Doppler Secret Validation

Overview

Workflow for securely adding, validating, and testing API tokens and credentials in Doppler secrets management.

When to Use This Skill

Use this skill when:

User provides API tokens or credentials (PyPI, GitHub, AWS, etc.)
User mentions "add to Doppler", "store secret", "validate token"
User wants to test authentication before production use
User needs to verify secret storage and retrieval

Workflow

Step 1: Test Token Format (Before Adding to Doppler)

Before storing in Doppler, validate token format:

# Check token format, length, prefix
python3 -c "token = 'TOKEN_VALUE'; print(f'Prefix: {token[:20]}...'); print(f'Length: {len(token)}')"

Common token formats:

PyPI: pypi-... (179 chars)
GitHub: ghp_... (40+ chars)
AWS: 20-char access key + 40-char secret

Step 2: Add Secret to Doppler

doppler secrets set SECRET_NAME="value" --project PROJECT --config CONFIG

Example:

doppler secrets set PYPI_TOKEN="pypi-AgEI..." \
  --project claude-config --config prd

Important: CLI doesn't support --note. Add notes via dashboard:

https://dashboard.doppler.com
Navigate: PROJECT → CONFIG → SECRET_NAME
Edit → Add descriptive note

Step 3: Validate Storage

Use the bundled validation script:

/usr/bin/env bash << 'VALIDATE_EOF'
cd ${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation
uv run scripts/validate_secret.py \
  --project PROJECT \
  --config CONFIG \
  --secret SECRET_NAME
VALIDATE_EOF

This validates:

Secret exists in Doppler
Secret retrieval works
Environment injection works via doppler run

Example:

uv run scripts/validate_secret.py \
  --project claude-config \
  --config prd \
  --secret PYPI_TOKEN

Step 4: Test API Authentication

Use the bundled auth test script (adapt test_api_authentication() for specific API):

/usr/bin/env bash << 'CONFIG_EOF'
cd ${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation
doppler run --project PROJECT --config CONFIG -- \
  uv run scripts/test_api_auth.py \
    --secret SECRET_NAME \
    --api-url API_ENDPOINT
CONFIG_EOF

Example (PyPI):

doppler run --project claude-config --config prd -- \
  uv run scripts/test_api_auth.py \
    --secret PYPI_TOKEN \
    --api-url https://upload.pypi.org/legacy/

Step 5: Document Usage

After validation, document the usage pattern for the user:

/usr/bin/env bash << 'CONFIG_EOF_2'
# Pattern 1: Doppler run (recommended for CI/scripts)
doppler run --project PROJECT --config CONFIG -- COMMAND

# Pattern 2: Manual export (for troubleshooting)
export SECRET_NAME=$(doppler secrets get SECRET_NAME \
  --project PROJECT --config CONFIG --plain)
CONFIG_EOF_2

Step 5b: mise [env] Integration (Recommended for Local Development)

For multi-account GitHub setups or per-directory credential needs, integrate Doppler secrets with mise [env]:

# .mise.toml
[env]
# Option A: Direct Doppler CLI fetch (slower, always fresh)
GH_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
GITHUB_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"

# Option B: Cache for performance (1 hour cache)
GH_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
GITHUB_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"

Note: Set BOTH GH_TOKEN and GITHUB_TOKEN - different tools check different variable names (gh CLI vs npm scripts).

Why mise [env]? Doppler doppler run is session-scoped; mise [env] provides directory-scoped credentials that persist across commands.

See mise-configuration skill for complete patterns.

Common Patterns

Multiple Configs (dev, stg, prd)

Add secret to multiple environments:

# Production
doppler secrets set TOKEN="prod-value" --project foo --config prd

# Development
doppler secrets set TOKEN="dev-value" --project foo --config dev

Verify Secret Across Configs

/usr/bin/env bash << 'CONFIG_EOF_3'
for config in dev stg prd; do
  echo "=== $config ==="
  doppler secrets get TOKEN --project foo --config $config --plain | head -c 20
  echo "..."
done
CONFIG_EOF_3

Security Guidelines

Never log full secrets: Use ${SECRET:0:20}... masking
Prefer doppler run: Scopes secrets to single command
Use --plain only for piping: Human-readable view masks secrets
Separate configs per environment: dev/stg/prd isolation

Bundled Resources

scripts/validate_secret.py - Complete validation suite (existence, retrieval, injection)
scripts/test_api_auth.py - Template for API authentication testing
references/doppler-patterns.md - Common CLI patterns and examples

Reference

Doppler docs: https://docs.doppler.com/docs
CLI install: brew install dopplerhq/cli/doppler
See doppler-patterns.md for comprehensive patterns

doppler-secret-validation