When deploying to a live environment such as production, you should use a Doppler Service Token for ease of configuration and additional security.
Unlike a CLI token created by running
doppler setup, a service token provides read-only access for a single project and config, adhering to the principle of least privilege in ensuring an application only has access to the secrets it needs.
Using a Sevice Token
DOPPLER_TOKEN environment variable is set with the value of the Service Token, the Doppler CLI uses it to fetch the latest version of the secrets for a specific project and config with no manual configuration of the environment required.
Revoking a Token
Revoking a service token is non-reversible and will immediately prevent all access to the config. To revoke a token, click the Revoke button for the token you'd like to remove.
🚧 If a token is revoked, this will prevent access to the latest version of the secrets, but the CLI will continue to provide the last accessed version of the secrets (if it has previously been able to access the secrets) due to the encrypted fallback file being stored on disk.