Managing secrets as a team

Managing secrets as a team

Managing secrets is rarely a solo task. As soon as multiple developers are involved, structure becomes essential. Without it, secrets get shared in DMs, stored in personal config files, or lost in cloud dashboards that only one person knows how to access.

This chapter covers how Doppler helps teams collaborate around secrets in a secure, scalable way without introducing friction.

Note: A few new features have launched since this video was recorded. Doppler now supports OIDC for secure CI/CD auth, change requests for reviewing secret updates, and analytics dashboards to see how your team’s using the platform. We’ll cover all of these later in the chapter.

Doppler plans and access

Doppler is built to support teams at every stage, from solo developers to growing startups and enterprise organizations. The platform is available across three plans: Developer, Team, and Enterprise.

The Developer plan is free and best suited for individuals or small teams just getting started. It includes a single workplace, unlimited projects, and access for up to five users.

The Team plan is designed for more collaborative use cases. It adds features like project-based roles and permissions, access logs, and integrations with popular CI/CD platforms.

The Enterprise plan includes everything in the Team plan, along with advanced capabilities such as SAML SSO, SCIM provisioning, custom roles, user groups, and extended logging support. These features help larger organizations manage access and scale securely across teams.

As we go through this chapter, we’ll note when specific features are tied to a particular plan. You can also view a full comparison here.

Personal configs for local development

Developers often need to test locally with secrets that differ from shared values. Personal configs let each user define a private version of a configuration that only applies to their own machine. This helps reduce the need for manual edits to environment files or shared secrets during development.

Personal configs are available across all plans and live within the environment settings panel. Only the person who creates a personal config can view or use it.

Role-based access controls (RBAC)

Managing secrets securely requires more than just storing them in the right place. Teams need to control who can view and modify secrets and in which environments. Role-based access makes it easier to protect production, prevent accidental changes, and maintain separation between responsibilities.

On the Developer plan, all users share the same level of access. Each user's workplace role is set to "Owner" and project role set to "Admin" which grants full access for both workplace and project permissions.

The Team plan introduces built-in roles at both the workplace and project level. Owners and Admins can manage projects and invite users. Collaborators and Viewers can be scoped to specific environments, giving teams more flexibility without compromising security.

The Enterprise plan builds on this by allowing teams to define custom roles. These can be tailored to match internal policies or specific workflows, providing more granular control.

Logs and version history

Being able to track what changed, when, and by whom is essential for collaboration and troubleshooting. Activity logs provide visibility into changes across your workspace, while secret version history allows you to roll back values if something breaks.

The Developer plan includes access to logs from the past three days, giving individuals short-term visibility into changes.

The Team plan provides 90 days of activity logs, version history, and rollback support. It also allows you to send activity events to Slack, Microsoft Teams, or Discord for easier monitoring.

The Enterprise plan includes full activity logs and supports exporting events to tools like Splunk, Sumo Logic, and Datadog. You can also send real-time activity updates to Slack, Microsoft Teams, or Discord. Each log entry includes a unique URL and can be filtered by secret, user, or access method.

Single Sign-On and domain control

Single Sign-On (SSO) simplifies authentication and gives admins more control over who can join a workspace. It also reduces the burden of managing individual login credentials.

Both the Team and Enterprise plans include SSO support. Email-based SSO allows anyone from an approved domain to join without needing an invite. Users can configure SAML-based SSO using identity providers such as Okta or Google Workspace. Domain verification is managed directly in the Doppler dashboard.

User groups

User management can get complicated as teams grow. User groups help by letting admins assign roles to entire teams or departments at once, rather than configuring access user by user. Groups can be created through the dashboard, API, or Terraform.

User groups are available on the Enterprise plan and can be added on the Team plan.

Enterprise customers can also enable SCIM to automatically sync users and group data from their identity provider. This helps ensure that team access stays accurate as employees join or leave.

Custom roles

Different teams need different levels of access. While built-in roles cover most use cases, some organizations require more flexibility.

Custom roles allow teams to define their own permission sets that map directly to internal security policies or operational responsibilities. You can control what actions each role can perform like managing secrets, configuring integrations, or approving change requests, and apply those roles across specific projects or environments.

Available as an add-on to the Team plan and included in the Enterprise plan, custom roles work well alongside user groups to scale access control across larger teams.

OIDC authentication with service accounts

Service account identities allow CI systems and other automated tools to authenticate to Doppler without storing long-lived API tokens. Instead, these systems generate a short-lived OIDC token that Doppler validates at runtime.

This makes automated workflows more secure and easier to manage, especially across multiple environments.

Doppler supports OIDC integration with providers like GitHub Actions, GitLab, and CircleCI. You can authenticate using the CLI or Doppler’s API, and define exactly which claims need to be present for a token to be valid.

Service account identities are available on the Team and Enterprise plans. Identity rules and configuration options are defined in the service account’s settings within Doppler.

Change requests

Secrets deserve the same review process as code. Change requests let teams propose updates to secrets and configs without needing full write access. The right teammates can review, approve, and merge each request, reducing risk and improving accountability.

Change requests are available on the Team and Enterprise plans. On Enterprise, admins can enforce structured approval workflows using policies that define who must review changes and how many approvals are required.

This feature helps teams stay secure while avoiding access sprawl, and keeps secret changes as deliberate as code commits.

Analytics dashboards

Understanding how secrets are used across your organization is key to maintaining security and scaling safely. Doppler’s Analytics Dashboards provide a clear view into how secrets are being managed, where integrations are active, and how teams are adopting the platform.

Each dashboard focuses on a specific area, such as integration usage or environment activity, and includes charts that help you spot patterns, troubleshoot issues, and make more informed decisions.

Dashboards are permission-based and visible only to users with access to all projects, including workspace Owners and Admins. They are included in the Enterprise plan, and additional dashboard types and insights are planned for future releases.

Next: Integrating secrets into CI/CD and production

Now that your secrets are structured and your team is set up, the next step is putting those secrets to work across your deployment workflows. In Chapter 4, we’ll explore how Doppler connects to your CI/CD pipelines, how secrets stay in sync across environments, and how to move from manual config updates to fully automated delivery.