Switchy
Sign up
developer-toolsapi_key

Doppler SecretOps

Doppler is a secrets management platform that helps teams securely manage and sync environment variables across projects and environments.

Verdict

Doppler SecretOps manages environment variables, API keys, and configuration secrets across your team's deployments. When you @mention it in a Space, your AI can read secrets from specific environments, rotate credentials, audit who changed what config, or roll back a bad deploy. Engineers use it to debug staging vs. production config drift without leaving chat. DevOps teams use it to clone configs for new feature branches or create environments on demand. You'll need a Doppler service token with read or read/write scope depending on whether you want the AI to fetch secrets only or also modify them.

Common use cases

  • Audit who rotated production API keys
  • Clone staging config to new feature branch
  • Compare secrets between dev and prod environments
  • Roll back config after bad deploy
  • Create new environment for QA testing

Integration

Vendor
Doppler SecretOps
Category
developer-tools
Auth
API_KEY
Tools
29
Composio slug
doppler_secretops

Tools

  • Activity Logs List

    Tool to list workplace activity logs. Use when you need to fetch recent activity logs.

  • Clone Config

    Tool to clone a branch config including all its secrets. Use after confirming the source config details.

  • Config Logs List

    Tool to list config change logs for a specific config. Use when you need the audit trail for a config after confirming its identity.

  • Config Logs Rollback

    Tool to rollback a config to a selected log version. Use when needing to undo a specific change by its log ID, after confirming project, config, and log ID.

  • Configs Delete
    destructive

    Tool to delete a config permanently. Use when you need to remove a config that is no longer needed.

  • Create Branch Config

    Tool to create a branch config. Use when you need to programmatically establish a new branch-based configuration for a specified project and environment. Use after selecting the target project and environment.

  • Create Environment

    Tool to create a new environment. Use when you need to programmatically create an environment for a specified project.

  • Create Project

    Tool to create a project. Use when you need to programmatically initialize a new Doppler project after authentication.

  • Environments Delete
    destructive

    Tool to delete an environment. Use when you need to remove an environment from a project after confirming it's no longer in use.

  • Get Config Details

    Tool to fetch a config's details. Use when you need metadata for a specific config after specifying the project and config names. Example: "Get details for config 'staging-config' in project 'proj-123'."

  • Get Environment Details

    Tool to retrieve an environment. Use when you need metadata for a specific environment after specifying the project and environment slug.

  • Get Project Member

    Tool to retrieve a project member by type and slug. Use after confirming project slug, member type, and slug.

  • Get Project Role

    Tool to retrieve a project role. Use when you need details of a specific project role after authenticating.

  • Integrations List

    Tool to list all external integrations. Use when you need to retrieve all configured external integrations after authentication.

  • Invites List

    Tool to list open workplace invites. Use when you need to retrieve all pending invitations for the current Doppler workplace after authenticating.

  • List Environments

    Tool to list environments in a Doppler project. Use when you need environment metadata for a specific project after providing the project slug.

  • List Projects

    Tool to list Doppler projects. Use when you need to retrieve all projects with optional pagination.

  • Lock Config

    Tool to lock a config. Use when you need to prevent a config from being renamed or deleted after confirming the project and config names. Example: "Lock config 'staging-config' in project 'proj-123' after finalizing environment setup."

  • Project Permissions List

    Tool to list project-level permissions. Use when you need to fetch all available permissions for projects after authentication.

  • Projects Delete
    destructive

    Tool to delete a project permanently. Use after confirming irreversible removal.

  • Remove Group Member
    destructive

    Tool to remove a member from a group. Use after confirming the group slug and member identifiers.

  • Remove Project Member
    destructive

    Tool to remove a member from a project. Use after confirming project slug, member type, and slug. Example: "Delete member 'jdoe' of type 'users' from project 'my-project-slug'."

  • Rename Environment

    Tool to rename an environment. Use when you need to update an environment's display name after confirming project and environment identifiers.

  • Retrieve Activity Log

    Tool to retrieve a single activity log entry by id. Use when you have a valid Activity Log id.

  • Retrieve Config Log Entry

    Tool to retrieve a specific config log entry. Use when needing details of a single config log; call after specifying project, config, and log identifiers.

  • Revoke Dynamic Secret Lease
    destructive

    Tool to revoke a dynamic secret lease. Use when you need to invalidate an active lease by its ID after confirming the config and dynamic secret identifiers.

  • Unlock Config

    Tool to unlock a config. Use when you need to allow renaming or deletion of a previously locked config. Example: "Unlock config 'staging-config' in project 'proj-123'."

  • Update Config

    Tool to modify an existing config. Use when you need to rename a config after confirming project and config names.

  • Update Secrets

    Tool to update secrets in a config. Use when you need to change secret values for deployments.

Setup

Setup guide

  1. 11. Log into your Doppler dashboard and navigate to the project you want Switchy to access. 2. Go to Access → Service Tokens and click Generate. 3. Choose the scope: select 'Read' if you only want the AI to fetch secrets and logs, or 'Read/Write' if you want it to create configs, rotate secrets, or roll back changes. 4. Copy the token and return to Switchy. 5. In your workspace settings, click Integrations → Add MCP → Doppler SecretOps. 6. Paste the service token and click Connect. 7. Open any Space and type '@Doppler list my projects' to confirm the connection works. 8. If the AI returns your project list, the integration is live and ready to use.

What teammates see: by default, memories from Doppler SecretOps are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.

Works well with

Top models

Compatibility data appears once enough Spaces have used this MCP together with a given model.

How Switchy teams use it

Not enough Spaces yet to publish anonymised usage stats (we require ≥ 50 Spaces per week).

Starter prompts

Audit Recent Changes

@Doppler show me the most recent activity logs across all projects. Focus on the last 20 entries and highlight any secret rotations or deletions.
Open in a Space →

Compare Environments

@Doppler compare the secrets in my 'staging' and 'production' environments for the main project. Show me any keys that exist in one but not the other.
Open in a Space →

Clone Config for Branch

@Doppler clone the 'development' config in my main project to a new branch called 'feature-auth-v2'. Include all existing secrets.
Open in a Space →

Roll Back Bad Deploy

@Doppler show me the config logs for 'production' in my main project. Then roll back to the version from two hours ago if it looks stable.
Open in a Space →

Create QA Environment

@Doppler create a new environment called 'qa-staging' in my main project. Use the same structure as the existing 'staging' environment.
Open in a Space →

Example outputs

Illustrative - representative of the model's voice and quality, not literal recordings.

Prompt

@Doppler list all activity logs from the last 7 days for our production workspace, focusing on secret updates and config changes

Output

Here's a summary of recent activity in your Doppler workspace over the past week: 15 secret updates were made across 3 projects (api-backend, web-frontend, worker-service). The most active config was production.api-backend with 8 changes. Notable events include: API_KEY rotation on Jan 15 by sarah@team.com, DATABASE_URL update on Jan 14 by deploy-bot, and a config rollback on Jan 13 by ops@team.com. All changes occurred within your production environment. This represents illustrative activity patterns; actual log entries will vary by your team's operations.

Notes

This example demonstrates the Activity Logs List tool's audit capabilities. Requires read access to workplace activity logs via your Doppler API key. Useful for security reviews and compliance tracking, but note that log retention and detail level depend on your Doppler plan tier.

Prompt

@Doppler create a new branch config called 'feature-oauth' cloned from our staging environment in the api-backend project, then update the OAUTH_CLIENT_ID secret

Output

I've created the branch config 'feature-oauth' in your api-backend project by cloning all secrets from the staging environment. The new config now contains 23 secrets matching staging's state as of this moment. I've also updated OAUTH_CLIENT_ID to the new value you specified. This branch config is now ready for your feature development work and won't affect staging or production environments. Remember to sync any future staging changes manually if needed. This illustrates the typical workflow; actual secret counts and names reflect your project structure.

Notes

This example chains two write operations: Clone Config followed by a secret update. Demonstrates Doppler's branch-based workflow for feature development. Requires write permissions on the target project. Be aware that cloning creates a point-in-time copy—subsequent changes to the source config won't auto-sync to your branch.

Prompt

@Doppler analyze our config change history for the production environment across all projects and identify which secrets have been rotated most frequently in the past 30 days

Output

Based on config logs across your production environment, here are the most frequently rotated secrets in the past month: DATABASE_PASSWORD (api-backend) was updated 6 times, suggesting active credential rotation. STRIPE_API_KEY (payment-service) changed 4 times, likely due to key cycling policies. JWT_SECRET (auth-service) was rotated 3 times. The api-backend project shows the highest change velocity with 18 total secret updates. This pattern suggests healthy security hygiene around database credentials. Consider documenting rotation triggers if not already tracked. This analysis represents typical patterns; your actual rotation frequency depends on your security policies.

Notes

This example showcases synthesis across multiple Config Logs List calls combined with AI reasoning to surface security patterns. Requires read access to config logs across projects. Particularly valuable for security audits and identifying secrets that may need automated rotation workflows. Log history depth varies by Doppler plan.

Use-case deep-dives

Incident rollback for staging secrets

When Doppler wins for fast secret rollback after a bad deploy

A 6-person eng team pushes a staging deploy at 3pm that breaks auth because someone fat-fingered an API key rotation. With Doppler's Config Logs Rollback tool, the on-call dev can revert the staging config to the 2:45pm snapshot in under 30 seconds—no Slack thread hunting, no manual re-paste from 1Password. The Activity Logs List tool shows exactly who changed what, so the postmortem writes itself. This MCP is overkill if your team rotates secrets once a quarter and never has staging incidents. It's the right call if you ship multiple times a day and need audit trails that don't live in someone's terminal history. If your secret changes happen in production more than twice a week, Doppler's rollback tooling pays for itself in the first save.

Customer onboarding environment spin-up

When this MCP scales self-service customer environments

A 12-person B2B SaaS team onboards enterprise customers who each need isolated staging environments with unique API keys, database credentials, and third-party tokens. The Create Environment and Create Branch Config tools let a solutions engineer script the entire setup—new Doppler environment, branch config cloned from a template, secrets injected from the customer's vault—without touching the main codebase or waiting on DevOps. The Clone Config tool copies the baseline secrets; the team customizes the 8-12 customer-specific values in under 5 minutes. This breaks down if you onboard fewer than 3 customers a month or if your secrets are simple enough for a .env file. It's the right move if you're spinning up 10+ isolated environments a quarter and secret drift is causing support tickets.

Compliance audit trail for fintech

When Doppler's audit logs satisfy SOC 2 secret access reviews

A 9-person fintech startup preparing for SOC 2 Type II needs to prove who accessed production secrets and when. Doppler's Config Logs List and Activity Logs List tools generate the timestamped audit trail auditors expect—every secret read, every rotation, every config change—without custom logging infrastructure. The compliance lead exports 90 days of logs in 2 minutes; the auditor sees exactly which engineer accessed the Stripe key on July 14th. This MCP is unnecessary if you're pre-revenue or your secrets live in a single .env file with no compliance requirements. It's the right call if you're pursuing SOC 2, ISO 27001, or handling PII at scale and need defensible access logs that don't require a dedicated security engineer to maintain.

Frequently asked

What does the Doppler MCP do in Switchy?

It connects your team's Doppler workspace so AI agents can read secrets, create environments, clone configs, and audit activity logs without leaving the chat. You can ask questions like 'what's in our staging config' or 'roll back production to yesterday's version' and the agent executes the Doppler API calls directly. It doesn't store secrets — it fetches them on demand when the agent needs them.

Do I need admin access to connect Doppler?

You need a Doppler service token with read and write permissions for the projects you want the agent to touch. Doppler uses API key auth, not OAuth, so you generate the token in your Doppler dashboard under Access > Service Tokens. Scope it to specific projects if you don't want the agent modifying everything. The token goes into Switchy's credential vault and never leaves your workspace.

Can the Doppler MCP rotate secrets automatically?

No. It can read, update, and delete secrets in configs, but it won't auto-rotate them on a schedule or trigger rotation in third-party services. If you need rotation, you still use Doppler's native integrations or write a separate script. The MCP is for ad-hoc agent tasks — 'update this API key', 'clone staging to a new branch' — not for background automation.

How is this different from just using the Doppler CLI?

The CLI requires you to remember commands and pipe output into other tools. The MCP lets you ask in plain English — 'show me the last five changes to prod config' — and the agent parses the response, summarises it, or chains it into another action. You're trading terminal fluency for conversational speed. If your team already has CLI muscle memory, you might not need this.

Who on the team should connect the Doppler integration?

Whoever owns your Doppler service tokens — usually a DevOps lead or platform engineer. They generate the scoped token and paste it into Switchy. After that, anyone in the workspace can invoke Doppler tools through the agent, but the underlying permissions are still governed by what that token can access. One token per workspace is typical unless you need separate scopes for different teams.

Data last verified 607 hours ago.Sources aggregated hourly to weekly. See docs/architecture/model-directory.md.