
Storing Secrets Securely for Go Cloud Applications 🔑
✨ Let's learn how to secure a Go app
🤔 Wouldn't it be nice to store secret values like API keys, database passwords, and private keys, directly in the source code?
Of course we can't do that; it's horrifyingly insecure!
(Unfortunately, it's also very common.)
Encore's secrets manager makes it simple to store secrets securely, and lets you use them in your program like regular variables.
In this guide, we'll show you how!🔑
💽 Install Encore
Install the Encore CLI to run your local environment:
- macOS: `brew install encoredev/tap/encore`
- Linux: `curl -L https://encore.dev/install.sh | bash`
- Windows: `iwr https://encore.dev/install.ps1 | iex`
🛠 Create an app
A common use case for storing secrets is when using a third-party API.
As an example, ElevenLabs offers a cool API for generating voices using AI.
To use it, let's create a new Encore application with this command and select the `Empty app` template:

```shell
encore app create
```
💾 Download the ElevenLabs package
- Download the `elevenlabs` package from https://github.com/encoredev/examples/tree/main/bits/elevenlabs and add it to the app directory you just created.
- Sync your project dependencies by running `go mod tidy`. (Note: this requires Go 1.21 or later to be installed.)
Notice how the program uses `ElevenLabsAPIKey` as a regular variable; that's because Encore takes care of supplying the secret from Encore's secrets manager. But first, we need to store an API key.
🔑 Get your API Key and store it in Encore's secrets manager
Get your API key from ElevenLabs by signing up for a free account at https://elevenlabs.io.
Once you have the API key, save it as a secret using Encore's secrets manager with the name `ElevenLabsAPIKey`, by running:

```shell
encore secret set --type dev,prod,local,pr ElevenLabsAPIKey
```
🏁 Run your app locally
Start your application locally by running:
```shell
encore run
```
You can now open Encore's local development dashboard at http://localhost:9400 to see your app's API documentation, call the API using the API explorer, view traces, and more.
🕹 Try out the API
Now let's play around a bit with our shiny new API integration!
From the API Explorer in the local development dashboard, try calling the `elevenlabs.DownloadAudio` endpoint with the text input of your choice in the request body.
This will use the API to generate an MP3 audio file and download it to your app root folder as `speech.mp3`.
If you see the file, it means your API integration works and you securely used your API key. Congratulations! 🎉
🤔 How it works: Using secrets in your Encore application
Ok, so we know that it works. But how does it work? Let's take a deeper look!
When using a secret in your application, you define it directly in your code by creating an unexported struct named `secrets`, where all fields are of type `string`. For example:

```go
var secrets struct {
	SSHPrivateKey  string // ed25519 private key for SSH server
	GitHubAPIToken string // personal access token for deployments
	// ...
}
```
When you've defined secrets in your program, the Encore compiler will check that they are set before running or deploying your application. If a secret is not set, you will get a compilation error notifying you that a secret value is missing.
Once you've provided values for all secrets, you can just use them in your application like a regular variable. For example:
```go
import (
	"context"
	"net/http"
)

func callGitHub(ctx context.Context) {
	// The URL had a stray third slash ("https:///") in the original snippet.
	req, _ := http.NewRequestWithContext(ctx, "GET", "https://api.github.com/user", nil)
	req.Header.Add("Authorization", "token "+secrets.GitHubAPIToken)
	resp, err := http.DefaultClient.Do(req)
	// ... handle err and resp
}
```
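Encore performs the "secret value is missing" check at build time, and the article notes that in production the values reach the container as secret environment variables. As an added example (not Encore's code and not from the original post), the Go program below reproduces the same fail-fast idea for a plain Go service reading its environment: it fills a string-only secrets struct by reflection, reports every missing field in one error rather than failing on the first, and redacts the struct when printed so a stray log line cannot echo a value. The `Secrets` type, `loadSecrets` and the injected `lookup` function are constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"reflect"
	"strings"
)

// Secrets mirrors the article's string-only secrets struct (constructed example).
type Secrets struct {
	SSHPrivateKey  string // ed25519 private key for SSH server
	GitHubAPIToken string // personal access token for deployments
}

// String redacts every field so fmt.Println(secrets) or a log line never echoes a value.
func (Secrets) String() string { return "Secrets{<redacted>}" }

// loadSecrets fills each field of s (a pointer to a string-only struct) from
// lookup(fieldName) and reports all missing fields in a single error: the
// runtime counterpart of Encore's "secret value is missing" build error.
func loadSecrets(s any, lookup func(string) (string, bool)) error {
	v := reflect.ValueOf(s).Elem()
	t := v.Type()
	var missing []string
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		if f.Type.Kind() != reflect.String {
			return fmt.Errorf("secrets field %s must be a string", f.Name)
		}
		if val, ok := lookup(f.Name); ok && val != "" {
			v.Field(i).SetString(val)
		} else {
			missing = append(missing, f.Name)
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("missing secret values: %s", strings.Join(missing, ", "))
	}
	return nil
}

func main() {
	var secrets Secrets
	if err := loadSecrets(&secrets, os.LookupEnv); err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println(secrets) // prints Secrets{<redacted>}
}
```

Passing `os.LookupEnv` reads the real environment; the tests pass a map-backed lookup instead so the check runs without any secrets present.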
🤔 How it works: Saving secret values
Using the Cloud Dashboard
The simplest way to set up secrets is with the Secrets Manager in the Encore Cloud Dashboard. Open your app in app.encore.dev, go to Settings in the main navigation, and then click on Secrets in the settings menu.
From there you can create secrets, save secret values, and configure different values for different environments.
Using the CLI
If you prefer, you can also set up secrets from the CLI using:

```shell
encore secret set --type <types> <secret-name>
```

`<types>` defines which environment types the secret value applies to. Use a comma-separated list of `production`, `development`, `preview`, and `local`. Shorthands: `prod`, `dev`, `pr`.
For example, `encore secret set --type prod SSHPrivateKey` sets the secret value for production environments,
and `encore secret set --type dev,preview,local GitHubAPIToken` sets the secret value for development, preview, and local environments.
In some cases it can be useful to define a secret for a specific environment instead of an environment type.
You can do so with `encore secret set --env <env-name> <secret-name>`. Secret values for specific environments
take precedence over values for environment types.
Environment settings
Each secret can only have one secret value for each environment type. For example: if you have a secret value that's shared between `development`, `preview` and `local`, and you want to override the value for `local`, you must first edit the existing secret and remove `local` using the Secrets Manager in the Cloud Dashboard. You can then add a new secret value for `local`. The end result should look something like the picture below.
🤔 How it works: Where are secrets stored?
When you store a secret, Encore stores it encrypted using Google Cloud Platform's Key Management Service (KMS).
- Production / Your own cloud: When you deploy to production using your own cloud account on GCP or AWS, Encore provisions a secrets manager in your account (using either KMS or AWS Secrets Manager) and replicates your secrets to it. The secrets are then injected into the container using secret environment variables.
- Local: For local secrets, Encore automatically replicates them to developers' machines when running `encore run`.
- Development / Encore Cloud: Environments on Encore's development cloud (running on GCP under the hood) work the same as self-hosted GCP environments, using GCP Secrets Manager.
🚀 Bonus: Deploy to the cloud
If you want to deploy your app to a free cloud environment in Encore's development cloud, simply run:
```shell
git add -A .
git commit -m 'Initial commit'
git push encore
```
👉 Then head over to the Cloud Dashboard to monitor your deployment and find your production URL by going to the overview page for the environment you just created. It will be something like: `https://staging-[APP-ID].encr.app`.
🎉 Great job - you're running in the cloud!
Great job! You now have an AI-powered app running in the cloud.
Keep building with Encore using these Open Source App Templates. 👈
If you have questions or want to share your work, join the developer hangout in Encore's community Slack. 👈