Keeping secrets with Figaro

Jasper Curry
2 min read · Sep 15, 2016


You’re in the process of writing a new application and you push all your code up to git — great! One problem though: often we need to store sensitive information like API keys or login credentials, and we don’t want this to be visible to the world. There are many ways to keep these values out of public view, but if you intend to use Heroku with your app, there is one obvious solution — Figaro.

Figaro is a simple gem that lets you set environment variables to hold sensitive information. Using environment variables is the preferred approach because it keeps this information out of the app’s source code.

Using Figaro is as simple as requiring the Figaro gem in your Gemfile and running ‘bundle exec figaro install’. This creates a file called application.yml in the config folder and automatically adds it to your .gitignore file so it will not be accidentally uploaded to GitHub.

Then, when you need to reference this sensitive information, you can just call the respective environment variable, like so:

Note: environment variables store simple key/value pairs, so every value will be converted to a string.
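As an added example (not the post’s code and not Figaro’s own implementation), here is a minimal Ruby loader that mimics how an application.yml in Figaro’s layout is turned into environment variables: defaults at the top level, a section named after the environment overriding them, and every value cast to a string. The sample YAML, the loader, `missing_keys` and `application_yml_ignored?` are all constructed here; the rule that a value already set in the process environment wins over the file is an assumption of this example.

```ruby
require "yaml"

# Constructed sample application.yml: top-level keys apply everywhere, a key
# named after a Rails environment holds overrides for it. Placeholder values.
SAMPLE_APPLICATION_YML = <<~YAML
  SECRET_API_KEY: "dev-secret-placeholder"
  PUBLIC_KEY: "pk_dev_placeholder"
  MAX_RETRIES: 3
  production:
    SECRET_API_KEY: "prod-secret-placeholder"
YAML

# Hypothetical loader: merge the section for +env+ over the defaults and turn
# every value into a String, because ENV can only hold strings.
# Assumption: a key already present in the process environment is left alone,
# so a Heroku config var or shell export wins over application.yml.
def load_figaro_config(yaml_text, env:, existing_env: {})
  data = YAML.safe_load(yaml_text) || {}
  overrides = data[env].is_a?(Hash) ? data[env] : {}
  defaults = data.reject { |_key, value| value.is_a?(Hash) } # drop all env sections
  result = existing_env.dup
  defaults.merge(overrides).each do |key, value|
    next if result.key?(key)
    result[key] = value.to_s
  end
  result
end

# Fail fast at boot instead of discovering a missing secret on the first request.
def missing_keys(config, required)
  required.reject { |key| config.key?(key) && !config[key].empty? }
end

# Confirm the file Figaro creates is actually ignored by git; that is what keeps
# the secrets out of the repository in the first place.
def application_yml_ignored?(gitignore_text)
  patterns = %w[/config/application.yml config/application.yml application.yml]
  gitignore_text.lines.map(&:strip).any? { |line| patterns.include?(line) }
end

if __FILE__ == $PROGRAM_NAME
  config = load_figaro_config(SAMPLE_APPLICATION_YML, env: "production")
  puts config.inspect
  puts "missing: #{missing_keys(config, %w[SECRET_API_KEY DATABASE_URL]).inspect}"
end
```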

When it is time to deploy your app on Heroku, you have two options for setting your environment variables. The method Heroku provides is to set each one individually, like so:

heroku config:add SECRET_API_KEY=jHXKPPE0dUW84xJNYzn6CdWM2JfrCbPE
heroku config:add PUBLIC_KEY=pk_HHtUKJwlN7USCT6nE5jiXgoduiNl3

Alternatively, if you have used Figaro, you can run the following command to set all your environment variables at once.

figaro heroku:set -e production

Jasper Curry

Product at The New York Times. Previously at Noom, Policygenius, and NBC News.