diff --git a/.changeset/envvars-import-is-secret.md b/.changeset/envvars-import-is-secret.md
new file mode 100644
index 00000000000..5fbe70f43ae
--- /dev/null
+++ b/.changeset/envvars-import-is-secret.md
@@ -0,0 +1,12 @@
+---
+"@trigger.dev/core": patch
+---
+
+`envvars.upload` now accepts an optional `isSecret` flag, letting you create the imported variables as secret (redacted) environment variables. When omitted, variables default to non-secret.
+
+```ts
+await envvars.upload("proj_1234", "prod", {
+  variables: { STRIPE_SECRET_KEY: "sk_live_..." },
+  isSecret: true,
+});
+```
diff --git a/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts b/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
index 53bc4429c1d..313ecdc8538 100644
--- a/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
+++ b/apps/webapp/app/routes/api.v1.projects.$projectRef.envvars.$slug.import.ts
@@ -40,6 +40,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
 
   const result = await repository.create(environment.project.id, {
     override: typeof body.override === "boolean" ? body.override : false,
+    isSecret: body.isSecret,
     environmentIds: [environment.id],
     // Pass parent environment ID so new variables can inherit isSecret from parent
     parentEnvironmentId: environment.parentEnvironmentId ?? undefined,
@@ -54,6 +55,7 @@ export async function action({ params, request }: ActionFunctionArgs) {
   if (environment.parentEnvironmentId && body.parentVariables) {
     const parentResult = await repository.create(environment.project.id, {
       override: typeof body.override === "boolean" ? body.override : false,
+      isSecret: body.isSecret,
       environmentIds: [environment.parentEnvironmentId],
       variables: Object.entries(body.parentVariables).map(([key, value]) => ({
         key,
diff --git a/packages/core/src/v3/apiClient/types.ts b/packages/core/src/v3/apiClient/types.ts
index aa21e2022d0..445d6bbda24 100644
--- a/packages/core/src/v3/apiClient/types.ts
+++ b/packages/core/src/v3/apiClient/types.ts
@@ -14,6 +14,10 @@ export interface ImportEnvironmentVariablesParams {
    */
   variables: Record<string, string>;
   override?: boolean;
+  /**
+   * When `true`, the imported variables are created as secret (redacted) environment variables. Defaults to `false`.
+   */
+  isSecret?: boolean;
 }
 
 export interface CreateEnvironmentVariableParams {
diff --git a/packages/core/src/v3/schemas/api.ts b/packages/core/src/v3/schemas/api.ts
index 570f03aca2c..73427476cec 100644
--- a/packages/core/src/v3/schemas/api.ts
+++ b/packages/core/src/v3/schemas/api.ts
@@ -1215,6 +1215,8 @@ export const ImportEnvironmentVariablesRequestBody = z.object({
   variables: z.record(z.string()),
   parentVariables: z.record(z.string()).optional(),
   override: z.boolean().optional(),
+  // When omitted, variables default to non-secret (the DB default is false).
+  isSecret: z.boolean().optional(),
   source: z
     .discriminatedUnion("type", [
       z.object({ type: z.literal("user"), userId: z.string() }),