Skip to content
Get started

Runtime Secrets

Runtime Secrets are the private values your Project needs while it is running: API keys, access tokens, webhook secrets, and other credentials used to call external services.

Use Runtime Secrets when a Project needs something outside Castaly, such as a payments provider, email service, AI model, analytics tool, or third-party API. Castaly stores these values separately from Chat, the Spec, and code so they can be used at runtime without being exposed in the Project definition.

Castaly creates Runtime Secret rows when a Build or Project capability needs a value at runtime.

Required by a feature

A feature needs a credential before it can fully work, such as a payment secret key or API token.

Detected from the implementation

Castaly lists only the secrets the Project needs. If none are required, Runtime Secrets shows No secrets required.

Scoped to the Project

Secrets belong to the current Project. They are not global account settings.

A missing required secret affects runtime behavior and Publish readiness. It does not stop Castaly from understanding or building your Project.

AreaWhat happens when a required secret is missing
BuildBuild can still run.
PreviewPreview can still open, but the feature that needs the secret may not work.
PublishPublish is blocked until the required secret is configured.

When Publish is blocked by a missing required secret, the Project shows Configuration required.

Runtime Secrets can be required or optional.

  • Required secrets must be configured before you can publish.
  • Optional secrets support additional behavior, but may not block Publish.
  • The UI is the source of truth for whether a missing secret blocks the current Project.

You can open Runtime Secrets in two ways:

  1. From Project Settings

    In the Project Workspace top bar, open the gear icon, then choose Runtime Secrets.

    Path: Project Workspace → gear icon → Runtime Secrets.

  2. From Configuration required

    If the Project shows Configuration required, click Set up to jump directly to Runtime Secrets.

    Path: Configuration required → Set up → Runtime Secrets.

  1. Open a Missing secret

    Find the row with status Missing, then choose Set secret.

  2. Enter the value

    Paste the API key, token, or secret value into the input.

  3. Save

    After saving, the status changes to Configured.

  4. Replace when needed

    To rotate a credential, choose Edit secret and save a new value. Editing replaces the stored value; it does not reveal the old one.

Runtime Secrets is a table. Castaly fills in the rows your build actually needs, grouped as Required or Optional.

ColumnWhat it shows
NameThe secret’s key, e.g. STRIPE_SECRET_KEY
EnvironmentWhere it applies — Preview or Production
ValueNot set before configuration, masked after saving
StatusMissing, Configured, or Dismissed
ActionSet secret, Edit secret, or Read-only

A missing required secret does not stop you from building or previewing.

  1. Build and Preview keep working

    You can run a Build and get a working Preview even with a required secret still Missing. The feature that needs it may not work yet, but nothing is blocked.

  2. The Project shows Configuration required

    Castaly marks the Project Configuration required and offers a Set up shortcut into Runtime Secrets.

  3. Publish is blocked until it's filled

    You can’t Publish a Project Version while a required secret is Missing. Fill it in, and Publish unblocks.

This is the one Project Settings rule that gates Publish. See Blockers for the full picture of what can hold a Project back.

Runtime Secrets are sensitive credentials. Treat them like production keys.

Encrypted at rest

Saved secrets are encrypted while stored.

Never shown again

After saving, Castaly only shows a masked value. To change it, replace it.

Keep them out of content

Do not paste secrets into Chat, the Spec, public docs, or visible page content.

While you are editing a secret, the input shows what you are typing so you can confirm it before saving. After it is saved, the stored value stays hidden.

Next: when required secrets are configured, continue to Publish Your Project or set your published URL in Project URLs.