Secrets Management for SaaS Teams

Secrets management is one of the most consistently mishandled areas in SaaS engineering. The typical pattern: secrets start in a .env file, get committed to git accidentally, get shared in Slack DMs, accumulate in team members' local environments, and never get rotated. Then someone leaves the company and you do not know which credentials they had access to.

This reference covers the full secrets management stack: what counts as a secret, the environments it must be managed across, the tools available at each stage of growth, and the operational practices that keep secrets out of the wrong hands.

🔑 What Counts as a Secret

A secret is any value that grants access to a resource and must not be exposed publicly. The definition is broader than most teams realize.

CategoryExamplesRisk if Exposed
Database credentialsConnection strings, usernames, passwordsFull data access; data breach
Third-party API keysStripe, Twilio, SendGrid, OpenAI keysUnauthorized charges; data access; account lockout
Auth secretsJWT signing keys, session secrets, OAuth client secretsSession hijacking; auth bypass
Encryption keysAES keys, RSA private keys, KMS key ARNsData decryption; compliance violation
Internal service tokensWebhook signing secrets, internal API tokensService impersonation; data manipulation
Infrastructure credentialsAWS access keys, GCP service account keys, SSH private keysFull infrastructure access; worst-case scenario

🏗 Secrets by Environment

Every secret must be managed separately per environment. Using the same secret in development and production is a security control failure — if development is compromised, production is compromised too.

Environment isolation rules:

🛠 Secrets Management Tools by Stage

Choose your secrets management tool based on your current team size and infrastructure, not your target architecture.

StageRecommended ToolWhy
Pre-seed / SoloDoppler, Railway env vars, Vercel envZero infrastructure; works with existing hosting
Seed (2–10 engineers)Doppler, 1Password Secrets Automation, AWS Secrets ManagerTeam access controls; audit log; rotation support
Series A+ (10+ engineers)HashiCorp Vault, AWS Secrets Manager + KMSFine-grained access policies; dynamic secrets; compliance-grade audit trail

What to avoid at any stage:

🔄 Secrets Rotation

Secrets rotation is the practice of replacing a secret with a new value on a regular schedule or after a security event. Most SaaS teams do not rotate secrets until something goes wrong — which means they are always reacting, never preventing.

Rotation triggers that require immediate action:

Rotation schedule by secret type:

📋 Access Control and Audit

Secrets access should follow the principle of least privilege: each service, each person, and each script gets access only to the secrets it needs to do its specific job — nothing more.

Access control checklist:

What to Do Next

Audit your current secrets posture this week: search your git history for common secret patterns (grep -rn "AKIA" . for AWS keys, grep -rn "sk_live" . for Stripe keys). If any are found, rotate them immediately before doing anything else. Then: pick a secrets manager appropriate for your stage and migrate your highest-risk production secrets this sprint.