Protect your secrets

Keep your secret env vars secret for all eternity and your files belonging to certain apps protected against downloading.

Keep your secret env vars secret for all eternity and your files belonging to certain apps protected against downloading.

From now on the secret environment variables belonging to your apps are not displayed as default, only the list of them and the keys (their names), until you set it to be otherwise. We've also added a new feature to your apps' Secrets and Code Signing tabs: a toggle called 'protected'. With this, you can make your secrets unexposable and your code signing certificates undownloadable.

You should use this feature for secrets that you want to keep secret. 😎  This can be a password that you don't want other team members to see, even if they have access to the Secrets tab. Or the CTO can set an API-key and lock it so that the developers won't be able to see it or edit it, but the build still can use it.

Secrets tab

You can add new secrets to your app under the Secrets tab. Once you save them and refresh the page, stars will appear instead of the values. (Until now, the values were always printed here.) The values will only be sent to front-end when you click the eye, if you set it protected, it'll only get sent to the build machine.

Secret keys (and their values) cannot be changed only deleted.

We've added a crossed eye icon, which will expose the secret and show the value.

Another new feature is available under the drop-down menu (...): you can Make it protected. If you set an env var protected, you cannot see the value any longer, in fact, nobody can see it any longer, deleting it is the only option remaining. If you click the button, a popup appears warning you that this action is irreversible.

Please note that you have to save the page to make an environment variable protected. Protected env vars are indicated with a lock.

Code Signing tab

A similar option is available on Code Signing tab. For all the files uploaded here, you'll find Make protected under the drop-down menu (...):

Then comes the warning that this is irreversible from the moment you click the button, no Saving is required.

Making a file protected means that you cannot download it but only delete it.

Provisioning profiles
Provisioning profiles


Files in generc file storage
files in generc file storage

Happy secrecy! 🤐

No items found.

Explore more topics

App development

Best practices from engineers on how to use Bitrise to build better apps, faster.


Meet other Bitrise engineers, technology experts, power users, partners and join our BUGs.


All the updates about Bitrise events, sponsorships, employees, and more.


Mobile development, latest tech, industry insights, and interviews with experts.

Mobile DevOps

Learn why mobile development is unique and requires a set of unique practices.


Stay tuned for the last updates, new features, and product improvements.

Get the latest from Bitrise

Join other Mobile DevOps engineers who receive regular emails from Bitrise, filled with tips, news, and best practices.