doppler run: Inject Doppler Secrets into a Command
doppler run pulls the secrets for a project/config and executes the command after -- with them exported as environment variables.
Doppler is a hosted secrets manager; its CLI injects secrets at runtime so nothing is written to disk. In CI you authenticate with a service token scoped to one config.
What it does
doppler run fetches all secrets for the selected project and config and runs the given command with those secrets set as environment variables in the child process only.
Common usage
export DOPPLER_TOKEN=dp.st.prod.xxxxx
doppler run -- ./deploy.sh
doppler run --project app --config prd -- npm start
doppler run --mount .env -- docker compose upOptions
| Flag | What it does |
|---|---|
| -- <command> | Command to run with secrets injected |
| -p, --project <name> | Doppler project to read from |
| -c, --config <name> | Config (environment) within the project |
| -t, --token <token> | Service token (or set DOPPLER_TOKEN) |
| --mount <path> | Expose secrets as a temporary env file at path |
| --preserve-env | Do not overwrite existing env vars of the same name |
In CI
Use a service token scoped to a single config, set via DOPPLER_TOKEN from a repo secret, instead of doppler login. The token already implies the project and config, so you can drop --project/--config. Prefer doppler run over downloading secrets to a file.
Common errors in CI
"Doppler Error: you must provide a token" means DOPPLER_TOKEN is unset and no login exists; export the service token. "Doppler Error: Invalid Service token" means the token is wrong or revoked. "Doppler Error: Could not find requested project" means the token does not have access to the named project/config.