Doppler
Doppler is a secrets management platform that helps developers organize and sync environment variables across teams and infrastructure.
Verdict
Common use cases
- Pull staging secrets during incident triage
- Rotate API keys after a security audit
- Generate expiring share links for contractors
- Audit who changed production config yesterday
- Sync .env files across local and CI
Integration
- Vendor
- Doppler
- Category
- developer-tools
- Auth
- API_KEY
- Tools
- 26
- Composio slug
doppler
Tools
- Create Encrypted Share Link
Tool to generate a Doppler Share link by sending an encrypted secret. Use when you need to securely share secrets with end-to-end encryption. The receive flow is end-to-end encrypted where the encrypted secret will be decrypted on the recip
- Create Plain Text Share Link
Tool to generate a Doppler Share link by sending a plain text secret. Use when you need to securely share secrets with expiration controls. The secret is not stored in plain text by Doppler; the receive flow is end-to-end encrypted where th
- Delete Secretdestructive
Tool to delete a secret from a Doppler config. Use when you need to permanently remove a secret from a specific project and config.
- Download Secrets
Tool to download secrets from a Doppler config in various formats. Use when you need to retrieve all secrets or a subset of secrets from a specific project and config. Supports multiple output formats and name transformations.
- Get Authenticated User Info
Tool to retrieve information about the authenticated user or token. Use when you need to verify authentication status or get details about the current token's workplace and permissions.
- Get Config
Tool to retrieve a specific Doppler config by project and config name. Use when you need to get configuration details for a specific project environment.
- Get Config Log
Tool to retrieve a specific config log from Doppler. Use when you need to view details about a particular configuration change or event.
- Get Project Details
Tool to retrieve details of a specific Doppler project by its identifier. Use when you need to get project metadata including name, description, and creation timestamp.
- Get Project Role
Tool to retrieve details of a specific project role in Doppler. Use when you need to get information about a role's permissions and metadata.
- Get Secret
Tool to retrieve a specific secret from a Doppler project config. Use when you need to get the value of a specific secret including its raw and computed values.
- Get Workplace Information
Tool to retrieve workplace information from Doppler. Use when you need to get workplace details including ID, name, billing email, and security email.
- Get Workplace Role
Tool to retrieve workplace role information from Doppler. Use when you need to get details about a specific role including its permissions and metadata.
- List Change Requests
Tool to list existing change requests in the Doppler workplace. Use when you need to retrieve all change requests and their current status.
- List Config Logs
Tool to retrieve configuration change logs for a specific config in a project. Use when you need to view the history of configuration changes, track who made changes, or identify rollback actions.
- List Doppler Configs
Tool to list configurations from a Doppler project. Use when you need to retrieve all configs or filter by environment. Supports pagination for large result sets.
- List Doppler Projects
Tool to list all Doppler projects in your workspace. Use when you need to retrieve available projects for configuration management or to get project details.
- List Doppler Secrets
Tool to list all secrets for a specific Doppler config within a project. Use when you need to retrieve secret values and metadata. Returns both raw and computed values for each secret, along with visibility settings and optional notes.
- List Environments
Tool to list all environments in a Doppler project. Use when you need to retrieve the environments available in a specific project.
- List Integrations
Tool to retrieve all existing integrations in Doppler. Use when you need to list all configured integrations.
- List Project Role Permissions
Tool to list all available permissions for project roles in Doppler. Use when you need to see what permissions can be assigned to custom project roles.
- List Project Roles
Tool to list all available project roles in Doppler. Use when you need to retrieve all roles for permission management or to see what roles are available.
- List Secret Names
Tool to retrieve the list of secret names from a specific Doppler config. Use when you need to list available secret names without their values.
- List Workplace Permissions
Tool to retrieve all available workplace permissions in Doppler. Use when you need to view the list of permissions that can be assigned to workplace roles.
- List Workplace Roles
Tool to list all workplace roles in your Doppler workspace. Use when you need to retrieve available workplace roles for user management or permission configuration.
- Update Doppler Secrets
Tool to update secrets in a Doppler config. Use when you need to create or update secret values in a specific project and config.
- Update Secret Note
Tool to update a note for a secret in Doppler. Use when you need to add or modify documentation for a specific secret. The note will be applied to the specified secret across all environments in the project.
Setup
Setup guide
- 11. Open your Switchy workspace and navigate to Integrations in the sidebar. 2. Search for Doppler and click Connect. 3. In a new tab, log into your Doppler dashboard and go to Access → Service Tokens. 4. Create a new service token with the scope you need: read-only if you only pull secrets, read-write if you also rotate or delete them. 5. Copy the token and paste it into the Switchy auth modal, then click Authorize. 6. Switchy confirms the connection by fetching your authenticated user info. 7. Open any Space and type '@Doppler download secrets from project X config Y' to test — if it returns key-value pairs, you're live. 8. To invoke other tools, @mention Doppler and describe the task in plain language; Switchy routes to the correct tool automatically.
What teammates see: by default, memories from Doppler are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.
Works well with
Top models
Compatibility data appears once enough Spaces have used this MCP together with a given model.
How Switchy teams use it
Starter prompts
Download Production Secrets
@Doppler download all secrets from the backend-api project, production config, in JSON format.Open in a Space →
Create Encrypted Share Link
@Doppler create an encrypted share link for the secret 'DB_PASSWORD=mySecurePass123' that expires in 24 hours.Open in a Space →
Audit Recent Config Changes
@Doppler retrieve the config log for the payments-service project, staging config, and show me the last 10 entries.Open in a Space →
Delete Deprecated Secret
@Doppler delete the secret named 'LEGACY_API_KEY' from the mobile-app project, development config.Open in a Space →
Verify Token Permissions
@Doppler get info about the authenticated user and show me the token's workplace and permissions.Open in a Space →
Example outputs
Illustrative - representative of the model's voice and quality, not literal recordings.
@doppler download all secrets from the staging config in our api-backend project as a JSON file
Retrieved 47 secrets from api-backend/staging. The download includes DATABASE_URL, STRIPE_API_KEY, JWT_SECRET, and 44 other environment variables formatted as JSON key-value pairs. This represents the current state of your staging environment configuration as of this moment.
This read operation requires a service token scoped to the specific project and config. The downloaded secrets are decrypted and returned in plain text, so handle the output carefully. Doppler doesn't version individual secret values in the response—you're seeing the latest committed state.
@doppler delete the DEPRECATED_LEGACY_API_KEY secret from our production config
Successfully deleted DEPRECATED_LEGACY_API_KEY from api-backend/production. This change is immediate and irreversible—any services still referencing this secret will fail authentication. The deletion has been logged in your config audit trail with timestamp and actor information.
Deletion is permanent and takes effect immediately across all services pulling from this config. Before running this, confirm no active deployments depend on the secret. The MCP requires write permissions on the target config. Consider using Doppler's built-in audit logs to review who created the secret and when it was last accessed.
@doppler review the last 10 config changes in our production environment and flag any that modified database credentials
Analyzed recent config logs for api-backend/production. Found 3 database-related changes in the last 10 entries: (1) DATABASE_URL updated 4 days ago by sarah@team, (2) DB_POOL_SIZE changed from 20 to 50 yesterday by deploy-bot, (3) READ_REPLICA_URL added 6 days ago by mike@team. The DATABASE_URL change happened outside normal deployment windows and may warrant review.
This synthesis combines the config log retrieval tool with AI reasoning to surface security-relevant patterns. The MCP returns raw log entries (actor, timestamp, secret name, action type)—the AI interprets which changes matter. Useful for post-incident audits, but remember Doppler logs the fact of a change, not the old/new secret values themselves.
Use-case deep-dives
When Doppler beats .env files for new-hire setup
A backend engineer joins your 8-person startup on Monday. By lunch, they need local credentials for Postgres, Stripe test keys, and AWS dev buckets. Without Doppler, someone emails a .env file or pastes secrets in Slack—both leak risks. With Doppler's MCP, your onboarding doc says 'run this CLI command' and the engineer pulls the dev config directly into their local environment. The Download Secrets tool fetches everything in one call; no manual copy-paste, no stale credentials. The trade-off: if your team is still figuring out which secrets belong in which environment, Doppler's project-config structure forces you to organize first. If you're past the 'secrets in Slack' phase and hiring regularly, this MCP turns a 20-minute risk into a 2-minute command.
Encrypted share links for one-time credential delivery
Your support engineer needs to send a customer a temporary API key for debugging—valid for 24 hours, then gone. Emailing it is a compliance red flag; Slack DMs live forever. Doppler's Create Encrypted Share Link tool generates a URL with end-to-end encryption and a TTL. The customer clicks once, copies the key, and the link expires. The secret never touches Doppler's servers in plain text, and your audit log shows who created the link and when it was accessed. The boundary: if you're sending more than 5-10 of these per week, you probably need a proper customer portal with scoped API tokens. But for occasional, high-trust handoffs—password resets, partner integrations, contractor access—this MCP gives you the security posture of a secret manager without building one.
Config logs for tracking who changed what after a breach
Your staging database got exposed in a public repo. You rotate every credential in the affected config, but now you need to prove to your security lead that nothing else was touched. Doppler's Get Config Log tool pulls a timestamped record of every secret change: who deleted the old Postgres password, who added the new one, and when the Stripe key was rotated as a precaution. You export the log, attach it to your incident report, and close the loop in 10 minutes. The limitation: if your team doesn't already use Doppler for secret management, this MCP won't help—there's no log to query. But if you're already storing secrets in Doppler and need to answer 'what changed during the incident window,' this tool is faster than grep-ing Slack or guessing from memory.
Frequently asked
What does the Doppler MCP do in Switchy?
It lets your AI agents read, write, and share secrets from your Doppler configs without leaving the chat. Agents can download environment variables, create encrypted share links, delete secrets, or audit config logs. You stay in Switchy; the MCP handles the Doppler API calls in the background.
Do I need a Doppler service token or personal API key?
You need a Doppler API key—either a personal token or a service token with read/write scopes for the projects you want agents to touch. Personal tokens inherit your user permissions; service tokens let you lock down access to specific configs. Paste the key into Switchy's connection flow and you're done.
Can the MCP update secrets or only read them?
It can do both. The MCP includes tools to delete secrets and create share links, so agents can modify your Doppler configs if your API key allows it. If you only want read access, use a service token scoped to read-only on the relevant projects.
Why use this instead of the Doppler CLI or dashboard?
The MCP is faster when you're already in a Switchy chat asking an agent to debug an environment or rotate a key. The agent pulls the secret, checks the log, and updates the config in one thread. The CLI is better for scripted deploys; the dashboard is better for bulk audits.
Who on the team should connect Doppler to Switchy?
Whoever owns the secrets the team needs agents to access. If you're sharing a workspace, create a Doppler service token scoped to the right projects and connect it once. Everyone in the workspace inherits that connection; individual API keys aren't required unless you want per-user audit trails.