Skip to content
Latchkey

doppler run: Inject Doppler Secrets into a Command

doppler run pulls the secrets for a project/config and executes the command after -- with them exported as environment variables.

Doppler is a hosted secrets manager; its CLI injects secrets at runtime so nothing is written to disk. In CI you authenticate with a service token scoped to one config.

What it does

doppler run fetches all secrets for the selected project and config and runs the given command with those secrets set as environment variables in the child process only.

Common usage

Terminal
export DOPPLER_TOKEN=dp.st.prod.xxxxx
doppler run -- ./deploy.sh
doppler run --project app --config prd -- npm start
doppler run --mount .env -- docker compose up

Options

FlagWhat it does
-- <command>Command to run with secrets injected
-p, --project <name>Doppler project to read from
-c, --config <name>Config (environment) within the project
-t, --token <token>Service token (or set DOPPLER_TOKEN)
--mount <path>Expose secrets as a temporary env file at path
--preserve-envDo not overwrite existing env vars of the same name

In CI

Use a service token scoped to a single config, set via DOPPLER_TOKEN from a repo secret, instead of doppler login. The token already implies the project and config, so you can drop --project/--config. Prefer doppler run over downloading secrets to a file.

Common errors in CI

"Doppler Error: you must provide a token" means DOPPLER_TOKEN is unset and no login exists; export the service token. "Doppler Error: Invalid Service token" means the token is wrong or revoked. "Doppler Error: Could not find requested project" means the token does not have access to the named project/config.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →