TL;DR
Doppler is a cloud-hosted secret manager built for teams: you define environments, invite teammates, use their CLI or SDK to inject env vars at runtime, and get audit logs and rotation workflows. It's mature, well-adopted, and solves team-wide secret sharing cleanly. Stack is not a secret manager. It's a control plane that provisions SaaS services (Supabase, Stripe, Clerk, etc.) and records slot names for the secrets those services hand back. The actual vault is Phantom, Stack's sister product — a local-first, E2E-encrypted secret manager. Doppler versus Stack isn't really the comparison; it's Doppler versus Phantom-backed Stack. Here's the honest breakdown.
When to pick each
| Pick Doppler when | Pick Stack (+ Phantom) when |
|---|---|
| Your team already standardized on Doppler and has dev/staging/prod workflows in place. | You're starting fresh and want secret storage tied to provisioning, not as a separate step. |
| You need audit logs, RBAC, and SOC2-backed cloud storage out of the box. | You want local-first, E2E-encrypted secrets that never touch a vendor's servers. |
| You want a mature SDK ecosystem (Node, Python, Go, Ruby, PHP, .NET). | You want stack add stripe to create the account and safely store the key in one atomic operation. |
The decisive factor is usually team shape. Doppler excels at "10 engineers sharing production secrets." Stack + Phantom excels at "I just provisioned Supabase, and the service-role key must not touch my disk in plaintext."
At-a-glance
| Capability | Stack (+ Phantom) | Doppler |
|---|---|---|
| Category | SaaS control plane + E2E vault | Cloud-hosted secret manager |
| Primary surface | CLI + MCP + Claude Code plugin (Stack); CLI + Cloud (Phantom) | CLI + dashboard + SDKs |
| Vault model | Local-first vault with optional E2E-encrypted cloud sync | Cloud-hosted with server-side encryption |
| Encryption | AEAD client-side; vendor cannot decrypt your secrets | Server-side encryption with AWS KMS; Doppler admins can technically access |
| Runtime injection | stack exec -- bun dev (wraps phantom exec); phm_* tokens in .env | doppler run -- bun dev; or SDK reads from Doppler API at startup |
| Provisioning | Provisions 29 upstream SaaS providers and stores their keys atomically | Secrets manager only — BYO provider accounts |
| Team sharing | Phantom Cloud (optional, E2E-encrypted sync); team features on roadmap | First-class: workspaces, projects, environments, RBAC, SSO |
| Audit logs | Roadmap via stack cloud | Enterprise-grade audit trails |
| License / pricing | MIT · free forever (Stack); Phantom free tier + optional cloud sync | Free tier (3 seats); paid tiers start ~$18/user/mo |
| Best for | Solo devs, startups, agentic workflows, composed SaaS setups | Teams that need mature RBAC, audit logs, and SDK-based secret injection |
Where they overlap
Both solve "my app needs secrets at runtime without hardcoding them."
Both provide a CLI that wraps a process with resolved environment
variables at spawn time (doppler run -- and stack exec -- / phantom exec -- are
functionally similar). Both support cloud sync across machines and CI
runners. Both try to keep plaintext secrets out of your repo.
The real overlap is the vault layer. In practice Phantom and Doppler are comparable as secret stores; the difference is Phantom's E2E-encryption model (the vault provider literally cannot read your secrets) versus Doppler's server-side encryption model (Doppler admins have access under their encryption-at-rest scheme). Different threat models, and reasonable people pick either.
Where Stack wins
- Provisioning and vault write are one operation. stack add stripe creates the Stripe account, captures the restricted key, and writes it to Phantom — all before the command returns. With Doppler, you provision in a dashboard, copy the key, paste it into doppler secrets set. That copy-paste step is where keys leak into clipboards, shell history, and chat logs.
- True E2E encryption. Phantom uses AEAD client-side encryption with a key only your device holds. Even if Phantom Cloud were compromised, attackers see ciphertext. Doppler's server-side encryption is a different model — fine for most threat models, but not E2E.
- No plaintext in .env, ever. Stack regenerates .env.local with phm_* tokens that resolve at stack exec time. If someone checks in .env.local, the tokens are useless without the vault.
- MCP-native. Stack's 19 MCP tools let an agent drive provisioning end-to-end. Doppler has no native MCP server — you'd have to wrap its CLI yourself.
- Free forever. Stack is MIT; Phantom's core vault is free. Doppler's team-tier features start at paid plans.
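One way to check the "no plaintext in .env" property from the list above: a small linter, added here as an example and not part of Stack or Phantom, that flags any .env.local value that is not a phm_ reference. The token alphabet after the phm_ prefix, the allow-list and the sample file are assumptions.

```python
import re

# Assumption: a Phantom reference is "phm_" plus token characters; the page
# only documents the "phm_*" prefix, not the exact alphabet.
TOKEN_RE = re.compile(r"^phm_[A-Za-z0-9_\-]+$")
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
QUOTED_RE = re.compile(r"""^(['"])(.*)\1\s*(?:#.*)?$""")


def parse_env(text):
    """Yield (line_no, key, value) for each assignment in dotenv-style text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:  # blank lines, comments and anything that is not KEY=VALUE
            continue
        key, value = m.group(1), m.group(2).strip()
        q = QUOTED_RE.match(value)
        # Quoted: keep the contents verbatim. Unquoted: drop a trailing comment.
        value = q.group(2) if q else re.sub(r"\s+#.*$", "", value)
        yield line_no, key, value


def find_plaintext(text, allow=()):
    """Return [(line_no, key)] for values that are neither a phm_ token nor allowed."""
    findings = []
    for line_no, key, value in parse_env(text):
        if value == "" or key in allow or TOKEN_RE.match(value):
            continue
        findings.append((line_no, key))  # report the key only, never the value
    return findings


# Constructed sample; keys and values are made up for illustration.
SAMPLE = """\
# generated
STRIPE_SECRET_KEY=phm_3f9a1c
export SUPABASE_SERVICE_ROLE_KEY="phm_b77e02"
NODE_ENV=development
DATABASE_URL='postgres://app:hunter2@localhost/db'
LEGACY_API_KEY=not-a-token-value # pasted by hand
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_plaintext(text, allow={"NODE_ENV"})
    for line_no, key in hits:
        print(f"line {line_no}: {key} holds a plaintext value, expected a phm_ token")
    sys.exit(1 if hits else 0)
```

Run as a pre-commit or CI step, the non-zero exit blocks a commit in which a hand-pasted value has replaced a vault reference.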
Where Doppler wins
Honest concessions:
- Team-shared secrets with RBAC. Doppler is built for teams: projects, environments, role-based access, secret-level permissions, SSO. Phantom's team story is on the roadmap, not shipped; today Phantom Cloud is an E2E-sync primitive, not a team RBAC platform.
- Audit logs and compliance. Doppler has SOC2 Type II, GDPR compliance, and full audit trails of who accessed which secret when. Stack and Phantom are pre-alpha; audit logs land with stack cloud.
- Mature SDK ecosystem. Doppler has first-party SDKs in Node, Python, Go, Ruby, PHP, .NET. Phantom's primary integration path is phantom exec wrapping your process. If you want a native SDK call that refreshes secrets mid-process, Doppler wins.
- Existing adoption. If your team already uses Doppler and has tooling around it, ripping it out to adopt Phantom is almost never the right call. Use stack add for provisioning and pipe the resulting secrets into Doppler instead.
- Enterprise maturity. Years of production usage, a real support organization, and a polished dashboard. Stack is v0.1.1.
Can I use both?
Yes. If your team is committed to Doppler, Stack can still provision —
run stack add supabase to create the project and fetch the
key, then pipe it into Doppler via doppler secrets set.
It's less elegant than the pure Stack + Phantom flow but gets you
one-command provisioning while preserving your existing vault. A cleaner
path on the roadmap: Phantom will support phantom sync --platform doppler
so Stack-managed secrets propagate to Doppler automatically.
Migration and caveats
Stack is pre-alpha — these comparisons reflect v0.1.1 as of April 2026. We don't claim parity with Doppler's enterprise maturity, team RBAC, or audit features. Phantom's team story is a deliberate v0.x omission, not a finished product. If you need team-wide audited secret sharing today, Doppler is the mature choice. If you're a solo dev or a small team that wants provisioning and vault to feel like one tool, Stack + Phantom is worth a shot. For the full Phantom mental model, see /docs/phantom. For MCP workflows, see /docs/mcp. For the provider catalog, see /docs/providers.
FAQ
Is Stack a secret manager?
No. Stack is a control plane that provisions SaaS services and records which secrets each service needs. The actual vault is Phantom (phm.dev), Stack's sister product, which is a local-first E2E-encrypted secret manager. If you prefer Doppler or Infisical as your vault, Stack can still provision — you just pipe the resulting secrets into your existing vault.
Can I migrate from Doppler to Phantom?
Yes — Phantom has an import path for Doppler configs. The reverse also
works: Phantom can push its vault to Doppler via phantom sync
so teams that have already standardized on Doppler can adopt Stack
without disrupting their current secret workflow.
Which do YC startups use?
Early-stage startups commonly use Doppler or 1Password for shared team secrets because they're mature and the team primitive is solved. Stack + Phantom is the better choice when you want provider provisioning and secret storage to happen in one atomic step rather than as two separate processes.