Kizaki
Guides

Teams, Environments, And Secrets

Organize deploy targets, credentials, and operational access without hard-coding values into your app.

Once your app moves past local development, the workflow looks like this:

kizaki login
kizaki env list
kizaki secrets set STRIPE_SECRET_KEY sk_live_... --env production
kizaki logs --env production --tail

This is where Kizaki becomes a full platform. Deployment targets, environment isolation, secret storage, and access controls all follow from the same app you built locally.

Environments

Each environment is an isolated instance of your application with its own Postgres database, secret scope, and subdomain. The standard names are staging, production, and preview.

Create environments explicitly or let them be created on first deploy:

kizaki env create staging
kizaki env list

There is no limit on environments. Some teams add qa or per-branch preview environments for pull request workflows. Every environment runs the same application shape (schema, migrations, server functions) with its own data and credentials.

Secrets

Secrets are encrypted at rest, scoped per application and environment, and injected at deploy time. Name them in UPPER_SNAKE_CASE.

kizaki secrets set STRIPE_SECRET_KEY "sk_live_..." --env production
kizaki secrets set RESEND_API_KEY "re_..." --env production
kizaki secrets list --env production

Reference secrets in your Inspire schema with @secret("NAME"), for example in the payments or email blocks. The runtime reads these values at startup.

Changing a secret does not affect a running deployment. The new value takes effect on the next deploy. This is intentional: secret rotation never disrupts a live environment without a deliberate deployment step.

Platform Keys (CI and Automation)

Platform keys are tokens for headless environments like CI pipelines, deploy scripts, and automation workflows. They authenticate against the Kizaki platform, not your application.

Create a scoped token:

kizaki keys create --scope deploy:write --name "GitHub Actions"

Then in your CI pipeline:

KIZAKI_TOKEN=<token> kizaki deploy --env staging --yes

The --yes flag skips interactive confirmation, which is necessary in non-interactive environments.

API Keys (HTTP Access)

API keys are application-level tokens for external callers. They authenticate against your application's HTTP routes, not the platform. Use them when a third-party service or webhook needs to call your exposed functions.

API keys are scoped to the API key scopes declared in your Inspire schema:

kizaki api-keys create --scope orders:read --name "Warehouse Integration" --env production
kizaki api-keys list --env production

Three Credential Types

Each credential category serves a distinct purpose. Keeping them separate prevents credentials from being reused for the wrong job.

CategoryPurposeScope
kizaki secretsRuntime configuration — database URLs, third-party API keys, signing secretsPer environment
kizaki keysPlatform access for CI pipelines and automation scriptsPer team
kizaki api-keysApplication-level HTTP access for external callers and webhooksPer environment

Do not reuse credentials across categories. A platform key should never appear in application code, and a runtime secret should never authenticate a CI pipeline.

Local development requires no secrets. The embedded Postgres database, simulated payments, and dev auth backend all run without external credentials. This is the default when you run kizaki dev.

Staging is where you introduce real credentials:

kizaki secrets set STRIPE_SECRET_KEY "sk_test_..." --env staging
kizaki secrets set GOOGLE_CLIENT_ID "..." --env staging
kizaki secrets set GOOGLE_CLIENT_SECRET "..." --env staging
kizaki deploy --env staging

Use test-mode keys from Stripe, sandbox OAuth credentials, and a staging email provider. Verify that auth flows, payment webhooks, and email delivery work end-to-end before going live.

Production uses live keys:

kizaki secrets set STRIPE_SECRET_KEY "sk_live_..." --env production
kizaki secrets set GOOGLE_CLIENT_ID "..." --env production
kizaki secrets set GOOGLE_CLIENT_SECRET "..." --env production
kizaki deploy --env production

The application code does not change between environments. Only the secrets differ.

Teams

A team is the organizational boundary for environments, secrets, and billing. Every application belongs to one team, and every team member has access to all environments within it.

kizaki team list
kizaki team members

When you run kizaki login for the first time and create an application, a personal team is created automatically. For collaborative work, invite team members so they can deploy, manage secrets, and view logs without sharing personal credentials.

Ownership and billing are scoped to the team, not to the individual who created the application.

Background Work

Use triggers, effects, and schedules for async workflows, retries, and recurring jobs.

Reference Overview

The canonical reference for the Inspire language, the TypeScript developer surfaces, and the CLI.

Elsewhere

FeedbackStudio

On this page

EnvironmentsSecretsPlatform Keys (CI and Automation)API Keys (HTTP Access)Three Credential TypesRecommended ProgressionTeamsRelated Reference