Set, unset, list, encryption
Env vars are encrypted at rest (AES-256-GCM) and injected at container startup. Changes take effect on the next deploy — run percher publish to apply immediately.
bunx percher env set STRIPE_KEY=sk_live_... bunx percher env list # values are masked bunx percher env unset STRIPE_KEY
Build-time exposure: by default env vars are only available at runtime, which is correct for secrets but breaks frameworks like Vite/Next/Astro/Expo that bake *_PUBLIC_* values into the static bundle at build time. Opt in per-key via [build] pass_env in percher.toml:
# percher.toml [build] pass_env = [ "NEXT_PUBLIC_API_URL", "VITE_POCKETBASE_URL", "EXPO_PUBLIC_API_URL", ] # values still come from the env store, not the TOML bunx percher env set NEXT_PUBLIC_API_URL=https://api.example.com
For Dockerfile-based projects (runtime = "docker") the listed keys are forwarded as --build-arg; declare ARG NEXT_PUBLIC_API_URL in your Dockerfile to read them.