Rails 8.1 introduces a unified credentials API via `Rails.app.creds` that checks ENV variables first, then falls back to encrypted credentials. This eliminates the common pattern of mixing `ENV.fetch` and `credentials.dig` calls throughout a codebase. The `require` method raises a `KeyError` if a key is missing from all backends, while `option` handles optional values. Nested keys map to double-underscored ENV names (e.g., `STRIPE__API_KEY`), allowing secrets to be moved between ENV and encrypted files without changing application code. Per-environment encrypted credential files are supported, with production using its own isolated file and key.
Sort: