Base44: Secrets Management for Backend Functions

Secure Secret Storage for Backend Functions

Base44 added native secrets management to its CLI, giving developers a secure way to store sensitive configuration values such as API keys, database credentials, and third-party tokens. Previously, keeping credentials out of application code required manual workarounds; the new system makes this a first-class concern in the Base44 developer workflow.

Secrets are stored at the project level and exposed to backend functions as standard environment variables, accessible inside Deno functions via the familiar Deno.env.get() call. Because Base44's backend functions run on Deno — a modern TypeScript runtime with strong isolation guarantees — secrets never leak into client-side code and are always confined to server-side execution contexts.

Three New CLI Commands

The secrets system ships as three complementary commands that handle the full lifecycle of a secret.

secrets set

The secrets set command stores one or more key-value pairs:

base44 secrets set API_KEY=sk-abc123 DATABASE_URL=postgres://localhost/mydb

Alternatively, an entire .env file can be loaded at once using the --env-file flag:

base44 secrets set --env-file .env.production

When a secret is updated, all deployed backend functions that reference it are automatically redeployed with the new value.

secrets list

The secrets list command displays all secrets configured for the current project. For security, actual values are masked; only names and partially redacted values are shown.

secrets delete

The secrets delete command removes one or more secrets by name:

base44 secrets delete API_KEY DATABASE_URL

As with updates, deletion triggers an automatic redeploy of any backend functions that referenced the removed secret.

Why It Matters

Hardcoding API keys in application source code is a well-known security risk and a common cause of credential leaks. Base44's secrets management removes this friction for teams building integrations with external APIs.