Skip to main content
Replicas integrates with Doppler to sync secrets from your Doppler configs directly into workspace environment variables. Connections are configured per environment scope, so you can connect different Doppler projects or configs to your global, repository, or repository-set scopes.

Setup

Only organization admins can connect Doppler.
  1. In Doppler, open the project and config you want to sync from
  2. Go to Access → Tokens (or the Tokens tab on the config) and generate a Service Token with read access. The token starts with dp.st.
  3. Go to Environment settings in Replicas
  4. Select a scope: Global, a specific Repository, or a Repository Set
  5. Open the Variables tab, scroll to the Integrations section, and click Connect Doppler, then fill in:
    • Service Token: the dp.st.* token from Doppler
    • Project: the Doppler project slug
    • Config: the config name (e.g., dev, stg, prd)
    • API Host: only needed for self-hosted Doppler instances (defaults to https://api.doppler.com)
  6. Click Save & Connect. Replicas validates the credentials before saving
You can connect Doppler independently at each scope. For example, you might sync a staging config globally and a production config for a specific repository.

How It Works

When a workspace is created, Replicas authenticates with Doppler using the stored Service Token for each applicable scope, fetches all secrets via the /v3/configs/config/secrets/download endpoint, and injects them as environment variables into the workspace.

Priority

Doppler secrets follow the same priority ordering as manual environment variables, but within each scope, manual variables always override Doppler secrets:
  1. Global Doppler secrets (lowest)
  2. Global manual environment variables
  3. Repository-set Doppler secrets
  4. Repository-set manual environment variables
  5. Repository Doppler secrets
  6. Repository manual environment variables (highest)
If you define a variable manually in the same scope with the same key as a Doppler secret, the manual value wins. A repository-scoped Doppler secret overrides a global manual variable.

Test Sync

After connecting, use the Test Sync button to verify that Replicas can reach your Doppler config and see which secret keys are available. Secret values are never displayed; only the key names are shown.

Reconfiguring

Click Reconfigure to update the Service Token, change the project, or switch the config. The new credentials are validated before saving.

Copying or Moving Between Scopes

Once a Doppler connection is configured at any scope, admins can copy or move it to another scope without re-entering credentials. From the connected scope, open the Copy to or Move to menu next to the connection to choose a target (Global, any Repository, or any Repository Set).
  • Copy to duplicates the connection to the target scope. Both scopes end up with the same Service Token, project, and config. The source scope keeps its connection.
  • Move to copies to the target and then removes the connection from the source scope.
Credentials are re-encrypted server-side when cloned; the Service Token is never exposed to the browser during this operation. Only organization admins can copy or move connections.

Disconnecting

Click Disconnect to remove the Doppler connection for that scope. Existing workspaces are not affected, but new workspaces will no longer receive Doppler secrets from that scope.