When we load secret keys from environmental variables we need an extra layer of protection to avoid leaks.
For this effect offers a Redacted service. We can define a redacted value using Config.redacted:
import { Config } from "effect";
const config = Config.redacted("SECRET_KEY");Redacted works similar to Config.string but prevents accidental accesses and prints of secret configurations.
When we extract Config.redacted we get a Redacted<string> instead of the usual string.
const program = Effect.gen(function*() {
/// 👇 Type is `Redacted<string>`
const secretKey = yield* Config.redacted("SECRET_KEY");
})This prevents assigning Redacted where a string is expected:
const doSomeDangerousStuff = (secret: string) => /// ...
const program = Effect.gen(function*() {
const secretKey = yield* Config.redacted("SECRET_KEY");
/// ⛔️ `Argument of type 'Redacted<string>' is not assignable to parameter of type 'string'`
doSomeDangerousStuff(secretKey);
})In these situations we are required to be explicit about our intention. We can extract the string inside Redacted by using Redacted.value:
const doSomeDangerousStuff = (secret: string) => 0;
const program = Effect.gen(function* () {
const secretKey = yield* Config.redacted("SECRET_KEY");
/// ✅ This works
doSomeDangerousStuff(Redacted.value(secretKey));
});
Redactedalso prevent issues with logging secret keys (Console.log(secretKey)).
Make sure to always use Config.redacted for sensitive configuration values.