Docs
Secrets
Why SupaClone does not automatically copy secret values and how to re-enter them safely after cloning.
Last updated 2026-07-09
Secrets are manual by design
SupaClone does not automatically copy secret values between projects.
This is intentional. Many secrets are write-only, masked by Supabase, environment-specific, or unsafe to move without review. Copying them blindly can connect a staging project to production services.
Common manual secrets
Expect to re-enter:
- Edge Function secrets.
- OAuth provider secrets.
- Auth hook secrets.
- Custom SMTP passwords.
- CAPTCHA secrets.
- SMS provider credentials.
- Webhook signing secrets.
- Payment provider keys.
- Any third-party API tokens used by your functions or database logic.
Recommended process
Use a staging-specific secret set whenever possible.
- Review SupaClone's manual steps after the clone.
- Create target secrets with staging or target-specific values.
- Avoid reusing production tokens unless the target is production-bound.
- Rotate any secret that was exposed during manual migration.
- Confirm target logs do not print secret values.
Source secrets
SupaClone may identify that a secret-backed feature exists, but it should not reveal the secret value in the UI, reports, or logs.
If a provider only works after you re-enter a secret, that is expected behavior.
Ready to run a verified clone?
Start with a fresh target project, choose exactly what to copy, and review the clone report after the run completes.
Clone your first project free