diff --git a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/CreateTargetVariableDialog.tsx b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/CreateTargetVariableDialog.tsx
new file mode 100644
index 000000000..9ceb145d5
--- /dev/null
+++ b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/CreateTargetVariableDialog.tsx
@@ -0,0 +1,221 @@
+import React, { useState } from "react";
+import { z } from "zod";
+
+import { Button } from "@ctrlplane/ui/button";
+import { Checkbox } from "@ctrlplane/ui/checkbox";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTrigger,
+} from "@ctrlplane/ui/dialog";
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+  useForm,
+} from "@ctrlplane/ui/form";
+import { Input } from "@ctrlplane/ui/input";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@ctrlplane/ui/select";
+
+import { api } from "~/trpc/react";
+
+type CreateTargetVariableDialogProps = {
+  targetId: string;
+  existingKeys: string[];
+  children: React.ReactNode;
+};
+
+export const CreateTargetVariableDialog: React.FC<
+  CreateTargetVariableDialogProps
+> = ({ targetId, existingKeys, children }) => {
+  const [open, setOpen] = useState(false);
+  const createTargetVariable = api.target.variable.create.useMutation();
+  const schema = z.object({
+    key: z
+      .string()
+      .refine((k) => k.length > 0, { message: "Key is required" })
+      .refine((k) => !existingKeys.includes(k), {
+        message: "Variable key must be unique",
+      }),
+    type: z.enum(["string", "number", "boolean"]),
+    value: z
+      .union([z.string(), z.number(), z.boolean()])
+      .refine((v) => (typeof v === "string" ? v.length > 0 : true), {
+        message: "Value is required",
+      }),
+    sensitive: z.boolean().default(false),
+  });
+  const form = useForm({
+    schema,
+    defaultValues: { key: "", value: "", type: "string" },
+  });
+  const { sensitive, type } = form.watch();
+
+  const utils = api.useUtils();
+  const onSubmit = form.handleSubmit((data) =>
+    createTargetVariable
+      .mutateAsync({ targetId, ...data })
+      .then(() => utils.target.byId.invalidate(targetId))
+      .then(() => form.reset())
+      .then(() => setOpen(false)),
+  );
+
+  return (
+    <Dialog open={open} onOpenChange={setOpen}>
+      <DialogTrigger asChild>{children}</DialogTrigger>
+      <DialogContent>
+        <DialogHeader>Create Target Variable</DialogHeader>
+        <Form {...form}>
+          <form onSubmit={onSubmit} className="space-y-4">
+            <FormField
+              control={form.control}
+              name="key"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Key</FormLabel>
+                  <FormControl>
+                    <Input {...field} />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+            <FormField
+              control={form.control}
+              name="type"
+              render={({ field: { value, onChange } }) => {
+                const onTypeChange = (type: string) => {
+                  if (type === "string") form.setValue("value", "");
+                  if (type === "number") form.setValue("value", 0);
+                  if (type === "boolean") form.setValue("value", false);
+                  if (type !== "string") form.setValue("sensitive", false);
+                  onChange(type);
+                };
+
+                return (
+                  <FormItem>
+                    <FormLabel>Type</FormLabel>
+                    <FormControl>
+                      <Select value={value} onValueChange={onTypeChange}>
+                        <SelectTrigger>
+                          <SelectValue placeholder="Variable type..." />
+                        </SelectTrigger>
+                        <SelectContent>
+                          <SelectItem value="string">String</SelectItem>
+                          <SelectItem value="number">Number</SelectItem>
+                          <SelectItem value="boolean">Boolean</SelectItem>
+                        </SelectContent>
+                      </Select>
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                );
+              }}
+            />
+
+            {type === "string" && (
+              <FormField
+                control={form.control}
+                name="value"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormLabel>Value</FormLabel>
+                    <FormControl>
+                      <Input
+                        value={value as string}
+                        onChange={onChange}
+                        type={sensitive ? "password" : "text"}
+                      />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+            )}
+
+            {type === "number" && (
+              <FormField
+                control={form.control}
+                name="value"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormLabel>Value</FormLabel>
+                    <FormControl>
+                      <Input
+                        value={value as number}
+                        onChange={onChange}
+                        type="number"
+                      />
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
+            )}
+
+            {type === "boolean" && (
+              <FormField
+                control={form.control}
+                name="value"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormLabel>Value</FormLabel>
+                    <FormControl>
+                      <Select
+                        value={value ? "true" : "false"}
+                        onValueChange={(v) => onChange(v === "true")}
+                      >
+                        <SelectTrigger>
+                          <SelectValue placeholder="Value..." />
+                        </SelectTrigger>
+                        <SelectContent>
+                          <SelectItem value="true">True</SelectItem>
+                          <SelectItem value="false">False</SelectItem>
+                        </SelectContent>
+                      </Select>
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
+            )}
+
+            {type === "string" && (
+              <FormField
+                control={form.control}
+                name="sensitive"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormControl>
+                      <div className="flex items-center gap-2">
+                        <Checkbox checked={value} onCheckedChange={onChange} />
+                        <label htmlFor="sensitive" className="text-sm">
+                          Sensitive
+                        </label>
+                      </div>
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
+            )}
+
+            <DialogFooter>
+              <Button type="submit" disabled={createTargetVariable.isPending}>
+                Create
+              </Button>
+            </DialogFooter>
+          </form>
+        </Form>
+      </DialogContent>
+    </Dialog>
+  );
+};
diff --git a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/DeleteTargetVariableDialog.tsx b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/DeleteTargetVariableDialog.tsx
new file mode 100644
index 000000000..0f5b23a2a
--- /dev/null
+++ b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/DeleteTargetVariableDialog.tsx
@@ -0,0 +1,67 @@
+import React, { useState } from "react";
+
+import {
+  AlertDialog,
+  AlertDialogAction,
+  AlertDialogCancel,
+  AlertDialogContent,
+  AlertDialogDescription,
+  AlertDialogFooter,
+  AlertDialogHeader,
+  AlertDialogTrigger,
+} from "@ctrlplane/ui/alert-dialog";
+import { buttonVariants } from "@ctrlplane/ui/button";
+
+import { api } from "~/trpc/react";
+
+type DeleteTargetVariableDialogProps = {
+  variableId: string;
+  targetId: string;
+  onClose: () => void;
+  children: React.ReactNode;
+};
+
+export const DeleteTargetVariableDialog: React.FC<
+  DeleteTargetVariableDialogProps
+> = ({ variableId, targetId, onClose, children }) => {
+  const [open, setOpen] = useState(false);
+  const deleteTargetVariable = api.target.variable.delete.useMutation();
+  const utils = api.useUtils();
+
+  const onDelete = () =>
+    deleteTargetVariable
+      .mutateAsync(variableId)
+      .then(() => utils.target.byId.invalidate(targetId))
+      .then(() => setOpen(false));
+
+  return (
+    <AlertDialog
+      open={open}
+      onOpenChange={(o) => {
+        setOpen(o);
+        if (!o) onClose();
+      }}
+    >
+      <AlertDialogTrigger asChild>{children}</AlertDialogTrigger>
+      <AlertDialogContent>
+        <AlertDialogHeader>Are you sure?</AlertDialogHeader>
+        <AlertDialogDescription>
+          Deleting a target variable can change what values are passed to
+          pipelines running for this target.
+        </AlertDialogDescription>
+
+        <AlertDialogFooter>
+          <AlertDialogCancel>Cancel</AlertDialogCancel>
+          <div className="flex-grow" />
+          <AlertDialogAction
+            className={buttonVariants({ variant: "destructive" })}
+            onClick={onDelete}
+            disabled={deleteTargetVariable.isPending}
+          >
+            Delete
+          </AlertDialogAction>
+        </AlertDialogFooter>
+      </AlertDialogContent>
+    </AlertDialog>
+  );
+};
diff --git a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/EditTargetVariableDialog.tsx b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/EditTargetVariableDialog.tsx
new file mode 100644
index 000000000..76602fbc8
--- /dev/null
+++ b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/EditTargetVariableDialog.tsx
@@ -0,0 +1,243 @@
+import type * as SCHEMA from "@ctrlplane/db/schema";
+import React, { useState } from "react";
+import { z } from "zod";
+
+import { Button } from "@ctrlplane/ui/button";
+import { Checkbox } from "@ctrlplane/ui/checkbox";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTrigger,
+} from "@ctrlplane/ui/dialog";
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+  useForm,
+} from "@ctrlplane/ui/form";
+import { Input } from "@ctrlplane/ui/input";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "@ctrlplane/ui/select";
+
+import { api } from "~/trpc/react";
+
+type EditTargetVariableDialogProps = {
+  targetVariable: SCHEMA.TargetVariable;
+  existingKeys: string[];
+  children: React.ReactNode;
+  onClose: () => void;
+};
+
+export const EditTargetVariableDialog: React.FC<
+  EditTargetVariableDialogProps
+> = ({ targetVariable, existingKeys, children, onClose }) => {
+  const [open, setOpen] = useState(false);
+  const updateTargetVariable = api.target.variable.update.useMutation();
+  const utils = api.useUtils();
+  const keysWithoutCurrent = existingKeys.filter(
+    (k) => k !== targetVariable.key,
+  );
+  const schema = z.object({
+    key: z
+      .string()
+      .refine((k) => k.length > 0, { message: "Key is required" })
+      .refine((k) => !keysWithoutCurrent.includes(k), {
+        message: "Variable key must be unique",
+      }),
+    type: z.enum(["string", "number", "boolean"]),
+    value: z
+      .union([z.string(), z.number(), z.boolean()])
+      .refine((v) => (typeof v === "string" ? v.length > 0 : true), {
+        message: "Value is required",
+      }),
+    sensitive: z.boolean(),
+  });
+  const defaultValues = {
+    key: targetVariable.key,
+    type: typeof targetVariable.value,
+    value: targetVariable.value,
+    sensitive: targetVariable.sensitive,
+  };
+  const form = useForm({ schema, defaultValues });
+
+  const onSubmit = form.handleSubmit((data) =>
+    updateTargetVariable
+      .mutateAsync({ id: targetVariable.id, data })
+      .then(() => form.reset(data))
+      .then(() => utils.target.byId.invalidate(targetVariable.targetId))
+      .then(() => setOpen(false)),
+  );
+
+  const { sensitive, type } = form.watch();
+
+  return (
+    <Dialog
+      open={open}
+      onOpenChange={(o) => {
+        setOpen(o);
+        if (!o) onClose();
+      }}
+    >
+      <DialogTrigger asChild>{children}</DialogTrigger>
+      <DialogContent>
+        <DialogHeader>Edit Target Variable</DialogHeader>
+        <Form {...form}>
+          <form onSubmit={onSubmit} className="space-y-4">
+            <FormField
+              control={form.control}
+              name="key"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Key</FormLabel>
+                  <FormControl>
+                    <Input {...field} />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+            <FormField
+              control={form.control}
+              name="type"
+              render={({ field: { value, onChange } }) => {
+                const onTypeChange = (type: string) => {
+                  if (type === "string") form.setValue("value", "");
+                  if (type === "number") form.setValue("value", 0);
+                  if (type === "boolean") form.setValue("value", false);
+                  if (type !== "string") form.setValue("sensitive", false);
+                  onChange(type);
+                };
+
+                return (
+                  <FormItem>
+                    <FormLabel>Type</FormLabel>
+                    <FormControl>
+                      <Select value={value} onValueChange={onTypeChange}>
+                        <SelectTrigger>
+                          <SelectValue placeholder="Variable type..." />
+                        </SelectTrigger>
+                        <SelectContent>
+                          <SelectItem value="string">String</SelectItem>
+                          <SelectItem value="number">Number</SelectItem>
+                          <SelectItem value="boolean">Boolean</SelectItem>
+                        </SelectContent>
+                      </Select>
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                );
+              }}
+            />
+
+            {type === "string" && (
+              <FormField
+                control={form.control}
+                name="value"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormLabel>Value</FormLabel>
+                    <FormControl>
+                      <Input
+                        value={value as string}
+                        onChange={onChange}
+                        type={sensitive ? "password" : "text"}
+                      />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+            )}
+
+            {type === "number" && (
+              <FormField
+                control={form.control}
+                name="value"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormLabel>Value</FormLabel>
+                    <FormControl>
+                      <Input
+                        value={value as number}
+                        onChange={onChange}
+                        type="number"
+                      />
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
+            )}
+
+            {type === "boolean" && (
+              <FormField
+                control={form.control}
+                name="value"
+                render={({ field: { value, onChange } }) => (
+                  <FormItem>
+                    <FormLabel>Value</FormLabel>
+                    <FormControl>
+                      <Select
+                        value={value ? "true" : "false"}
+                        onValueChange={(v) => onChange(v === "true")}
+                      >
+                        <SelectTrigger>
+                          <SelectValue placeholder="Value..." />
+                        </SelectTrigger>
+                        <SelectContent>
+                          <SelectItem value="true">True</SelectItem>
+                          <SelectItem value="false">False</SelectItem>
+                        </SelectContent>
+                      </Select>
+                    </FormControl>
+                  </FormItem>
+                )}
+              />
+            )}
+
+            <FormField
+              control={form.control}
+              name="sensitive"
+              render={({ field: { value, onChange } }) => {
+                const onSensitiveChange = (checked: boolean) => {
+                  if (!checked) form.setValue("value", "");
+                  onChange(checked);
+                };
+                return (
+                  <FormItem>
+                    <FormControl>
+                      <div className="flex items-center gap-2">
+                        <Checkbox
+                          checked={value}
+                          onCheckedChange={onSensitiveChange}
+                        />
+                        <label htmlFor="sensitive" className="text-sm">
+                          Sensitive
+                        </label>
+                      </div>
+                    </FormControl>
+                  </FormItem>
+                );
+              }}
+            />
+
+            <DialogFooter>
+              <Button type="submit" disabled={updateTargetVariable.isPending}>
+                Update
+              </Button>
+            </DialogFooter>
+          </form>
+        </Form>
+      </DialogContent>
+    </Dialog>
+  );
+};
diff --git a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetDrawer.tsx b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetDrawer.tsx
index 81ab4dcf0..8b1927780 100644
--- a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetDrawer.tsx
+++ b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetDrawer.tsx
@@ -191,7 +191,10 @@ export const TargetDrawer: React.FC = () => {
               )}
               {activeTab === "jobs" && <JobsContent targetId={target.id} />}
               {activeTab === "variables" && (
-                <VariableContent targetId={target.id} />
+                <VariableContent
+                  targetId={target.id}
+                  targetVariables={target.variables}
+                />
               )}
             </div>
           </div>
diff --git a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetVariableDropdown.tsx b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetVariableDropdown.tsx
new file mode 100644
index 000000000..0dc80ced6
--- /dev/null
+++ b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/TargetVariableDropdown.tsx
@@ -0,0 +1,61 @@
+import type * as SCHEMA from "@ctrlplane/db/schema";
+import React, { useState } from "react";
+import { IconPencil, IconTrash } from "@tabler/icons-react";
+
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+} from "@ctrlplane/ui/dropdown-menu";
+
+import { DeleteTargetVariableDialog } from "./DeleteTargetVariableDialog";
+import { EditTargetVariableDialog } from "./EditTargetVariableDialog";
+
+type TargetVariableDropdownProps = {
+  targetVariable: SCHEMA.TargetVariable;
+  existingKeys: string[];
+  children: React.ReactNode;
+};
+
+export const TargetVariableDropdown: React.FC<TargetVariableDropdownProps> = ({
+  targetVariable,
+  existingKeys,
+  children,
+}) => {
+  const [open, setOpen] = useState(false);
+
+  return (
+    <DropdownMenu open={open} onOpenChange={setOpen}>
+      <DropdownMenuTrigger asChild>{children}</DropdownMenuTrigger>
+      <DropdownMenuContent align="end">
+        <EditTargetVariableDialog
+          targetVariable={targetVariable}
+          existingKeys={existingKeys}
+          onClose={() => setOpen(false)}
+        >
+          <DropdownMenuItem
+            className="flex cursor-pointer items-center gap-2"
+            onSelect={(e) => e.preventDefault()}
+          >
+            <IconPencil className="h-4 w-4" />
+            Edit
+          </DropdownMenuItem>
+        </EditTargetVariableDialog>
+        <DeleteTargetVariableDialog
+          variableId={targetVariable.id}
+          targetId={targetVariable.targetId}
+          onClose={() => setOpen(false)}
+        >
+          <DropdownMenuItem
+            className="flex cursor-pointer items-center gap-2"
+            onSelect={(e) => e.preventDefault()}
+          >
+            <IconTrash className="h-4 w-4 text-red-500" />
+            Delete
+          </DropdownMenuItem>
+        </DeleteTargetVariableDialog>
+      </DropdownMenuContent>
+    </DropdownMenu>
+  );
+};
diff --git a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/VariablesContent.tsx b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/VariablesContent.tsx
index 0a645ed15..d8f874f8d 100644
--- a/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/VariablesContent.tsx
+++ b/apps/webservice/src/app/[workspaceSlug]/_components/target-drawer/VariablesContent.tsx
@@ -1,5 +1,10 @@
 "use client";
 
+import type * as SCHEMA from "@ctrlplane/db/schema";
+import React from "react";
+import { IconDots, IconLock, IconPlus } from "@tabler/icons-react";
+
+import { Button } from "@ctrlplane/ui/button";
 import {
   Table,
   TableBody,
@@ -10,60 +15,143 @@ import {
 } from "@ctrlplane/ui/table";
 
 import { api } from "~/trpc/react";
+import { CreateTargetVariableDialog } from "./CreateTargetVariableDialog";
+import { TargetVariableDropdown } from "./TargetVariableDropdown";
+
+const TargetVariableSection: React.FC<{
+  targetId: string;
+  targetVariables: SCHEMA.TargetVariable[];
+}> = ({ targetId, targetVariables }) => (
+  <div className="space-y-6 py-1">
+    <div className="flex items-center gap-2 text-lg font-semibold">
+      Target Variables
+      <CreateTargetVariableDialog
+        targetId={targetId}
+        existingKeys={targetVariables.map((v) => v.key)}
+      >
+        <Button variant="outline" size="icon" className="h-8 w-8">
+          <IconPlus className="h-4 w-4" />
+        </Button>
+      </CreateTargetVariableDialog>
+    </div>
+    <Table className="w-full">
+      <TableHeader className="text-left">
+        <TableRow className="text-sm">
+          <TableHead>Key</TableHead>
+          <TableHead>Value</TableHead>
+          <TableHead />
+        </TableRow>
+      </TableHeader>
+      <TableBody>
+        {targetVariables.map((v) => (
+          <TableRow key={v.key}>
+            <TableCell className="flex items-center gap-2">
+              <span>{v.key}</span>
+              {v.sensitive && (
+                <IconLock className="h-4 w-4 text-muted-foreground" />
+              )}
+            </TableCell>
+            <TableCell>{v.sensitive ? "*****" : String(v.value)}</TableCell>
+            <TableCell>
+              <div className="flex justify-end">
+                <TargetVariableDropdown
+                  targetVariable={v}
+                  existingKeys={targetVariables.map((v) => v.key)}
+                >
+                  <Button variant="ghost" size="icon" className="h-6 w-6">
+                    <IconDots className="h-4 w-4" />
+                  </Button>
+                </TargetVariableDropdown>
+              </div>
+            </TableCell>
+          </TableRow>
+        ))}
+      </TableBody>
+    </Table>
+  </div>
+);
 
 const VariableRow: React.FC<{
   varKey: string;
   description: string;
   value?: string | null;
-}> = ({ varKey, description, value }) => (
+  isTargetVar: boolean;
+  sensitive: boolean;
+}> = ({ varKey, description, value, isTargetVar, sensitive }) => (
   <TableRow>
-    <TableCell className="w-[500px] p-3">
+    <TableCell>
       <div className="flex items-center gap-2">
-        <div>{varKey}</div>
+        <span>{varKey} </span>
+        {sensitive && <IconLock className="h-4 w-4 text-muted-foreground" />}
       </div>
       <div className="text-sm text-muted-foreground">{description}</div>
     </TableCell>
-    <TableCell className="p-3">
-      {value ?? <div className="italic text-neutral-500">NULL</div>}
+    <TableCell className="flex items-center gap-2">
+      {sensitive && <div className="text-muted-foreground">*****</div>}
+      {!sensitive &&
+        (value ?? <div className="italic text-neutral-500">NULL</div>)}
+      {isTargetVar && (
+        <div className="text-xs text-muted-foreground">(target)</div>
+      )}
+      {!isTargetVar && (
+        <div className="text-xs text-muted-foreground">(deployment)</div>
+      )}
     </TableCell>
   </TableRow>
 );
 
-export const VariableContent: React.FC<{ targetId: string }> = ({
-  targetId,
-}) => {
+export const VariableContent: React.FC<{
+  targetId: string;
+  targetVariables: SCHEMA.TargetVariable[];
+}> = ({ targetId, targetVariables }) => {
   const deployments = api.deployment.byTargetId.useQuery(targetId);
   const variables = api.deployment.variable.byTargetId.useQuery(targetId);
   return (
-    <div>
-      {deployments.data?.map((deployment) => {
-        return (
-          <div key={deployment.id} className="space-y-6 border-b p-24">
-            <div className="text-lg font-semibold">{deployment.name}</div>
-
-            <Table className="w-full">
-              <TableHeader className="text-left">
-                <TableRow className="text-sm">
-                  <TableHead className="p-3">Keys</TableHead>
-                  <TableHead className="p-3">Value</TableHead>
-                </TableRow>
-              </TableHeader>
-              <TableBody>
-                {variables.data
-                  ?.filter((v) => v.deploymentId === deployment.id)
-                  .map((v) => (
-                    <VariableRow
-                      key={v.id}
-                      varKey={v.key}
-                      value={v.value.value}
-                      description={v.description}
-                    />
-                  ))}
-              </TableBody>
-            </Table>
-          </div>
-        );
-      })}
+    <div className="space-y-8 overflow-y-auto">
+      <TargetVariableSection
+        targetId={targetId}
+        targetVariables={targetVariables}
+      />
+      <div className="text-lg font-semibold">Deployment Variables</div>
+      {deployments.data
+        ?.filter((d) => {
+          const vars = variables.data?.filter((v) => v.deploymentId === d.id);
+          return vars != null && vars.length > 0;
+        })
+        .map((deployment) => {
+          return (
+            <div key={deployment.id} className="space-y-2 border-b">
+              <div className="font-semibold">{deployment.name}</div>
+              <Table className="w-full table-fixed">
+                <TableHeader className="text-left">
+                  <TableRow className="text-sm">
+                    <TableHead className="p-3">Keys</TableHead>
+                    <TableHead className="p-3">Value</TableHead>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  {variables.data
+                    ?.filter((v) => v.deploymentId === deployment.id)
+                    .map((v) => {
+                      const targetVar = targetVariables.find(
+                        (tv) => tv.key === v.key,
+                      );
+                      return (
+                        <VariableRow
+                          key={v.id}
+                          varKey={v.key}
+                          value={targetVar?.value ?? v.value.value}
+                          description={v.description}
+                          isTargetVar={targetVar != null}
+                          sensitive={targetVar?.sensitive ?? false}
+                        />
+                      );
+                    })}
+                </TableBody>
+              </Table>
+            </div>
+          );
+        })}
     </div>
   );
 };
diff --git a/packages/api/package.json b/packages/api/package.json
index c0dd467de..691eef381 100644
--- a/packages/api/package.json
+++ b/packages/api/package.json
@@ -23,6 +23,7 @@
     "@ctrlplane/db": "workspace:*",
     "@ctrlplane/job-dispatch": "workspace:*",
     "@ctrlplane/logger": "workspace:*",
+    "@ctrlplane/secrets": "workspace:*",
     "@ctrlplane/validators": "workspace:*",
     "@octokit/auth-app": "^7.1.0",
     "@octokit/rest": "catalog:",
diff --git a/packages/api/src/router/target.ts b/packages/api/src/router/target.ts
index 3911c1adf..d670a487c 100644
--- a/packages/api/src/router/target.ts
+++ b/packages/api/src/router/target.ts
@@ -15,6 +15,7 @@ import {
   takeFirstOrNull,
 } from "@ctrlplane/db";
 import * as schema from "@ctrlplane/db/schema";
+import { variablesAES256 } from "@ctrlplane/secrets";
 import { Permission } from "@ctrlplane/validators/auth";
 import { targetCondition } from "@ctrlplane/validators/targets";
 
@@ -184,6 +185,79 @@ const targetViews = createTRPCRouter({
     }),
 });
 
+const targetVariables = createTRPCRouter({
+  create: protectedProcedure
+    .input(schema.createTargetVariable)
+    .meta({
+      authorizationCheck: ({ canUser, input }) =>
+        canUser
+          .perform(Permission.TargetUpdate)
+          .on({ type: "target", id: input.targetId }),
+    })
+    .mutation(async ({ ctx, input }) => {
+      const { sensitive } = input;
+      const value = sensitive
+        ? variablesAES256().encrypt(String(input.value))
+        : input.value;
+      const data = { ...input, value };
+      return ctx.db.insert(schema.targetVariable).values(data).returning();
+    }),
+
+  update: protectedProcedure
+    .input(
+      z.object({ id: z.string().uuid(), data: schema.updateTargetVariable }),
+    )
+    .meta({
+      authorizationCheck: async ({ ctx, canUser, input }) => {
+        const variable = await ctx.db
+          .select()
+          .from(schema.targetVariable)
+          .where(eq(schema.targetVariable.id, input.id))
+          .then(takeFirstOrNull);
+        if (!variable) return false;
+
+        return canUser
+          .perform(Permission.TargetUpdate)
+          .on({ type: "target", id: variable.targetId });
+      },
+    })
+    .mutation(async ({ ctx, input }) => {
+      const { sensitive } = input.data;
+      const value = sensitive
+        ? variablesAES256().encrypt(String(input.data.value))
+        : input.data.value;
+      const data = { ...input.data, value };
+      return ctx.db
+        .update(schema.targetVariable)
+        .set(data)
+        .where(eq(schema.targetVariable.id, input.id))
+        .returning()
+        .then(takeFirst);
+    }),
+
+  delete: protectedProcedure
+    .input(z.string().uuid())
+    .meta({
+      authorizationCheck: async ({ ctx, canUser, input }) => {
+        const variable = await ctx.db
+          .select()
+          .from(schema.targetVariable)
+          .where(eq(schema.targetVariable.id, input))
+          .then(takeFirstOrNull);
+        if (!variable) return false;
+
+        return canUser
+          .perform(Permission.TargetUpdate)
+          .on({ type: "target", id: variable.targetId });
+      },
+    })
+    .mutation(async ({ ctx, input }) =>
+      ctx.db
+        .delete(schema.targetVariable)
+        .where(eq(schema.targetVariable.id, input)),
+    ),
+});
+
 type _StringStringRecord = Record<string, string>;
 const targetQuery = (db: Tx, checks: Array<SQL<unknown>>) =>
   db
@@ -218,6 +292,7 @@ export const targetRouter = createTRPCRouter({
   provider: targetProviderRouter,
   relations: targetRelations,
   view: targetViews,
+  variable: targetVariables,
 
   byId: protectedProcedure
     .meta({
@@ -225,27 +300,19 @@ export const targetRouter = createTRPCRouter({
         canUser.perform(Permission.TargetGet).on({ type: "target", id: input }),
     })
     .input(z.string().uuid())
-    .query(async ({ ctx, input }) => {
-      const metadata = await ctx.db
-        .select()
-        .from(schema.targetMetadata)
-        .where(eq(schema.targetMetadata.targetId, input))
-        .then((lbs) => Object.fromEntries(lbs.map((lb) => [lb.key, lb.value])));
-      return ctx.db
-        .select()
-        .from(schema.target)
-        .leftJoin(
-          schema.targetProvider,
-          eq(schema.target.providerId, schema.targetProvider.id),
-        )
-        .where(eq(schema.target.id, input))
-        .then(takeFirstOrNull)
-        .then((a) =>
-          a == null
-            ? null
-            : { ...a.target, metadata, provider: a.target_provider },
-        );
-    }),
+    .query(({ ctx, input }) =>
+      ctx.db.query.target
+        .findFirst({
+          where: eq(schema.target.id, input),
+          with: { metadata: true, variables: true, provider: true },
+        })
+        .then((t) => {
+          if (t == null) return null;
+          const pairs = t.metadata.map((m) => [m.key, m.value]);
+          const metadata = Object.fromEntries(pairs);
+          return { ...t, metadata };
+        }),
+    ),
 
   byWorkspaceId: createTRPCRouter({
     list: protectedProcedure
diff --git a/packages/db/src/schema/target-provider.ts b/packages/db/src/schema/target-provider.ts
index 01fd8c5e9..cc2279aa0 100644
--- a/packages/db/src/schema/target-provider.ts
+++ b/packages/db/src/schema/target-provider.ts
@@ -1,4 +1,5 @@
 import type { InferSelectModel } from "drizzle-orm";
+import { relations } from "drizzle-orm";
 import {
   pgTable,
   text,
@@ -9,6 +10,7 @@ import {
 import { createInsertSchema } from "drizzle-zod";
 import { z } from "zod";
 
+import { target } from "./target.js";
 import { workspace } from "./workspace.js";
 
 export const targetProvider = pgTable(
@@ -24,6 +26,11 @@ export const targetProvider = pgTable(
   (t) => ({ uniq: uniqueIndex().on(t.workspaceId, t.name) }),
 );
 
+export const targetProviderRelations = relations(
+  targetProvider,
+  ({ many }) => ({ targets: many(target) }),
+);
+
 export const createTargetProvider = createInsertSchema(targetProvider).omit({
   id: true,
 });
diff --git a/packages/db/src/schema/target.ts b/packages/db/src/schema/target.ts
index 1f029fa29..2d0b18a04 100644
--- a/packages/db/src/schema/target.ts
+++ b/packages/db/src/schema/target.ts
@@ -3,7 +3,7 @@ import type {
   TargetCondition,
 } from "@ctrlplane/validators/targets";
 import type { InferInsertModel, InferSelectModel, SQL } from "drizzle-orm";
-import { exists, like, not, notExists, or, sql } from "drizzle-orm";
+import { exists, like, not, notExists, or, relations, sql } from "drizzle-orm";
 import {
   boolean,
   json,
@@ -51,6 +51,15 @@ export const target = pgTable(
   (t) => ({ uniq: uniqueIndex().on(t.identifier, t.workspaceId) }),
 );
 
+export const targetRelations = relations(target, ({ one, many }) => ({
+  metadata: many(targetMetadata),
+  variables: many(targetVariable),
+  provider: one(targetProvider, {
+    fields: [target.providerId],
+    references: [targetProvider.id],
+  }),
+}));
+
 export type Target = InferSelectModel<typeof target>;
 
 export const createTarget = createInsertSchema(target, {
@@ -110,6 +119,13 @@ export const targetMetadata = pgTable(
   (t) => ({ uniq: uniqueIndex().on(t.key, t.targetId) }),
 );
 
+export const targetMetadataRelations = relations(targetMetadata, ({ one }) => ({
+  target: one(target, {
+    fields: [targetMetadata.targetId],
+    references: [target.id],
+  }),
+}));
+
 const buildMetadataCondition = (tx: Tx, cond: MetadataCondition): SQL => {
   if (cond.operator === "null")
     return notExists(
@@ -227,15 +243,22 @@ export const targetVariable = pgTable(
       .notNull(),
 
     key: text("key").notNull(),
-    value: jsonb("value").notNull(),
+    value: jsonb("value").$type<string | number | boolean>().notNull(),
     sensitive: boolean("sensitive").notNull().default(false),
   },
   (t) => ({ uniq: uniqueIndex().on(t.targetId, t.key) }),
 );
 
-export const createTargetVariable = createInsertSchema(targetVariable).omit({
-  id: true,
-});
+export const targetVariableRelations = relations(targetVariable, ({ one }) => ({
+  target: one(target, {
+    fields: [targetVariable.targetId],
+    references: [target.id],
+  }),
+}));
+
+export const createTargetVariable = createInsertSchema(targetVariable, {
+  value: z.union([z.string(), z.number(), z.boolean()]),
+}).omit({ id: true });
 
 export const updateTargetVariable = createTargetVariable.partial();
 export type TargetVariable = InferSelectModel<typeof targetVariable>;
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6fa80037d..d5f564204 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -890,6 +890,9 @@ importers:
       '@ctrlplane/logger':
         specifier: workspace:*
         version: link:../logger
+      '@ctrlplane/secrets':
+        specifier: workspace:*
+        version: link:../secrets
       '@ctrlplane/validators':
         specifier: workspace:*
         version: link:../validators