How to organize secrets across multiple projects
The failure mode is always the same: twenty repositories, three copies of the same Stripe key, and nobody knows which one is current. Good organization is not aesthetics — it reduces wrong-key incidents and makes rotation possible.
1. Pick a primary dimension: product, not folder path
Humans think in products (“payments”, “auth service”), not ~/Projects/legacy/node-api-copy-2. Your vault and naming should mirror product boundaries.
PassStore maps this to workspaces — one per product or repo family. Download.
2. Naming convention (copy-paste standard)
Document in CONTRIBUTING.md:
<provider>_<purpose>_<environment>
Examples:
stripe_secret_key_dev
sendgrid_api_key_staging
openai_api_key_personal_sandbox
Avoid KEY1, TOKEN, SECRET — they guarantee confusion. More detail: organize API keys without slowing down.
3. Polyrepo layout
| Repo | Vault workspace | Groups inside |
|---|---|---|
| acme/web | acme-web | dev, staging |
| acme/api | acme-api | dev, staging |
| acme/mobile | acme-mobile | dev |
Shared vendor key used by two services? Pick one canonical entry in a workspace named acme-shared and reference it in README — do not duplicate under two names unless you must for access control.
4. Monorepo layout
Use per-app groups inside one workspace:
Workspace: acme-monorepo
Group: apps-web-dev
Group: apps-api-dev
Group: packages-ci
Pair with env file strategy from multiple .env files.
5. Duplication audit (quarterly, 15 minutes)
- List all API integrations from package.json, go.mod, Terraform, etc.
- For each vendor, confirm one canonical secret location.
- Delete abandoned keys in vendor dashboards.
See avoid duplicate env configuration.
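One way to automate the duplicate check in this audit together with the naming rule from section 2, as an added example rather than PassStore code: it fingerprints values from .env files so a duplicated secret can be reported without printing it. The environment list, the 16-character length threshold and the sample file contents are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Section 2 convention: <provider>_<purpose>_<environment>, matched case-insensitively.
# Assumption: this environment list; replace it with your own.
ENVIRONMENTS = ("dev", "staging", "prod", "personal_sandbox")
NAME_RE = re.compile(r"^[a-z0-9]+(?:_[a-z0-9]+)+_(?:%s)$" % "|".join(ENVIRONMENTS))
MIN_SECRET_LEN = 16  # assumption: shorter values are plain config (ports, flags)

# Constructed sample: locations follow the polyrepo table, values are fake.
SAMPLE = {
    "acme/web/.env": "stripe_secret_key_dev=FAKE-stripe-value-0001\nPORT=3000\n",
    "acme/api/.env": "# copied from web\nKEY1=FAKE-stripe-value-0001\n"
                     "sendgrid_api_key_staging=FAKE-sendgrid-value-0002\n",
    "acme/mobile/.env": "openai_api_key_personal_sandbox=FAKE-openai-value-0003\n",
}

def parse_env(text):
    """Yield (name, value) pairs from .env-style text; skip comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        yield name.strip(), value.strip().strip("'\"")

def audit(env_files):
    """Return ({fingerprint: [(location, name)]} for duplicated values, bad names)."""
    seen = defaultdict(set)
    bad_names = []
    for location, text in env_files.items():
        for name, value in parse_env(text):
            if len(value) < MIN_SECRET_LEN:
                continue
            # Fingerprint the value so the report never prints the secret.
            fp = hashlib.sha256(value.encode()).hexdigest()[:12]
            seen[fp].add((location, name))
            if not NAME_RE.match(name.lower()):
                bad_names.append((location, name))
    duplicates = {fp: sorted(v) for fp, v in seen.items() if len(v) > 1}
    return duplicates, sorted(bad_names)

if __name__ == "__main__":
    duplicates, bad_names = audit(SAMPLE)
    for fp, places in duplicates.items():
        print(f"value {fp} appears in {len(places)} places: {places}")
    for location, name in bad_names:
        print(f"{location}: '{name}' breaks <provider>_<purpose>_<environment>")
```

Each duplicate it reports is a candidate for consolidation into one canonical entry, after which the abandoned copies can be revoked in the vendor dashboard.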
6. Onboarding a new laptop
- Install vault app; restore from approved backup path (not email).
- Re-clone repos; never copy old ~/Projects blindly from unknown disks.
- Regenerate keys that cannot be verified clean.
7. Soft CTA
PassStore is built around workspaces for exactly this problem — developer secrets stay encrypted at rest on macOS (Security).