Validate and test secrets stored in Doppler. Add API tokens/credentials to Doppler, verify storage and retrieval, test authentication with target services. Use when user mentions "add to Doppler", "store secret", "validate token", or provides API tokens needing secure storage.
/plugin marketplace add terrylica/cc-skills
/plugin install terrylica-devops-tools-plugins-devops-tools@terrylica/cc-skills

This skill is limited to using the following tools:

references/doppler-patterns.md
scripts/test_api_auth.py
scripts/validate_secret.py

Workflow for securely adding, validating, and testing API tokens and credentials in Doppler secrets management.
Use this skill when:
Before storing in Doppler, validate token format:
# Check token format, length, prefix
python3 -c "token = 'TOKEN_VALUE'; print(f'Prefix: {token[:20]}...'); print(f'Length: {len(token)}')"
Common token formats:
pypi-... (179 chars)
ghp_... (40+ chars)

doppler secrets set SECRET_NAME="value" --project PROJECT --config CONFIG
Example:
doppler secrets set PYPI_TOKEN="pypi-AgEI..." \
--project claude-config --config prd
Important: CLI doesn't support --note. Add notes via dashboard:
Use the bundled validation script:
/usr/bin/env bash << 'VALIDATE_EOF'
# Quote the path so a plugin root containing spaces does not break cd
cd "${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation"
uv run scripts/validate_secret.py \
  --project PROJECT \
  --config CONFIG \
  --secret SECRET_NAME
VALIDATE_EOF
This validates:
doppler run

Example:
uv run scripts/validate_secret.py \
--project claude-config \
--config prd \
--secret PYPI_TOKEN
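A format check on the retrieved value, as an added example (not the bundled validate_secret.py, whose contents are not shown on this page). It reads the secret from the environment that doppler run injects, so the token never appears in argv or shell history, and prints only a masked preview. The file name check_format.py, the function names, and the reading of the listed lengths as minimums are assumptions of this example.

```python
import os
import sys

# (prefix, minimum length) per kind, from the page's "Common token formats" list.
# Treating the listed lengths as minimums is an assumption of this example.
TOKEN_RULES = {"pypi": ("pypi-", 179), "github": ("ghp_", 40)}


def mask(token, visible=20):
    """Log-safe preview: never reveals more than half of the token."""
    return token[: min(visible, len(token) // 2)] + "..."


def check_token(token, kind):
    """Return a list of format problems; an empty list means the shape is plausible."""
    prefix, min_len = TOKEN_RULES[kind]
    problems = []
    core = token.strip()
    if core != token:
        problems.append("leading or trailing whitespace")
    if len(core) >= 2 and core[0] == core[-1] and core[0] in "\"'":
        problems.append("value is wrapped in quotes")
        core = core[1:-1]
    if any(ch.isspace() for ch in core):
        problems.append("whitespace inside token")
    if not core.startswith(prefix):
        problems.append(f"missing prefix {prefix}")
    if len(core) < min_len:
        problems.append(f"length {len(core)} is below {min_len}")
    return problems


def main(argv):
    # Hypothetical usage (check_format.py is this example's file name):
    #   doppler run --project PROJECT --config CONFIG -- python3 check_format.py PYPI_TOKEN pypi
    if len(argv) != 3 or argv[2] not in TOKEN_RULES:
        print("usage: check_format.py SECRET_NAME {pypi|github}", file=sys.stderr)
        return 2
    token = os.environ.get(argv[1])
    if token is None:
        print(f"{argv[1]} is not set in the environment", file=sys.stderr)
        return 2
    problems = check_token(token, argv[2])
    print(f"{argv[1]}: {mask(token)} ({len(token)} chars)")
    for problem in problems:
        print(f"  problem: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is 0 for a plausible format, 1 when problems are found, and 2 for usage errors or a missing variable, so the check can gate a CI step.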
Use the bundled auth test script (adapt test_api_authentication() for specific API):
/usr/bin/env bash << 'CONFIG_EOF'
# Quote the path so a plugin root containing spaces does not break cd
cd "${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation"
doppler run --project PROJECT --config CONFIG -- \
  uv run scripts/test_api_auth.py \
  --secret SECRET_NAME \
  --api-url API_ENDPOINT
CONFIG_EOF
Example (PyPI):
doppler run --project claude-config --config prd -- \
uv run scripts/test_api_auth.py \
--secret PYPI_TOKEN \
--api-url https://upload.pypi.org/legacy/
After validation, document the usage pattern for the user:
/usr/bin/env bash << 'CONFIG_EOF_2'
# Pattern 1: Doppler run (recommended for CI/scripts)
doppler run --project PROJECT --config CONFIG -- COMMAND
# Pattern 2: Manual export (for troubleshooting)
export SECRET_NAME=$(doppler secrets get SECRET_NAME \
--project PROJECT --config CONFIG --plain)
CONFIG_EOF_2
For multi-account GitHub setups or per-directory credential needs, integrate Doppler secrets with mise [env]:
# .mise.toml
[env]
# Option A: Direct Doppler CLI fetch (slower, always fresh)
GH_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
GITHUB_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
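# Option B: Cache for performance (1 hour cache)
# Use instead of Option A, not alongside it: TOML rejects duplicate keys in one table.
# Caching is done through exec's cache_key / cache_duration options.
GH_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain', cache_key='gh_token', cache_duration='1h') }}"
GITHUB_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain', cache_key='gh_token', cache_duration='1h') }}"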
Note: Set BOTH GH_TOKEN and GITHUB_TOKEN - different tools check different variable names (gh CLI vs npm scripts).
Why mise [env]? doppler run is session-scoped; mise [env] provides directory-scoped credentials that persist across commands.
See mise-configuration skill for complete patterns.
Add secret to multiple environments:
# Production
doppler secrets set TOKEN="prod-value" --project foo --config prd
# Development
doppler secrets set TOKEN="dev-value" --project foo --config dev
/usr/bin/env bash << 'CONFIG_EOF_3'
for config in dev stg prd; do
  echo "=== $config ==="
  # Print only the first 20 characters so the full secret never reaches the terminal
  doppler secrets get TOKEN --project foo --config "$config" --plain | head -c 20
  echo "..."
done
CONFIG_EOF_3
${SECRET:0:20}... masking

brew install dopplerhq/cli/doppler