Secure Secrets Management for Meteor Apps
Keep credentials out of Git and deploy safely using secrets managers and automation.
Committing a settings.json file with real credentials is one of the most common Meteor security mistakes. If your repository ever goes public, gets forked, or your image ends up in a public registry, those credentials are exposed permanently. Git history never forgets.
The Essential Setup
Two things to do right now if you haven't already.
Update Your .gitignore
Add these entries so secrets files never get committed accidentally:
settings.json
settings-*.json
.settings-*.json
env/Commit a Settings Template
Keep a settings.example.json in your repository as documentation. This is safe to commit because it contains no real values. It shows your team exactly what configuration they need.
{
"galaxy.meteor.com": {
"env": {
"MONGO_URL": "YOUR_MONGO_URL",
"MAIL_URL": "YOUR_MAIL_URL"
}
},
"private": {
"stripeKey": "YOUR_STRIPE_KEY"
},
"public": {
"appName": "My App"
}
}Already Committed Secrets?
Removing them from current files isn't enough. They're still in your Git history. Use BFG Repo-Cleaner to scrub them. Test on a clone first since BFG rewrites history and anyone with a local copy will need to re-clone. After cleanup, rotate every credential that was ever committed. Assume they've been exposed.
Using a Secrets Manager
A secrets manager stores credentials securely and injects them at deploy time. No secrets in code. No secrets in Git.
Popular options:
- Infisical: Open source with a generous free tier
- Doppler: Universal secrets platform with team features
- HashiCorp Vault: Enterprise-grade
- AWS Secrets Manager: Native AWS integration
The pattern is the same regardless of which you choose: store your settings.json content as a secret (for example, a variable named SETTINGS_JSON), fetch it at deploy time, write it to a temp file, deploy, then delete the temp file.
Deploy Script
Here's a minimal deploy script using Infisical. The same pattern works with any secrets manager.
#!/bin/bash
set -e
APP_NAME="my-app"
ENVIRONMENT="prod"
TEMP_SETTINGS=".settings-deploy-$$.json"
infisical secrets get SETTINGS_JSON --env=$ENVIRONMENT --plain > $TEMP_SETTINGS
meteor deploy $APP_NAME --settings $TEMP_SETTINGS
rm -f $TEMP_SETTINGSMake it executable with chmod +x deploy.sh, then run ./deploy.sh. The temp file is cleaned up automatically even if deployment fails.
For multiple environments, pass different values:
ENVIRONMENT=staging APP_NAME=staging.myapp.com ./deploy.sh
ENVIRONMENT=prod APP_NAME=myapp.com ./deploy.shCI/CD Automation
For automated deployments from GitHub Actions, store your secrets manager credentials and your METEOR_TOKEN (from ~/.meteor/meteor_token.json) as GitHub Actions secrets. Then fetch your SETTINGS_JSON from the secrets manager during the workflow, write it to disk, deploy, and clean up.
See the Infisical GitHub Actions docs for a complete example using Machine Identity authentication.

