Skip to content


Repository files navigation

💪 Strong Config

Continuous Integration Coverage Status

Have you ever...

❓ ...struggled with config drift between local, staging, prod?

❓ ...forgot to update the production config after updating the development config?

❓ ...forgot to tell your teammates to update their local .env files after you made a change?

❓ ...worried about leaking secrets by accidentally pushing your .env files to GitHub?

❓ ...wished you could nest config values in your .env just like in a JavaScript object?

❓...had a CI build fail due to environment variable issues?

Strong Config is here to help!

Commit your configs to version-control safely and easily, for all your environments

Define your config in JSON or YAML instead of .env files

Nest your values for clearly structured config files

Validate your config against a JSON Schema to catch config errors early

Encrypt your secrets with strong cryptography. Fully encrypted at rest and only decrypted in-memory at runtime.

Safeguard your config through git hooks. Ensure config is both valid and encrypted before committing and pushing.

Easy integration with the most popular cloud key management services AWS KMSGoogle Cloud KMS, and Azure Key Vault. Powered by Mozilla's SOPS.

Enforce environment-specific permissions via your KMS. Decide who can encrypt and decrypt configs for which environments. For example, you could allow all engineers to decrypt your staging config, but restrict the production config to fewer people.

Auto-generate TypeScript types for your config (requires a JSON Schema)

Example config before encryption

# A top-level config value which will be available to your application as `config.logger`
  # A nested value which will be available as `config.logger.level`
  level: DEBUG

  apiClientId: non-secret-client-id
  # A secret. Every key with a 'Secret' suffix will be encrypted by Strong Config (e.g. 'encryptMeSecret')
  apiSecret: top-secret-api-credential

# A dynamic value that will be substituted at runtime with the value of the environment variable $SHELL
shell: ${SHELL}

Example config after encryption

  # This value remains as is because it doesn't have a 'Secret' suffix
  level: DEBUG

  apiClientId: non-secret-client-id
  # This is now encrypted and safe to commit into version control :)
  apiSecret: ENC[AES256_GCM,data:aeQ+hlVIah7WyJoVR/Jbkb6GLH7ihsV0D81+U++pkiWD0zeoRL/Oe9Q3Tz6j/TNvKKVDnohIMyw3UVjELOuSY+A==,iv:nVRZWogV4B7o=,tag:KrE2jssfP4uCvqq+pc/JyQ==,type:str]

# Also still the same value which will be substituted only at runtime
shell: ${SHELL}

# The below section is auto-generated by sops and contains important metadata to
# decrypt the config at runtime. Do not manually edit or delete this section.
    - resource_id: projects/my-project/locations/europe-west2/keyRings/my-project-key-ring/cryptoKeys/my-strong-config-key
      created_at: '2020-01-07T10:11:12Z'
      enc: AiAAmdAgj1dw1XdD2MsVpvmA4Deo867hmcX2B3NDhe9BCF2axuZ18hJJFK9oBlE1BrD70djwqi+L8T+NRNVnGUP+1//w8cJATAfJ8W/cQZFcdFTqjezC+VYv9xYI8i1bRna4xfFo/INIJtFDR38ZH1nrQg==
  lastmodified: '2020-01-07T10:11:12Z'
  mac: ENC[AES256_GCM,data:ABcd1EF2gh3IJKl4MNOpQr5stuvWXYz6sBCDEfGhIjK=,iv:A1AaAAAaa111a1Aa111AA/aaaAaaAAaa+aAaAaAAAaA=,tag:AAaaA1a1aaaAa/aa11AaaA==,type:str]
  encrypted_suffix: Secret
  version: 3.5.0


For the full documentation, check Here's a short teaser:

  1. Install @strong-config/node and the SOPS binary.

    npm install @strong-config/node
    # or
    yarn add @strong-config/node

    Sidenote: The Sops Binary After package installation, Strong Config automatically runs a postinstall script that checks for availability of the sops binary on your system. If it can't find the sops binary, it will try to download it to node_modules/.bin/sops which is always part of $PATH when you yarn run or npm run scripts. Alternatively, you can also install sops globally via brew install sops (macOS). For other systems check the official sops releases on GitHub.

  2. Create a config file

    # By default, strong-config uses the ./config folder.
    # You can configure this to be a different folder via the options
    mkdir config
    # We'll use YAML here, but this could also JSON
    echo "myFirstConfig: strong" > config/development.yml
    echo "myFirstSecret: a development secret" >> config/development.yml
  3. Load config in your application code

    /* src/config.js */
    const StrongConfig = require('@strong-config/node')
    // Instantiate StrongConfig, then decrypt and load config file
    const config = new StrongConfig().getConfig()
    // This will print "{ myFirstConfig: 'strong' }" to the console
     * OPTIONAL (but recommended)
     * Call `new StrongConfig()` just once in your application, then export the memoized config for other files to use.
     * If you call `new StrongConfig()` again from another file, it would still work, but would re-instantiate a new
     * StrongConfig instance and load the config file from disk again which is slower than loading it from memory.
    module.exports = config
  4. Run your app

    strong-config relies on the NODE_ENV environment variable to determine which config file to load. For example, setting NODE_ENV=development will load ./config/development.yaml

    # Set the environment variable
    NODE_ENV=development yarn start # or `NODE_ENV=development npm start

    If you used our example code from the previous step, the config should now be printed to the terminal 💪.

  5. Check the Strong Config website for more documentation

    Check out the full documentation on to learn how to:

    • Encrypt your config
    • Validate your config against a schema
    • Generate TypeScript types for your config

    ...and more :)