Most failed migrations are not caused by broken data. They are caused by a missing secret. This guide covers how to prepare secrets and environment variables so the destination deploys cleanly the first time.
Why secrets break migrations
Secrets live in many places: platform env config, per-function secrets, CI/CD variables, and infrastructure providers. They rarely have an inventory, and they are the one class of value that cannot be recovered from a backup.
Common secret types
API keys
Third-party SaaS keys — email, analytics, error reporting, feature flags.
Database URLs
Connection strings for primary databases, read replicas, and warehouses.
Supabase keys
Publishable, anon, and service role keys — each with different scopes.
OAuth credentials
Client IDs, client secrets, and redirect URIs for every provider.
Webhook secrets
Signing secrets for verifying incoming webhooks from third parties.
Payment provider keys
Stripe, Paddle, or other providers — usually with separate test and live keys.
Storage keys
Access keys for object storage and CDN edge configuration.
Source versus destination environment variables
Walk both sides column by column. Every value on the source needs an equivalent on the destination — or a documented reason it is being retired. Missing rows are the ones that cause outages.
Secrets checklist before migration
- Complete inventory of every secret, grouped by system.
- Owner assigned for each secret.
- Rotation plan for anything that will be re-issued during cutover.
- Test values available for smoke tests on the destination.
Security considerations
- Never commit secrets to the repository, even temporarily.
- Rotate any secret that touched a shared channel during migration.
- Restrict service role keys to the specific systems that need them.
- Audit who accessed the secret store during the migration window.
How Miglify helps create a secrets checklist
Miglify surfaces every environment variable and per-function secret the source project uses, compares it with the destination, and produces a checklist so teams know exactly what to set before traffic switches over.
Final thoughts
Treat secrets as their own migration surface. Inventory, transfer, test, rotate. The migrations that ship without an incident are the ones where secrets were planned as carefully as data.
Miglify keeps every step observable — analyze source, validate destination, and prepare rollback-aware runs before you cut over.
