Env vars

Caddi keeps env vars per environment. Every change goes through us so it lands in the audit log — and so secrets aren’t set on Vercel by hand and forgotten.

Types

secret — encrypted at rest, write-once. The CLI shows masked values and never echoes them back. Used for API keys, DB URLs, signing secrets.
plain — readable. Used for URLs, public IDs, NEXT_PUBLIC_* values.

Setting

bash

caddi env set DATABASE_URL "postgres://..."   --env production --secret
caddi env set NEXT_PUBLIC_SITE_URL "https://meridian.studio" --env production

Copying between envs

bash

# Bring staging in line with production
caddi env copy --from production --to staging

# Just one
caddi env copy STRIPE_SECRET_KEY --from production --to staging

Secrets are copied through Caddi’s key-wrap layer; the plaintext never lands in your shell.

Diffing

bash

caddi env diff --from staging --to production

# Only in staging:    FEATURE_FLAG_AB
# Only in production: ANALYTICS_KEY
# Drift:              NEXT_PUBLIC_SITE_URL

Schemas

Every template ships a caddi.template.json with an env schema. Caddi validates new values against it — required vs optional, secret vs plain. You can extend the schema per-project (in .caddi/config.json) without forking the template.

The Vercel dashboard remains the storage. We don’t hide it. But editing values on Vercel directly bypasses the audit log — please use caddi env or the dashboard instead.

Pulling for local dev

bash

caddi env pull --env dev .env.local

# By default secrets are skipped. Pass --include-secrets to write them
# (logged as audit entry env.pulled_with_secrets).

Domains →

Env vars

Types

Setting

Copying between envs

Diffing

Schemas

Pulling for local dev

Next