Functions

Secrets Management

Functions often need API keys, tokens, or other sensitive configuration to call external services. PayWeave provides encrypted secrets that are injected into your handler's environment at runtime.

Adding secrets

From your Function detail page, go to the Secrets tab. Click Add Secret and provide a key and value:

Plain Text
Key:   OPENAI_API_KEY
Value: sk-proj-abc123...

After saving, the value is encrypted and stored securely. It will not be displayed again in the dashboard - only the key name is visible.

Using secrets in handlers

Secrets are available via process.env in your handler code, just like standard environment variables:

TypeScript
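export default async function handler(req: Request): Promise<Response> {
  // Injected at runtime from this Function's encrypted secrets.
  const key = process.env.OPENAI_API_KEY;
  if (!key) {
    // Fail closed rather than sending "Bearer undefined" upstream.
    // The error names the key only, never a value.
    return Response.json(
      { error: 'OPENAI_API_KEY is not configured' },
      { status: 500 },
    );
  }

  const res = await fetch('https://api.openai.com/v1/chat/completions', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${key}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      model: 'gpt-4o-mini',
      messages: [{ role: 'user', content: 'Hello' }],
    }),
  });

  const data = await res.json();
  return Response.json(data);
}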

Updating and deleting secrets

To update a secret, click the edit icon next to its key name and enter a new value. The old value is replaced immediately. To delete a secret, click the delete icon - it is removed from the encrypted store and will no longer be available to handlers.

Secrets are scoped to a single Function. If multiple Functions need the same credential, add the secret to each one individually.

Encryption details

Secret values are encrypted using AES-256-GCM with per-workspace keys. They are decrypted only at handler execution time in an isolated runtime. Secrets are never written to logs, included in error responses, or exposed through the API.

Use descriptive key names like STRIPE_SECRET_KEY or DATABASE_URL to keep your secrets organized. Key names must be uppercase alphanumeric with underscores.
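
The following is an added example, not PayWeave's own code. It loads the secrets a handler needs from the injected environment, enforces the key-name rule stated above, and masks secret values in any text the handler builds itself. The helper names requireSecrets and redact are hypothetical, and it assumes the handler is responsible for what it puts into its own logs and responses.

```typescript
// Added example: requireSecrets and redact are hypothetical helper names.
// Key-name rule from this page: uppercase alphanumeric with underscores.
const KEY_NAME = /^[A-Z0-9_]+$/;

type Env = Record<string, string | undefined>;
type Secrets = Record<string, string>;

// Read every secret the handler needs up front and fail closed if any is
// absent. Only key names appear in the error text, never values.
function requireSecrets(names: string[], env: Env): Secrets {
  const found: Secrets = {};
  const missing: string[] = [];
  for (const name of names) {
    if (!KEY_NAME.test(name)) {
      throw new Error(`invalid secret key name: ${name}`);
    }
    const value = env[name];
    if (value === undefined || value === '') {
      missing.push(name);
    } else {
      found[name] = value;
    }
  }
  if (missing.length > 0) {
    throw new Error(`missing secrets: ${missing.join(', ')}`);
  }
  return found;
}

// Mask secret values in text the handler is about to log or return, such as
// an upstream error message that echoes the credential it was sent.
function redact(text: string, secrets: Secrets): string {
  // Longest value first, so a secret containing a shorter one is masked whole.
  const names = Object.keys(secrets).sort(
    (a, b) => secrets[b].length - secrets[a].length,
  );
  let result = text;
  for (const name of names) {
    result = result.split(secrets[name]).join(`[${name} redacted]`);
  }
  return result;
}

// In a handler: const secrets = requireSecrets(['OPENAI_API_KEY'], process.env);
```

Call requireSecrets once at the top of the handler and pass anything derived from an upstream error through redact before it reaches a log line or a response body.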