Encrypted storage and runtime injection for sensitive keys.

Environment Variables & Secrets

Dwizi tools run in isolated containers. The only way to pass secrets into a tool is via environment variables. We never mount .env files inside containers, and we never expose secrets in the browser.

How Dwizi Stores Env Vars

  • Encrypted at rest in the registry database.
  • Injected at runtime into the container environment.
  • Not visible in the UI after save.
  • Not shared across tools or orgs.

This means your keys are only available while the tool is executing.

How to Read Env Vars

Use the runtime-native APIs:

// Deno
const apiKey = Deno.env.get("API_KEY");
// Node
const apiKey = process.env.API_KEY;

If the variable is missing, throw a clear error so the run fails fast:

if (!apiKey) throw new Error("Missing API_KEY");

Security Pitfalls to Avoid

  • Do not log secrets. Anything written to stdout/stderr can appear in logs.
  • Do not return secrets in your JSON output.
  • Do not hardcode keys in source code or templates.
  • Avoid secrets in public tools unless absolutely required.
  • Rotate keys if you ever copy them into logs or outputs.
  • Use short, explicit names (STRIPE_API_KEY, SLACK_BOT_TOKEN).
  • Keep secrets minimal per tool. Don’t reuse a single key across tools if you can avoid it.
  • Prefer environment variables over query params or request bodies for secrets.
  • Avoid naming your own variables with the DWIZI_ prefix.
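
The fail-fast read and the first two pitfalls above (no secrets in logs, no secrets in JSON output), combined in one helper. This is an added example, not Dwizi's own code; the helper names (readEnv, requireEnv, redact, scrub) are hypothetical.

```javascript
// Added example, not Dwizi code. Helper names are hypothetical.

// Read a variable with whichever runtime API is present (Deno or Node).
function readEnv(name) {
  if (typeof Deno !== "undefined") return Deno.env.get(name);
  return process.env[name];
}

// Fail fast: report which names are missing, never any value.
function requireEnv(names) {
  const missing = names.filter((n) => !readEnv(n));
  if (missing.length > 0) {
    throw new Error("Missing env vars: " + missing.join(", "));
  }
  return Object.fromEntries(names.map((n) => [n, readEnv(n)]));
}

// Replace every occurrence of a secret value in a string.
// Longest values go first so a secret that contains another
// secret as a prefix is not left half-visible.
function redact(text, secrets) {
  const values = Object.values(secrets)
    .filter(Boolean)
    .sort((a, b) => b.length - a.length);
  let out = String(text);
  for (const v of values) out = out.split(v).join("[REDACTED]");
  return out;
}

// Walk a result object and redact every string in it before the
// tool logs it or returns it as JSON output.
function scrub(value, secrets) {
  if (typeof value === "string") return redact(value, secrets);
  if (Array.isArray(value)) return value.map((v) => scrub(v, secrets));
  if (value && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrub(v, secrets)])
    );
  }
  return value;
}
```

Call requireEnv once at the start of the tool, then pass anything derived from an upstream error or response through scrub before logging or returning it. Redaction only catches the exact secret value; an encoded or truncated copy still needs the key rotated.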