. Optionally save the connection for next time

Import via CLI

Terminal
secr import --from heroku \
  --key your_heroku_api_key \
  --service-id my-app-name
Heroku exposes all config vars in plaintext, so every variable will be importable.

Netlify

Find Your API Token

  1. 1
    Go to app.netlify.com/user/applications

    Or: User Settings > Applications > Personal access tokens.

  2. 2
    Create a new token

    Name it "secr import" and copy it.

Find Your Site ID

  1. 1
    Open your site in Netlify

    Select the site from your dashboard.

  2. 2
    Go to Site configuration > General

    The Site ID is listed under Site information.

Import via Dashboard

  1. Navigate to your project's environment page and click “Import from Provider”
  2. Select Netlify from the provider grid
  3. Paste your API token and Site ID
  4. Review the variable list — uncheck any you don't want
  5. Click “Import”
  6. Optionally save the connection for next time

Import via CLI

Terminal
secr import --from netlify \
  --key nfp_your_access_token \
  --service-id abc123-def456-ghi789
Netlify pulls variables from the "all" context, falling back to "production".

Tips

  • Import into the right environment. Make sure you're on the correct environment tab (development, staging, production) before importing.
  • Existing keys get updated, not duplicated. If a key already exists in secr, importing it again will create a new version (with the old value preserved in history).
  • Save your connection. After importing, save the connection to skip credential entry next time. Useful if you import from the same provider regularly.
  • Rotate provider tokens after import. If you created a one-time token just for this import, revoke it in the provider's settings once you're done.
  • Use templates to catch missing vars. After importing, run secr template validate to make sure you haven't missed any required variables.

Migrate your secrets in under a minute

Stop copying environment variables by hand. Connect your provider and import everything in one click.

Create Free AccountAPI Reference