Global secrets are encrypted environment variables stored at the organization level. They are automatically inherited by every application and coding agent in your organization — no need to set the same secret on each app individually.

How they work

ZWRM injects secrets into VMs using a three-layer hierarchy. Each layer overrides the one below it:
Priority     Scope    Description
1 (lowest)   Global   Organization-wide, inherited by all apps
2            App      Set per-app with zwrm secrets
3 (highest)  Machine  Machine-specific overrides
If a global secret and an app secret share the same name, the app secret wins for that app. This lets you set sensible defaults globally and override them where needed.

Common use cases

  • API keys shared across multiple services (e.g. DATADOG_API_KEY, SENTRY_DSN)
  • Registry credentials for private Docker images
  • Shared database URLs used by several apps
  • Organization-wide config like LOG_LEVEL or ENVIRONMENT

Managing global secrets

Global secrets are currently managed through the ZWRM Dashboard or the REST API.
CLI support for global secrets (zwrm org secrets) is planned but not yet available. Use the dashboard or API in the meantime.

REST API

All endpoints require authentication and operate on the authenticated user’s organization.

Set a global secret

curl -X POST https://zwrm.io/v1/org/secrets \
  -H "Authorization: Bearer $ZWRM_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "DATADOG_API_KEY", "value": "your-key-here"}'
Returns 201 for new secrets, 200 for updates. Updating a secret increments its version.

List global secrets

curl https://zwrm.io/v1/org/secrets \
  -H "Authorization: Bearer $ZWRM_API_TOKEN"
Returns secret names, versions, and timestamps. Values are never exposed.

Delete a global secret

curl -X DELETE https://zwrm.io/v1/org/secrets/DATADOG_API_KEY \
  -H "Authorization: Bearer $ZWRM_API_TOKEN"

Secret naming rules

Global secrets follow the same naming rules as app secrets: names must start with a letter or underscore and contain only letters, numbers, and underscores (e.g. MY_SECRET_123).
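
The three-layer hierarchy and the naming rule above can be combined into a small audit that reports which layer supplies each secret and which global secrets are overridden, so that updating the global value would not change what that app or machine receives. This is an added example, not ZWRM code: the function names, the ASCII reading of "letters", and the sample data are assumptions made for illustration.

```python
import re

# Naming rule from the page; restricting "letters" to ASCII is an assumption.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Layers in ascending priority: each one overrides those before it.
LAYERS = ("global", "app", "machine")


def valid_name(name):
    """True if the name satisfies the documented secret naming rule."""
    return NAME_RE.fullmatch(name) is not None


def resolve(layers):
    """Map each secret name to the layer that wins and the layers it shadows.

    `layers` maps a layer name to the secret names defined there. Only names
    are used; secret values are never needed for this audit.
    """
    unknown = set(layers) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layer(s): {sorted(unknown)}")
    result = {}
    for layer in LAYERS:
        for name in layers.get(layer, ()):
            if not valid_name(name):
                raise ValueError(f"invalid secret name in {layer} layer: {name!r}")
            entry = result.setdefault(name, {"winner": layer, "shadowed": []})
            if entry["winner"] != layer:
                entry["shadowed"].append(entry["winner"])
                entry["winner"] = layer
    return result


def overridden_globals(layers):
    """Global secrets whose organization-wide value is not the one in effect."""
    return sorted(n for n, e in resolve(layers).items() if "global" in e["shadowed"])


# Constructed sample data for one machine of one app (names only, no values).
SAMPLE = {
    "global": ["DATADOG_API_KEY", "SENTRY_DSN", "LOG_LEVEL", "DATABASE_URL"],
    "app": ["LOG_LEVEL", "DATABASE_URL"],
    "machine": ["LOG_LEVEL"],
}

if __name__ == "__main__":
    for name, entry in sorted(resolve(SAMPLE).items()):
        print(f"{name}: from {entry['winner']}, shadows {entry['shadowed']}")
```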