doppler-secret-validation
Validate and test Doppler secrets. TRIGGERS - add to Doppler, store secret, validate token, test credentials.
Best use case
doppler-secret-validation is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using doppler-secret-validation should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/doppler-secret-validation/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How doppler-secret-validation Compares
| Feature / Agent | doppler-secret-validation | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Validate and test Doppler secrets. TRIGGERS - add to Doppler, store secret, validate token, test credentials.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Doppler Secret Validation
> **Self-Evolving Skill**: This skill improves through use. If instructions are wrong, parameters drifted, or a workaround was needed — fix this file immediately, don't defer. Only update for real, reproducible issues.
## Overview
Workflow for securely adding, validating, and testing API tokens and credentials in Doppler secrets management.
## When to Use This Skill
Use this skill when:
- User provides API tokens or credentials (PyPI, GitHub, AWS, etc.)
- User mentions "add to Doppler", "store secret", "validate token"
- User wants to test authentication before production use
- User needs to verify secret storage and retrieval
## Workflow
### Step 1: Test Token Format (Before Adding to Doppler)
Before storing in Doppler, validate token format:
```bash
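# Check token format, length, prefix.
# The token is read from a hidden prompt so it stays out of shell history and the process list.
python3 -c "import getpass; token = getpass.getpass('Token: '); print(f'Prefix: {token[:20]}...'); print(f'Length: {len(token)}')"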
```
**Common token formats**:
- PyPI: `pypi-...` (179 chars)
- GitHub: `ghp_...` (40+ chars)
- AWS: 20-char access key + 40-char secret
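An added example (not part of the skill's bundled scripts) of the Step 1 format check: it reads the token from a hidden prompt, checks it against the prefixes and lengths listed above, and reports a truncated SHA-256 fingerprint instead of any token characters. The `check_token` helper and its exact-versus-minimum length handling are assumptions made for illustration.

```python
import getpass
import hashlib

# (prefix, expected length, exact match?) from the "Common token formats" list;
# the AKIA prefix comes from this page's troubleshooting table.
KNOWN_FORMATS = {
    "pypi": ("pypi-", 179, True),
    "github": ("ghp_", 40, False),  # listed as "40+ chars"
    "aws_access_key": ("AKIA", 20, True),
}


def check_token(raw: str) -> dict:
    """Classify a token and list format problems without echoing its value."""
    token = raw.strip()
    problems = []
    if token != raw:
        problems.append("surrounding whitespace (copy-paste artifact)")
    if any(ch.isspace() for ch in token):
        problems.append("embedded whitespace")
    kind = next((k for k, (prefix, _, _) in KNOWN_FORMATS.items()
                 if token.startswith(prefix)), None)
    if kind is None:
        problems.append("unrecognized prefix")
    else:
        _, expected, exact = KNOWN_FORMATS[kind]
        ok = len(token) == expected if exact else len(token) >= expected
        if not ok:
            problems.append(
                f"length {len(token)}, expected {expected}{'' if exact else '+'}")
    # A truncated SHA-256 identifies the token for later comparison
    # (for example against the value read back from Doppler) without revealing it.
    fingerprint = hashlib.sha256(token.encode()).hexdigest()[:12]
    return {"kind": kind, "length": len(token),
            "fingerprint": fingerprint, "problems": problems}


if __name__ == "__main__":
    # Hidden prompt: the token never appears in argv or shell history.
    print(check_token(getpass.getpass("Token: ")))
```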
### Step 2: Add Secret to Doppler
```bash
doppler secrets set SECRET_NAME="value" --project PROJECT --config CONFIG
```
**Example**:
```bash
doppler secrets set PYPI_TOKEN="pypi-AgEI..." \
  --project claude-config --config prd
```
**Important**: CLI doesn't support `--note`. Add notes via dashboard:
1. <https://dashboard.doppler.com>
2. Navigate: PROJECT → CONFIG → SECRET_NAME
3. Edit → Add descriptive note
### Step 3: Validate Storage
Use the bundled validation script:
```bash
/usr/bin/env bash << 'VALIDATE_EOF'
# Quote the path and stop if the skill directory is missing
cd "${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation" || exit 1
uv run scripts/validate_secret.py \
  --project PROJECT \
  --config CONFIG \
  --secret SECRET_NAME
VALIDATE_EOF
```
This validates:
1. Secret exists in Doppler
2. Secret retrieval works
3. Environment injection works via `doppler run`
**Example**:
```bash
uv run scripts/validate_secret.py \
  --project claude-config \
  --config prd \
  --secret PYPI_TOKEN
```
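The three checks listed above can be expressed directly with the CLI commands this page already uses. The code below is an added example, not the bundled `scripts/validate_secret.py`; `validate_secret` and its injectable `run` parameter are hypothetical names, and it compares the stored and injected values without printing either.

```python
import hmac
import subprocess
import sys


def validate_secret(project, config, name, run=subprocess.run):
    """Run the three checks; return pass/fail per check, never the value."""
    scope = ["--project", project, "--config", config]
    result = {"exists": False, "retrievable": False, "injected": False}

    # Checks 1 and 2: the secret exists and a non-empty value comes back.
    got = run(["doppler", "secrets", "get", name, *scope, "--plain"],
              capture_output=True, text=True, timeout=30)
    result["exists"] = got.returncode == 0
    stored = got.stdout.rstrip("\n") if result["exists"] else ""
    result["retrievable"] = bool(stored)
    if not stored:
        return result

    # Check 3: `doppler run` injects the same value into a child process.
    # printenv reads its own environment, so no shell expansion is involved.
    child = run(["doppler", "run", *scope, "--", "printenv", name],
                capture_output=True, text=True, timeout=30)
    injected = child.stdout.rstrip("\n")
    result["injected"] = child.returncode == 0 and hmac.compare_digest(
        stored.encode(), injected.encode())
    return result


if __name__ == "__main__":
    # Usage: python check.py PROJECT CONFIG SECRET_NAME
    outcome = validate_secret(*sys.argv[1:4])
    for check, passed in outcome.items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
    sys.exit(0 if all(outcome.values()) else 1)
```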
### Step 4: Test API Authentication
Use the bundled auth test script (adapt test_api_authentication() for specific API):
```bash
/usr/bin/env bash << 'CONFIG_EOF'
# Quote the path and stop if the skill directory is missing
cd "${CLAUDE_PLUGIN_ROOT}/skills/doppler-secret-validation" || exit 1
doppler run --project PROJECT --config CONFIG -- \
  uv run scripts/test_api_auth.py \
  --secret SECRET_NAME \
  --api-url API_ENDPOINT
CONFIG_EOF
```
**Example (PyPI)**:
```bash
doppler run --project claude-config --config prd -- \
  uv run scripts/test_api_auth.py \
  --secret PYPI_TOKEN \
  --api-url https://upload.pypi.org/legacy/
```
### Step 5: Document Usage
After validation, document the usage pattern for the user:
```bash
/usr/bin/env bash << 'CONFIG_EOF_2'
# Pattern 1: Doppler run (recommended for CI/scripts)
doppler run --project PROJECT --config CONFIG -- COMMAND
# Pattern 2: Manual export (for troubleshooting)
export SECRET_NAME="$(doppler secrets get SECRET_NAME \
  --project PROJECT --config CONFIG --plain)"
CONFIG_EOF_2
```
### Step 5b: mise [env] Integration (Recommended for Local Development)
For multi-account GitHub setups or per-directory credential needs, integrate Doppler secrets with mise `[env]`:
```toml
# .mise.toml
[env]
# Use ONE option. TOML rejects duplicate keys, so Option B is commented out here.
# Option A: Direct Doppler CLI fetch (slower, always fresh)
GH_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
GITHUB_TOKEN = "{{ exec(command='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
# Option B: Cache for performance (1 hour cache)
# GH_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
# GITHUB_TOKEN = "{{ cache(key='gh_token', duration='1h', run='doppler secrets get GH_TOKEN --project myproject --config prd --plain') }}"
```
**Note**: Set BOTH `GH_TOKEN` and `GITHUB_TOKEN` - different tools check different variable names (gh CLI vs npm scripts).
**Why mise [env]?** Doppler `doppler run` is session-scoped; mise `[env]` provides directory-scoped credentials that persist across commands.
See [`mise-configuration` skill](../../../itp/skills/mise-configuration/SKILL.md#github-token-multi-account-patterns) for complete patterns.
## Common Patterns
### Multiple Configs (dev, stg, prd)
Add secret to multiple environments:
```bash
# Production
doppler secrets set TOKEN="prod-value" --project foo --config prd
# Development
doppler secrets set TOKEN="dev-value" --project foo --config dev
```
### Verify Secret Across Configs
```bash
/usr/bin/env bash << 'CONFIG_EOF_3'
for config in dev stg prd; do
  echo "=== $config ==="
  doppler secrets get TOKEN --project foo --config "$config" --plain | head -c 20
  echo "..."
done
CONFIG_EOF_3
```
## Security Guidelines
1. **Never log full secrets**: Use `${SECRET:0:20}...` masking
2. **Prefer doppler run**: Scopes secrets to single command
3. **Use --plain only for piping**: Human-readable view masks secrets
4. **Separate configs per environment**: dev/stg/prd isolation
## Bundled Resources
- **scripts/validate_secret.py** - Complete validation suite (existence, retrieval, injection)
- **scripts/test_api_auth.py** - Template for API authentication testing
- **references/doppler-patterns.md** - Common CLI patterns and examples
## Reference
- Doppler docs: <https://docs.doppler.com/docs>
- CLI install: `brew install dopplerhq/cli/doppler`
- See [doppler-patterns.md](./references/doppler-patterns.md) for comprehensive patterns
---
## Troubleshooting
| Issue | Cause | Solution |
| --------------------------- | ------------------------------ | ----------------------------------------------------- |
| Secret not found            | Wrong project/config specified | Verify with `doppler secrets ls --project X --config Y` |
| Auth test fails with 401 | Token expired or invalid | Regenerate token, re-add to Doppler |
| doppler run hangs | CLI waiting for input | Add `--no-interactive` flag |
| Token prefix mismatch       | Wrong token type used          | Check expected format (pypi-, ghp_, AKIA, etc.)       |
| Validation script not found | Wrong directory context | Ensure CLAUDE_PLUGIN_ROOT is set correctly |
| Secret retrieval empty | Secret name typo | List secrets: `doppler secrets ls --project X` |
| mise cache stale | Duration expired | Clear cache or reduce duration setting |
| Multiple configs confusion | Secrets differ across envs | Use explicit --config flag for each command |
## Post-Execution Reflection
After this skill completes, reflect before closing the task:
0. **Locate yourself.** — Find this SKILL.md's canonical path before editing.
1. **What failed?** — Fix the instruction that caused it.
2. **What worked better than expected?** — Promote to recommended practice.
3. **What drifted?** — Fix any script, reference, or dependency that no longer matches reality.
4. **Log it.** — Evolution-log entry with trigger, fix, and evidence.
Do NOT defer. The next invocation inherits whatever you leave behind.