Secret Management

Secret management is the famous security hole in AI-based coding, especially with vibe coding. But there are techniques that make keeping your app secure straightforward – it’s more about knowing some fundamental rules.

The Golden Rule

Never give an AI a secret

Never paste a secret into the AI terminal. This isn’t about data protection within LLM companies – it’s because AI will famously hard-code that secret into your codebase, which is a major security violation.

Secrets must be managed in their appropriate places. Mosayic streamlines this by permitting secrets only in:

• .env.local in your Python API
• Google Secret Manager in Google Cloud Platform
• GitHub Actions Secrets for CI/CD workflows

Never Commit Secrets to GitHub

You must never commit secrets in your code repositories.

The .env.local file is safe to use because it’s included in your .gitignore – Git can’t see it. When you push to GitHub, secrets stay on your local machine.

You’ll need some secrets when developing locally (for example, an OpenAI API key), and that’s fine. But you don’t push secrets with your codebase. Instead, you inject them using tools the cloud provider gives you.

How Secrets Work in the API

In the Python API codebase, you’ll find a settings.py file containing a list of environment variables and secrets.

Note

Environment variables aren’t just API keys. They can be URLs, email addresses, environment names, or anything else that changes depending on where your app runs.

Local Development

The .env.local file injects environment variables when running locally.

Production (Cloud Run)

One reason Mosayic chose Google Cloud Platform is that it makes injecting managed secrets easy. When you set up secrets in Google Secret Manager, they’re injected as environment variables into Cloud Run, which makes them available to your app via settings.py.

Different Values Per Environment

Your local and production environments often need different values for the same variable. For example:

• Local: Supabase public key from your local instance
• Production: Supabase public key from your production dashboard (set in GCP)

GitHub Actions Secrets

Some secrets are needed in your CI/CD workflows. GitHub Actions has its own secrets storage for this purpose.

Setting Secrets in Mosayic

In the Secrets Management tab, Mosayic makes setting secrets straightforward. The Supabase configuration in particular is set up for you – when you set secrets, Mosayic automatically creates them in the right places. Just enter the values.

Tip

It’s critical to understand what Mosayic is doing under the hood. Know where secrets are being set:

• .env.local for local development
• Google Secret Manager for production
• GitHub Actions Secrets for CI/CD workflows

But rest assured that Mosayic handles this in a safe and secure way.