Secrets & Environment Variables

The Secrets screen is where you set the environment variables your app uses. Mosayic distinguishes between two categories:

Public env vars — values that ship in your mobile app’s bundle (URLs, public keys). These are stored in your .env files and in EAS build config.
Secrets — values that must never be exposed to users (service role keys, API keys for paid services). These are stored in Google Cloud Secret Manager and injected into your deployed API at runtime.

What goes where

Public env vars

Anything prefixed with EXPO_PUBLIC_ is bundled into your mobile app at build time. These are public by definition — anyone who downloads your app can extract them.

Variable	What it is
`EXPO_PUBLIC_SUPABASE_URL`	URL of your Supabase project
`EXPO_PUBLIC_SUPABASE_PUB_KEY`	Supabase anon (publishable) key
`EXPO_PUBLIC_API_URL`	Your deployed API URL (set automatically after first prod deploy)

The dashboard maintains the values in two places:

The mobile/.env file on your machine (used during local development)
The eas.json config (used when EAS builds production binaries)

When you change a value via the dashboard, both are updated.

Secrets

These never end up in mobile code. They live only on the server side.

Variable	What it is
`SUPABASE_SECRET_KEY`	Supabase service role key — full DB access
`DB_CONNECTION_STRING`	Postgres connection string for GitHub Actions migrations
(anything else you add)	API keys for OpenAI, Stripe, Resend, etc.

For secrets, the dashboard:

Asks you for the value via a password-style input field.
Sends the value through Mosayic’s WebSocket relay to your VS Code extension. The value is never persisted on Mosayic’s servers — it’s a write-through.
The extension runs the appropriate CLI command:
- For GCP secrets: gcloud secrets create <name> + gcloud secrets versions add <name> --data-file=-
- For GitHub Actions secrets: gh secret set <name> --body <value>
Mosayic flips a boolean in its database (supabase_secret_is_set, db_connection_string_is_set, etc.) so the dashboard knows the secret exists. The value itself is not stored.

The dashboard never displays a secret value back to you. If you forget what you set, you have to look it up in the source service (Supabase Studio, your password manager, etc.).

Even though Mosayic doesn’t persist secret values, they do briefly transit Mosayic’s backend WebSocket. If you’re working with extremely sensitive secrets and want to avoid this entirely, you can set them directly with the CLI:

gcloud secrets create my-secret --data-file=secret.txt
gh secret set MY_SECRET --body "$(cat secret.txt)"

Then click Mark as set in the dashboard — Mosayic will flip its tracking flag without seeing the value.

How secrets reach your deployed API

When your API is deployed to Cloud Run, the deployment is configured to read secrets from Google Cloud Secret Manager at runtime. Specifically:

The Cloud Run service has a secret-mounted environment variable binding for each declared secret
On every cold start, Cloud Run fetches the latest secret version from Secret Manager
The Compute Engine service account (which Cloud Run uses by default) is granted roles/secretmanager.secretAccessor for each secret

This is set up automatically by Mosayic when you deploy. You don’t need to manually wire IAM permissions.

How secrets reach GitHub Actions

Some secrets — notably DB_CONNECTION_STRING — are needed by GitHub Actions for the migrations workflow. These are stored as repository secrets on your <project>-api repo and injected into the Action via:

env:
  DB_CONNECTION_STRING: ${{ secrets.DB_CONNECTION_STRING }}

The dashboard runs gh secret set from your api/ folder, so secrets land on the right repo automatically.

Adding your own secrets

The Secrets screen has an Add secret button. You give it:

A name (uppercase, underscore-separated, e.g. OPENAI_API_KEY)
A value
A target — Google Secret Manager (for runtime use by your API) or GitHub Actions (for CI/CD use)

After adding, you’ll need to update your API code to read it (os.environ["OPENAI_API_KEY"]) and re-deploy.