Last Reviewed: August 22, 2024

PHP Usage

How to read Pantheon Secrets from code.

Edit this page on GitHub Report an issue with this doc

Reading secrets from PHP

Secrets can be read, updated, created, and deleted via the Terminus Secrets Manager Plugin. WordPress and Drupal however, can only read secrets at runtime - there is no way to modify secrets via the application or in code.

Secrets must have the scope web to be visible from your application. Secrets are cached in the server for 15 minutes, so you must wait for a while after modifying secret values before they will be available for use. This cache is also encrypted at rest.

Note: this also applies to quicksilver scripts.

Use the pantheon_get_secret PHP function

The function pantheon_get_secret() may be used to fetch the value of a single secret.

if ( function_exists('pantheon_get_secret') ) {
  $secret_value = pantheon_get_secret("SECRET_NAME");
}

WordPress detailed example

In this guide we will go over an end-to-end example on how to setup secrets for a given site and how to read those secrets in wp-config.php. For this example, we will use the WP Mail SMTP plugin to setup SendGrid.

Prerequisites

Make sure you have access to a WordPress site on Pantheon.
Make sure you have Terminus installed on your local machine.
Install the Terminus Secrets Manager Plugin.

Steps

Install and activate the WP Mail SMTP plugin.
Make sure your SendGrid account is correctly configured and allows sending email.
Create a SendGrid API key by following the SendGrid instructions.
Store the API key as a site secret:
```
terminus secret:site:set <site> sendgrid_api <api_key> --scope=web --type=runtime
```
As a best practice, the non-production environments should be the default and then override that value with a secret environment override to change the API key for the live environment (for example, if you want to use different SendGrid accounts for live and dev environments).

Add the following to wp-config.php, replacing placeholder values (e.g., [email protected] and Example From Name):

define( 'WPMS_ON', true ); // True turns on the WPMS constants for usage below, false turns it off.
define( 'WPMS_MAIL_FROM', '[email protected]' );  
define( 'WPMS_MAIL_FROM_NAME', 'Example From Name');
define( 'WPMS_MAILER', 'sendgrid' );
if ( function_exists('pantheon_get_secret') ) {
	define( 'WPMS_SENDGRID_API_KEY', pantheon_get_secret( 'sendgrid_api' ) );
}

Go to the SendGrid email test page (/wp-admin/admin.php?page=wp-mail-smtp-tools&tab=test) and test your SendGrid integration by sending a test email.

More Resources

For advanced use cases, you may consider leveraging the Secrets SDK library as an alternative to the pantheon_get_secret function.