Environment variables & secrets

Many apps need configuration that shouldn’t live in their source code, such as an API key, a database URL, or a feature flag. Apptrope lets you attach environment variables to each app individually, keeps the sensitive ones out of view, and stores them securely in your operating system’s credential store. This page covers how to set them, where they’re kept, and how they behave when you share an app.

Setting variables for an app

Environment variables are configured per app, not globally. To open the editor:

  1. Find the app’s card in your Library.
  2. Click the card’s actions menu.
  3. Choose Environment….

You’ll get a simple editor with a row for each variable, showing a name on the left and a value on the right.

The Environment variables editor, opened from a card’s ⋯ menu, showing masked values with a reveal toggle.

The Environment variables editor. Each row has a variable name, a masked value with a reveal toggle, and an ✕ to remove it. Use + Add variable to add a row, then Save.

To add, edit, or remove

  • Add a variable with + Add variable, then type a name (for example OPENAI_API_KEY) and its value.
  • Edit a value by clicking into its field and typing.
  • Reveal a masked value with the eye toggle at the end of the value field, so you can confirm what you pasted.
  • Remove a variable with the at the end of its row.
  • Click Save to keep your changes, or Cancel to discard them.

The variables you save are passed to that app’s process the next time it runs. Each app gets only its own variables. They don’t leak into other apps or into your shell.

How values are stored

Apptrope treats these values as secrets. Rather than writing them into a plain settings file, it hands them to your operating system’s secure credential store:

Platform Where values are stored
macOS Keychain
Windows Credential Manager
Linux Secret Service

Because the values live in the OS keychain, they’re protected by the same mechanisms that guard your other saved credentials. In the editor, values are masked by default and only shown when you use the reveal toggle, so a secret isn’t left sitting on screen.

Debug and unsigned builds

Repeatedly reading from the keychain can trigger an OS prompt every time. To keep local development smooth, debug and unsigned builds of Apptrope don’t use the keychain. Instead they store values in a local file named secrets.json, created with 0600 permissions (readable and writable only by your user account). This avoids repeated keychain prompts while you work.

Forcing a specific backend

If you need to choose the storage backend explicitly (for example, to test keychain behavior in a debug build, or to avoid the keychain in a signed build), set the APPTROPE_SECRET_STORE environment variable before launching Apptrope:

# Use the local 0600 secrets.json file
APPTROPE_SECRET_STORE=file

# Use the OS keychain
APPTROPE_SECRET_STORE=keychain

The two accepted values are file and keychain.

Secrets and sharing

Your secrets are never included in a shared bundle. When you export an app with ⋯ → Export bundle…, Apptrope packages the app but excludes secrets (along with dotfiles). Anyone you share the .apptrope file with will need to supply their own values in their own Apptrope. Your keys never travel with the bundle.

This means environment variables are a safe place for anything sensitive. It stays on your machine, in your keychain, and out of anything you hand to someone else.

Tips

  • Use variables for anything you don’t want hard-coded: API keys, tokens, connection strings, and per-environment settings.
  • After sharing an app, remind the recipient which variables the app expects, since the values themselves won’t be in the bundle.
  • If a saved value looks wrong, reopen Environment… and use the reveal toggle to check it rather than re-pasting blind.