The rule is simple: never paste a secret into a chat with an AI assistant (including ChatGPT or Claude), never put it in a config file you commit to Git, never share it in Slack, never type it into a browser address bar. Once a secret is in those places, you don't know who else has seen it—it might be in chat logs, cached by a third party, or visible in plaintext to anyone with repository access. Ship has a secret store specifically so the value is held in one place, encrypted at rest, with audit logs of who accessed it and when. The wizard asks you to paste the secret into a form field; the form sends it directly to Ship's secret store, it's encrypted immediately, and the value is never logged or displayed again. That's the safe path.