Hey there! We've found the following might help you get unblocked faster:

• 🧵 Spring boot environment Variables

• 🧵 Problem accessing env variables from VITE deploy

• 📚 Environment Variables

If you find the answer from one of these, please let us know by solving the thread!

Hello,

There seems to be some slight confusion about how our pricing works, so let me try to clear that up for you.

Individual users do not have a plan; users manage a workspace, and the plan is tied to the workspace, so you would only need to maintain one Pro workspace. The coworker's own workspace could be on the trial plan, for all it matters.

Note: A Pro workspace is needed since the Hobby plan is intended for individual users working on Hobby projects.

Adding more users to the Pro workspace does not change its pricing. It is a base $20 fee for the plan, and members do not add any additional costs whatsoever.

And finally, hiding or sealing variables is very much possible, and only one click away:

https://docs.railway.com/reference/variables#sealed-variables

https://docs.railway.com/guides/variables#sealing-a-variable

Best,
Brody

Hi Brody,
This is phenomenal news! After reading https://station.railway.com/feedback/restricting-project-members-to-specific-5cf12b09 and reading up on Doppler + Railway, I was frustrated that what I was looking for wasn't feasible.

I did spend some time researching this, so I am glad I made the post and that others will come across it as well who are mistaken as I was.

Before I mark this thread as resolved, I had one more question. Is there anything I should be aware of, any limitation to sealed variables? For example, can the sealed variable be printed in the deploy logs if a developer were to push code that did that? Or does keeping it out of the UI + API mean it also doesn't make its way into the logs?

If there's no clean way for Railway to keep it from making it into the logs, that's fine but at least I know the limitation. If someone has a virus for example (on the dev team) then at least in a normal scenario, the creds wouldn't be screen scraped. It would take an attacker committing code to the Railway environment to do this (which would be an advanced attack). So in this way, if we know what to expect from the feature we can make the necessary decisions.

On a slightly related note, environment specific access would be lovely (per the URL linked).

Kind regards,
Octavian

Hello,

Unfortunately, we don't do any deploy log sanitation, so yes, you could push code to log any variable, sealed or not.

Best,
Brody

That's fine, at least now we know what the system offers.
If you could put as a user feedback somewhere in some tracker, that it would be nice for a workspace owner to assign a developer (even if the owner can't contribute via deployments and stuff), that would be super helpful. Like, if I had to pay 2X $5 (one for each user) so we could share the hobby instance for QA, and then $20 for Pro (for Prod which I have access to if no env access is ever needed by the developer), that would work for me.

Right now, the $5->$20 plan is a little prohibitive when needing to split into QA/Prod environments due to this reason.

Thanks for the help and have a wonderful week Brody!