Doppler Secret Validation
Overview
Workflow for securely adding, validating, and testing API tokens and credentials in Doppler secrets management.
When to Use This Skill
Use this skill when:
-
User provides API tokens or credentials (PyPI, GitHub, AWS, etc.)
-
User mentions "add to Doppler", "store secret", "validate token"
-
User wants to test authentication before production use
-
User needs to verify secret storage and retrieval
Workflow
Step 1: Test Token Format (Before Adding to Doppler)
Before storing in Doppler, validate token format:
Check token format, length, prefix
python3 -c "token = 'TOKEN_VALUE'; print(f'Prefix: {token[:20]}...'); print(f'Length: {len(token)}')"
Common token formats:
-
PyPI: pypi-... (179 chars)
-
GitHub: ghp_... (40+ chars)
-
AWS: 20-char access key + 40-char secret
Step 2: Add Secret to Doppler
doppler secrets set SECRET_NAME="value" --project PROJECT --config CONFIG
Example:
doppler secrets set PYPI_TOKEN="pypi-AgEI..."
--project claude-config --config prd
Important: CLI doesn't support --note . Add notes via dashboard:
-
Navigate: PROJECT → CONFIG → SECRET_NAME
-
Edit → Add descriptive note
Step 3: Validate Storage
Use the bundled validation script:
/usr/bin/env bash << 'VALIDATE_EOF'
cd ${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation
uv run scripts/validate_secret.py
--project PROJECT
--config CONFIG
--secret SECRET_NAME
VALIDATE_EOF
This validates:
-
Secret exists in Doppler
-
Secret retrieval works
-
Environment injection works via doppler run
Example:
uv run scripts/validate_secret.py
--project claude-config
--config prd
--secret PYPI_TOKEN
Step 4: Test API Authentication
Use the bundled auth test script (adapt test_api_authentication() for specific API):
/usr/bin/env bash << 'CONFIG_EOF'
cd ${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation
doppler run --project PROJECT --config CONFIG --
uv run scripts/test_api_auth.py
--secret SECRET_NAME
--api-url API_ENDPOINT
CONFIG_EOF
Example (PyPI):
doppler run --project claude-config --config prd --
uv run scripts/test_api_auth.py
--secret PYPI_TOKEN
--api-url https://upload.pypi.org/legacy/
Step 5: Document Usage
After validation, document the usage pattern for the user:
/usr/bin/env bash << 'CONFIG_EOF_2'
Pattern 1: Doppler run (recommended for CI/scripts)
doppler run --project PROJECT --config CONFIG -- COMMAND
Pattern 2: Manual export (for troubleshooting)
export SECRET_NAME=$(doppler secrets get SECRET_NAME
--project PROJECT --config CONFIG --plain)
CONFIG_EOF_2
Step 5b: mise [env] Integration (Recommended for Local Development)
For multi-account GitHub setups or per-directory credential needs, integrate Doppler secrets with mise [env] :
.mise.toml
[env]
Option A: Direct Doppler CLI fetch (slower, always fresh)
GH_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}" GITHUB_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
Option B: Cache for performance (1 hour cache)
GH_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}" GITHUB_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
Note: Set BOTH GH_TOKEN and GITHUB_TOKEN
- different tools check different variable names (gh CLI vs npm scripts).
Why mise [env]? Doppler doppler run is session-scoped; mise [env] provides directory-scoped credentials that persist across commands.
See mise-configuration skill for complete patterns.
Common Patterns
Multiple Configs (dev, stg, prd)
Add secret to multiple environments:
Production
doppler secrets set TOKEN="prod-value" --project foo --config prd
Development
doppler secrets set TOKEN="dev-value" --project foo --config dev
Verify Secret Across Configs
/usr/bin/env bash << 'CONFIG_EOF_3' for config in dev stg prd; do echo "=== $config ===" doppler secrets get TOKEN --project foo --config $config --plain | head -c 20 echo "..." done CONFIG_EOF_3
Security Guidelines
-
Never log full secrets: Use ${SECRET:0:20}... masking
-
Prefer doppler run: Scopes secrets to single command
-
Use --plain only for piping: Human-readable view masks secrets
-
Separate configs per environment: dev/stg/prd isolation
Bundled Resources
-
scripts/validate_secret.py - Complete validation suite (existence, retrieval, injection)
-
scripts/test_api_auth.py - Template for API authentication testing
-
references/doppler-patterns.md - Common CLI patterns and examples
Reference
-
Doppler docs: https://docs.doppler.com/docs
-
CLI install: brew install dopplerhq/cli/doppler
-
See doppler-patterns.md for comprehensive patterns
Troubleshooting
Issue Cause Solution
Secret not found Wrong project/config specified Verify with doppler secrets ls --project X --config
Auth test fails with 401 Token expired or invalid Regenerate token, re-add to Doppler
doppler run hangs CLI waiting for input Add --no-interactive flag
Token prefix mismatch Wrong token type used Check expected format (pypi-, ghp-, AKIA, etc.)
Validation script not found Wrong directory context Ensure CLAUDE_PLUGIN_ROOT is set correctly
Secret retrieval empty Secret name typo List secrets: doppler secrets ls --project X
mise cache stale Duration expired Clear cache or reduce duration setting
Multiple configs confusion Secrets differ across envs Use explicit --config flag for each command