Skip to content

Docs

Secrets

Why SupaClone does not automatically copy secret values and how to re-enter them safely after cloning.

Last updated 2026-07-09

Secrets are manual by design

SupaClone does not automatically copy secret values between projects.

This is intentional. Many secrets are write-only, masked by Supabase, environment-specific, or unsafe to move without review. Copying them blindly can connect a staging project to production services.

Common manual secrets

Expect to re-enter:

  • Edge Function secrets.
  • OAuth provider secrets.
  • Auth hook secrets.
  • Custom SMTP passwords.
  • CAPTCHA secrets.
  • SMS provider credentials.
  • Webhook signing secrets.
  • Payment provider keys.
  • Any third-party API tokens used by your functions or database logic.

Use a staging-specific secret set whenever possible.

  1. Review SupaClone's manual steps after the clone.
  2. Create target secrets with staging or target-specific values.
  3. Avoid reusing production tokens unless the target is production-bound.
  4. Rotate any secret that was exposed during manual migration.
  5. Confirm target logs do not print secret values.

Source secrets

SupaClone may identify that a secret-backed feature exists, but it should not reveal the secret value in the UI, reports, or logs.

If a provider only works after you re-enter a secret, that is expected behavior.

Ready to run a verified clone?

Start with a fresh target project, choose exactly what to copy, and review the clone report after the run completes.

Clone your first project free