Discover what is new and improved with Doppler!

April 13, 2021

Developers and organizations trust Doppler with securely managing and serving millions of secrets to their applications, and we’re excited to announce that Doppler has achieved SOC 2 Compliance.

Read our announcement blog post to learn more.

December 10, 2020

GitHub now scans your repos for Doppler tokens. Tokens found in public repos will be automatically revoked, preventing exposed tokens from being used to access your secrets.

See the official announcement from GitHub at

November 17, 2020

We’re trusted with serving millions of secrets to developers and their apps in a secure, performant, and reliable way. A love for security is built into the core of our DNA and you can help by joining Doppler's Vulnerability Disclosure Program at

July 22, 2020

We've rolled out support for our most requested MFA method: security keys! You can now use a YubiKey and other WebAuthn-based security keys as an additional factor during login. Security keys can be added in addition to OTP/Authy, and we support multiple keys from day one. One piece of personal advice: always add a backup key!

March 2, 2020

We've added support for setting up OTP via a manual key. This is in addition to the primary method of scanning a QR code. If you haven't set up OTP yet, try it out today!

February 13, 2020

Our users trust Doppler with their secrets. In return, Doppler trusts users to take account security seriously. After all, the most secure systems are still only as secure as their weakest link.

To help improve account security for all users, we'll now prompt you to set up 2FA on your next login. We'll also do so after performing a password reset.

This helps ensure your secrets are shielded from poor password hygiene, which is an ongoing goal of ours.

January 10, 2020

To encourage best practices, service tokens are now only displayed once during initial creation. After creation, you'll need to generate a new service token to retrieve its value. This helps ensure that you're using a unique service token for each service.

January 3, 2020

To help keep customers safe, we now securely check users' passwords against public data breaches. If your password has previously been exposed in a data breach, we'll display a notice during login that requires you to change your password. More info:

We use the k-Anonymity model to anonymously and securely check if your password has been part of any past, public data breaches. Specifically, during login we now take a SHA1 hash of your password. The first 5 characters of this hash are sent to the popular Have I Been Pwned (HIBP) service. HIBP returns a list of all hashes it knows about that start with the same 5-character prefix. Our servers then compare each returned hash against the full SHA1 hash of the user's password. If there is a match, we prompt the user to change their password.

This process can only be performed during login and when changing your password because that's the only time Doppler has access to a user's plaintext password. We store bcrypt hashes of passwords in our database, meaning it would be computationally infeasible to perform this HIBP check at any other time. Additionally, the computed SHA1 hash is used only for the HIBP service and is never persisted outside of application memory.
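The k-Anonymity lookup described above, as an added example that is not Doppler's code: the caller sends only the 5-character prefix and matches the rest of the hash locally against `SUFFIX:COUNT` lines, the format the HIBP range API returns. The names `split_sha1`, `breach_count` and `fake_range_service` are hypothetical, and the breach corpus is constructed so the block runs offline.

```python
import hashlib
from typing import Callable

# Constructed sample corpus (password -> times seen); not real breach data.
CONSTRUCTED_BREACHED = {"password": 3, "hunter2": 17}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_service(prefix: str) -> str:
    """Hypothetical stand-in for the range endpoint; it only ever sees the prefix."""
    lines = ["0" * 35 + ":0"]  # padding-style entry: a count of 0 is not a real hit
    for known, seen in CONSTRUCTED_BREACHED.items():
        known_prefix, known_suffix = split_sha1(known)
        if known_prefix == prefix:
            lines.append(f"{known_suffix}:{seen}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the breach corpus, 0 if it is not found."""
    prefix, suffix = split_sha1(password)
    # Only the prefix crosses the network; the full hash stays in local memory.
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() != suffix:
            continue
        # A malformed or zero count is treated as no match.
        return int(count) if count.isdecimal() else 0
    return 0


if __name__ == "__main__":
    for pw in ("password", "kT9#vQ2-constructed-unbreached"):
        print(pw, "->", breach_count(pw, fake_range_service))
```

Passing the fetcher in as a parameter keeps the matching logic testable without network access; a production caller would supply a function that performs the HTTPS request for the prefix.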

We'll likely talk more about password security at a future date. For now, we encourage all of our customers to follow these best practices, as we do internally:

  • Use a password manager for every account, regardless of its importance
  • Always enable 2FA! (but ideally avoid SMS and Voice 2FA)
  • Generate strong, random passwords with your password manager
  • Never reuse passwords

February 4, 2019

Using Single Sign-On providers like Okta or OneLogin? We have great news: you can now onboard your entire organization with our enterprise SAML SSO + JIT (Just In Time) feature. Request access today by reaching out to our enterprise team.

October 14, 2018

As of today, you can roll your Doppler API key as needed. For owners, the ability to roll any other teammate's API key on the team page is also available.