
Managing Secrets in Bruno: A Secure and Simple Approach

When working with APIs, secrets like keys, tokens, and passwords inevitably come into play. Many users flock to Bruno since your data is stored locally, rather than in the cloud.

Recently, this has become a significant issue with other API clients. In late 2024, CloudSEK released the findings from a year-long investigation into Postman that surfaced over 30,000 public collections with leaked credentials. This could mean that nearly 1 in 10 public Postman collections has leaked sensitive information.

"In most instances, these collections included access tokens, refresh tokens, third-party API keys, and even test or demo user data from organizations of various sizes and across different industries."

- CloudSEK


Since Bruno stores your data locally, there's no risk of cloud exposure, but if you're sharing collections with your teammates or customers you still need to protect any sensitive information that may be stored in your collections.

In this post, we'll explore how Bruno handles secrets and how you can secure your sensitive information while keeping your workflow clean and collaborative.

Why Secret Management Matters

Bruno stores collections as folders in your local file system. This design decision makes it easy to version control collections, but it also means sensitive data could accidentally be pushed into Git (just like any other code). For example:

  • Committing .bru environment files with secrets to Git

  • Sharing exported collection files without scrubbing secrets

To prevent this, Bruno offers multiple ways to manage secrets safely.


👁️‍🗨️ 1. Mark Variables as "Secret"

The simplest way to manage secrets in Bruno is to mark an environment variable as a secret directly in the UI.

When a variable is marked as secret:

  • Bruno manages it internally

  • It’s never written to disk (not even in the environment file)

  • It's obscured in the UI to avoid accidental leaks

This is great for quick setups where you don’t want to maintain a separate .env file.


🔐 2. Use a .env File

A more developer-centric approach is managing Bruno secrets just like you would any other code: with a .env file and a .gitignore placed at the root of your collection.

  • Variables in the .env file are not written into the .bru files

  • These secrets will be accessible in your Bruno collection via the process.env object.

This is ideal if using .env and .gitignore is already your standard process, or if you're storing the collection in a repository where these files already exist.


🔐 3. External Secret Providers (Advanced)

Need more enterprise-grade security? Bruno Ultimate Edition supports integration with secret managers like:

  • HashiCorp Vault

  • AWS Secrets Manager

  • Azure Key Vault

These integrations let you fetch secrets dynamically from your provider of choice without storing them in your project folder. It’s perfect for teams working in larger cloud-native environments.

Each provider comes with step-by-step setup instructions, including:

  • Adding a secret provider

  • Configuring how to fetch secrets

  • Using secrets in your requests

  • Optional CLI support


Best Practices

To keep your secrets safe while using Bruno:

✅ Mark sensitive environment values as secret
✅ Avoid hardcoding secrets in environment or request files
✅ Add .env files to .gitignore
✅ Consider external secret providers for production or cloud-based projects
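The .env approach from section 2 and the first three checklist items above can be tied together in a small pre-commit check. The script below is an added example and not Bruno's own code: it lays out a constructed collection whose API key lives only in .env, whose request reaches it through `{{process.env.API_KEY}}`, and whose environment file carries a UI-marked secret by name only (the `vars:secret [...]` block is how Bruno environment files record such a variable). It then verifies that .env is gitignored and that no raw value from .env appears in any .bru or JSON file that would be committed. The collection path, the variable names and the key value are all constructed for this example.

```shell
#!/bin/sh
# Added example, not Bruno's own code. Builds a constructed Bruno collection
# whose secret lives only in .env, then runs a pre-commit style check that
# (1) .env is gitignored and (2) no raw secret value from .env appears in any
# file that would be committed. Paths, variable names and the key value are
# constructed for this example.
set -eu

# Create the constructed collection layout under the given directory.
setup_collection() {
  root="$1"
  mkdir -p "$root/environments"

  # The only place the value is stored; this file is never committed.
  printf 'API_KEY=sk-constructed-example-0123456789\n' > "$root/.env"

  # Keep .env out of version control.
  printf '.env\n' > "$root/.gitignore"

  # Environment file: baseUrl is an ordinary variable; sessionToken was marked
  # "secret" in the UI, so only its name is written under vars:secret.
  cat > "$root/environments/dev.bru" <<'EOF'
vars {
  baseUrl: https://api.example.test
}
vars:secret [
  sessionToken
]
EOF

  # The request reads the key through process.env, so no value lands on disk.
  cat > "$root/get-user.bru" <<'EOF'
meta {
  name: Get user
  type: http
  seq: 1
}

get {
  url: {{baseUrl}}/me
}

headers {
  Authorization: Bearer {{process.env.API_KEY}}
}
EOF
}

# Return 0 when the collection is safe to commit, 1 otherwise.
check_collection() {
  root="$1"
  status=0

  # Check 1: .env must be listed in .gitignore.
  if ! grep -qx '\.env' "$root/.gitignore" 2>/dev/null; then
    echo "FAIL: .env is not listed in $root/.gitignore"
    status=1
  fi

  # Check 2: each NAME=VALUE from .env (comments and blanks skipped) must not
  # appear verbatim in any .bru or .json file; .env itself is not scanned.
  while IFS='=' read -r name value; do
    [ -n "$name" ] || continue
    case "$name" in '#'*) continue ;; esac
    hits=$(find "$root" -type f \( -name '*.bru' -o -name '*.json' \) \
             -exec grep -qF -- "$value" '{}' \; -print)
    if [ -n "$hits" ]; then
      echo "FAIL: value of $name appears in: $hits"
      status=1
    fi
  done < "$root/.env"

  return "$status"
}

# Demonstration: the clean layout passes; a copy with the key pasted into a
# request file is rejected.
CLEAN=$(mktemp -d)
setup_collection "$CLEAN"
check_collection "$CLEAN" && echo "clean collection: safe to commit"

LEAKY=$(mktemp -d)
setup_collection "$LEAKY"
printf 'headers {\n  X-Api-Key: sk-constructed-example-0123456789\n}\n' \
  > "$LEAKY/hardcoded.bru"
if check_collection "$LEAKY"; then
  echo "unexpected: leak not detected"
else
  echo "leaky collection: blocked"
fi
```

Run it as a git pre-commit hook by calling `check_collection` on the collection root and letting its non-zero exit abort the commit; because the scan compares the literal values from .env rather than guessing at secret formats, it catches a key pasted into a header just as readily as one copied into an environment file.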


Wrapping Up

Bruno gives developers full control over how they manage sensitive information—whether you're building solo, collaborating in a small team, or working in a cloud-native enterprise setup. By leveraging its built-in features and integrations, you can confidently build and share collections without risking a secret spill.

Ready to get your secrets out of the cloud and start working locally? Download Bruno and give it a try!