feat(secret-sync): minor fix on heroku docs

feat(secret-sync): minor fix on heroku sync
Add Heroku PR suggestions
2025-08-03 20:23:35 +00:00 · 2025-06-19 15:17:36 -03:00 · 2025-06-19 13:38:20 -03:00 · 2025-06-19 09:28:43 -03:00 · 2025-06-19 08:47:03 -03:00 · 2025-06-17 21:19:21 -03:00
86 changed files with 1724 additions and 18 deletions
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -2390,6 +2390,10 @@ export const SecretSyncs = {
    ONEPASS: {
      vaultId: "The ID of the 1Password vault to sync secrets to."
    },
+    HEROKU: {
+      app: "The ID of the Heroku app to sync secrets to.",
+      appName: "The name of the Heroku app to sync secrets to."
+    },
    RENDER: {
      serviceId: "The ID of the Render service to sync secrets to.",
      scope: "The Render scope that secrets should be synced to.",
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -50,6 +50,7 @@ import {
  HCVaultConnectionListItemSchema,
  SanitizedHCVaultConnectionSchema
 } from "@app/services/app-connection/hc-vault";
+import { HerokuConnectionListItemSchema, SanitizedHerokuConnectionSchema } from "@app/services/app-connection/heroku";
 import {
  HumanitecConnectionListItemSchema,
  SanitizedHumanitecConnectionSchema
@@ -106,6 +107,7 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedOCIConnectionSchema.options,
  ...SanitizedOracleDBConnectionSchema.options,
  ...SanitizedOnePassConnectionSchema.options,
+  ...SanitizedHerokuConnectionSchema.options,
  ...SanitizedRenderConnectionSchema.options,
  ...SanitizedFlyioConnectionSchema.options
 ]);
@@ -135,6 +137,7 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  OCIConnectionListItemSchema,
  OracleDBConnectionListItemSchema,
  OnePassConnectionListItemSchema,
+  HerokuConnectionListItemSchema,
  RenderConnectionListItemSchema,
  FlyioConnectionListItemSchema
 ]);
--- a/backend/src/server/routes/v1/app-connection-routers/heroku-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/heroku-connection-router.ts
@@ -0,0 +1,54 @@
+import z from "zod";
+
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateHerokuConnectionSchema,
+  SanitizedHerokuConnectionSchema,
+  THerokuApp,
+  UpdateHerokuConnectionSchema
+} from "@app/services/app-connection/heroku";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerHerokuConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.Heroku,
+    server,
+    sanitizedResponseSchema: SanitizedHerokuConnectionSchema,
+    createSchema: CreateHerokuConnectionSchema,
+    updateSchema: UpdateHerokuConnectionSchema
+  });
+
+  // The below endpoints are not exposed and for Infisical App use
+  server.route({
+    method: "GET",
+    url: `/:connectionId/apps`,
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        connectionId: z.string().uuid()
+      }),
+      response: {
+        200: z
+          .object({
+            id: z.string(),
+            name: z.string()
+          })
+          .array()
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { connectionId } = req.params;
+
+      const apps: THerokuApp[] = await server.services.appConnection.heroku.listApps(connectionId, req.permission);
+
+      return apps;
+    }
+  });
+};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -16,6 +16,7 @@ import { registerGcpConnectionRouter } from "./gcp-connection-router";
 import { registerGitHubConnectionRouter } from "./github-connection-router";
 import { registerGitHubRadarConnectionRouter } from "./github-radar-connection-router";
 import { registerHCVaultConnectionRouter } from "./hc-vault-connection-router";
+import { registerHerokuConnectionRouter } from "./heroku-connection-router";
 import { registerHumanitecConnectionRouter } from "./humanitec-connection-router";
 import { registerLdapConnectionRouter } from "./ldap-connection-router";
 import { registerMsSqlConnectionRouter } from "./mssql-connection-router";
@@ -55,6 +56,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.OCI]: registerOCIConnectionRouter,
    [AppConnection.OracleDB]: registerOracleDBConnectionRouter,
    [AppConnection.OnePass]: registerOnePassConnectionRouter,
+    [AppConnection.Heroku]: registerHerokuConnectionRouter,
    [AppConnection.Render]: registerRenderConnectionRouter,
    [AppConnection.Flyio]: registerFlyioConnectionRouter
  };
--- a/backend/src/server/routes/v1/secret-sync-routers/heroku-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/heroku-sync-router.ts
@@ -0,0 +1,13 @@
+import { CreateHerokuSyncSchema, HerokuSyncSchema, UpdateHerokuSyncSchema } from "@app/services/secret-sync/heroku";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+
+import { registerSyncSecretsEndpoints } from "./secret-sync-endpoints";
+
+export const registerHerokuSyncRouter = async (server: FastifyZodProvider) =>
+  registerSyncSecretsEndpoints({
+    destination: SecretSync.Heroku,
+    server,
+    responseSchema: HerokuSyncSchema,
+    createSchema: CreateHerokuSyncSchema,
+    updateSchema: UpdateHerokuSyncSchema
+  });
--- a/backend/src/server/routes/v1/secret-sync-routers/index.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/index.ts
@@ -13,6 +13,7 @@ import { registerFlyioSyncRouter } from "./flyio-sync-router";
 import { registerGcpSyncRouter } from "./gcp-sync-router";
 import { registerGitHubSyncRouter } from "./github-sync-router";
 import { registerHCVaultSyncRouter } from "./hc-vault-sync-router";
+import { registerHerokuSyncRouter } from "./heroku-sync-router";
 import { registerHumanitecSyncRouter } from "./humanitec-sync-router";
 import { registerRenderSyncRouter } from "./render-sync-router";
 import { registerTeamCitySyncRouter } from "./teamcity-sync-router";
@@ -40,6 +41,7 @@ export const SECRET_SYNC_REGISTER_ROUTER_MAP: Record<SecretSync, (server: Fastif
  [SecretSync.TeamCity]: registerTeamCitySyncRouter,
  [SecretSync.OCIVault]: registerOCIVaultSyncRouter,
  [SecretSync.OnePass]: registerOnePassSyncRouter,
+  [SecretSync.Heroku]: registerHerokuSyncRouter,
  [SecretSync.Render]: registerRenderSyncRouter,
  [SecretSync.Flyio]: registerFlyioSyncRouter
 };
--- a/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
+++ b/backend/src/server/routes/v1/secret-sync-routers/secret-sync-router.ts
@@ -27,6 +27,7 @@ import { FlyioSyncListItemSchema, FlyioSyncSchema } from "@app/services/secret-s
 import { GcpSyncListItemSchema, GcpSyncSchema } from "@app/services/secret-sync/gcp";
 import { GitHubSyncListItemSchema, GitHubSyncSchema } from "@app/services/secret-sync/github";
 import { HCVaultSyncListItemSchema, HCVaultSyncSchema } from "@app/services/secret-sync/hc-vault";
+import { HerokuSyncListItemSchema, HerokuSyncSchema } from "@app/services/secret-sync/heroku";
 import { HumanitecSyncListItemSchema, HumanitecSyncSchema } from "@app/services/secret-sync/humanitec";
 import { RenderSyncListItemSchema, RenderSyncSchema } from "@app/services/secret-sync/render/render-sync-schemas";
 import { TeamCitySyncListItemSchema, TeamCitySyncSchema } from "@app/services/secret-sync/teamcity";
@@ -52,6 +53,7 @@ const SecretSyncSchema = z.discriminatedUnion("destination", [
  TeamCitySyncSchema,
  OCIVaultSyncSchema,
  OnePassSyncSchema,
+  HerokuSyncSchema,
  RenderSyncSchema,
  FlyioSyncSchema
 ]);
@@ -74,6 +76,7 @@ const SecretSyncOptionsSchema = z.discriminatedUnion("destination", [
  TeamCitySyncListItemSchema,
  OCIVaultSyncListItemSchema,
  OnePassSyncListItemSchema,
+  HerokuSyncListItemSchema,
  RenderSyncListItemSchema,
  FlyioSyncListItemSchema
 ]);
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -23,6 +23,7 @@ export enum AppConnection {
  OCI = "oci",
  OracleDB = "oracledb",
  OnePass = "1password",
+  Heroku = "heroku",
  Render = "render",
  Flyio = "flyio"
 }
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -69,6 +69,7 @@ import {
  HCVaultConnectionMethod,
  validateHCVaultConnectionCredentials
 } from "./hc-vault";
+import { getHerokuConnectionListItem, HerokuConnectionMethod, validateHerokuConnectionCredentials } from "./heroku";
 import {
  getHumanitecConnectionListItem,
  HumanitecConnectionMethod,
@@ -125,6 +126,7 @@ export const listAppConnectionOptions = () => {
    getOCIConnectionListItem(),
    getOracleDBConnectionListItem(),
    getOnePassConnectionListItem(),
+    getHerokuConnectionListItem(),
    getRenderConnectionListItem(),
    getFlyioConnectionListItem()
  ].sort((a, b) => a.name.localeCompare(b.name));
@@ -202,6 +204,7 @@ export const validateAppConnectionCredentials = async (
    [AppConnection.OCI]: validateOCIConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.OracleDB]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.OnePass]: validateOnePassConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.Heroku]: validateHerokuConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Render]: validateRenderConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Flyio]: validateFlyioConnectionCredentials as TAppConnectionCredentialsValidator
  };
@@ -219,7 +222,10 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case AzureClientSecretsConnectionMethod.OAuth:
    case GitHubConnectionMethod.OAuth:
    case AzureDevOpsConnectionMethod.OAuth:
+    case HerokuConnectionMethod.OAuth:
      return "OAuth";
+    case HerokuConnectionMethod.AuthToken:
+      return "Auth Token";
    case AwsConnectionMethod.AccessKey:
    case OCIConnectionMethod.AccessKey:
      return "Access Key";
@@ -310,6 +316,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
  [AppConnection.OCI]: platformManagedCredentialsNotSupported,
  [AppConnection.OracleDB]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
  [AppConnection.OnePass]: platformManagedCredentialsNotSupported,
+  [AppConnection.Heroku]: platformManagedCredentialsNotSupported,
  [AppConnection.Render]: platformManagedCredentialsNotSupported,
  [AppConnection.Flyio]: platformManagedCredentialsNotSupported
 };
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -25,6 +25,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.OCI]: "OCI",
  [AppConnection.OracleDB]: "OracleDB",
  [AppConnection.OnePass]: "1Password",
+  [AppConnection.Heroku]: "Heroku",
  [AppConnection.Render]: "Render",
  [AppConnection.Flyio]: "Fly.io"
 };
@@ -54,6 +55,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
  [AppConnection.OracleDB]: AppConnectionPlanType.Enterprise,
  [AppConnection.OnePass]: AppConnectionPlanType.Regular,
  [AppConnection.MySql]: AppConnectionPlanType.Regular,
+  [AppConnection.Heroku]: AppConnectionPlanType.Regular,
  [AppConnection.Render]: AppConnectionPlanType.Regular,
  [AppConnection.Flyio]: AppConnectionPlanType.Regular
 };
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -58,6 +58,8 @@ import { githubConnectionService } from "./github/github-connection-service";
 import { ValidateGitHubRadarConnectionCredentialsSchema } from "./github-radar";
 import { ValidateHCVaultConnectionCredentialsSchema } from "./hc-vault";
 import { hcVaultConnectionService } from "./hc-vault/hc-vault-connection-service";
+import { ValidateHerokuConnectionCredentialsSchema } from "./heroku";
+import { herokuConnectionService } from "./heroku/heroku-connection-service";
 import { ValidateHumanitecConnectionCredentialsSchema } from "./humanitec";
 import { humanitecConnectionService } from "./humanitec/humanitec-connection-service";
 import { ValidateLdapConnectionCredentialsSchema } from "./ldap";
@@ -109,6 +111,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.OCI]: ValidateOCIConnectionCredentialsSchema,
  [AppConnection.OracleDB]: ValidateOracleDBConnectionCredentialsSchema,
  [AppConnection.OnePass]: ValidateOnePassConnectionCredentialsSchema,
+  [AppConnection.Heroku]: ValidateHerokuConnectionCredentialsSchema,
  [AppConnection.Render]: ValidateRenderConnectionCredentialsSchema,
  [AppConnection.Flyio]: ValidateFlyioConnectionCredentialsSchema
 };
@@ -516,6 +519,7 @@ export const appConnectionServiceFactory = ({
    teamcity: teamcityConnectionService(connectAppConnectionById),
    oci: ociConnectionService(connectAppConnectionById, licenseService),
    onepass: onePassConnectionService(connectAppConnectionById),
+    heroku: herokuConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    render: renderConnectionService(connectAppConnectionById),
    flyio: flyioConnectionService(connectAppConnectionById)
  };
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -98,6 +98,12 @@ import {
  THCVaultConnectionInput,
  TValidateHCVaultConnectionCredentialsSchema
 } from "./hc-vault";
+import {
+  THerokuConnection,
+  THerokuConnectionConfig,
+  THerokuConnectionInput,
+  TValidateHerokuConnectionCredentialsSchema
+} from "./heroku";
 import {
  THumanitecConnection,
  THumanitecConnectionConfig,
@@ -173,6 +179,7 @@ export type TAppConnection = { id: string } & (
  | TOCIConnection
  | TOracleDBConnection
  | TOnePassConnection
+  | THerokuConnection
  | TRenderConnection
  | TFlyioConnection
 );
@@ -206,6 +213,7 @@ export type TAppConnectionInput = { id: string } & (
  | TOCIConnectionInput
  | TOracleDBConnectionInput
  | TOnePassConnectionInput
+  | THerokuConnectionInput
  | TRenderConnectionInput
  | TFlyioConnectionInput
 );
@@ -247,6 +255,7 @@ export type TAppConnectionConfig =
  | TTeamCityConnectionConfig
  | TOCIConnectionConfig
  | TOnePassConnectionConfig
+  | THerokuConnectionConfig
  | TRenderConnectionConfig
  | TFlyioConnectionConfig;

@@ -275,6 +284,7 @@ export type TValidateAppConnectionCredentialsSchema =
  | TValidateOCIConnectionCredentialsSchema
  | TValidateOracleDBConnectionCredentialsSchema
  | TValidateOnePassConnectionCredentialsSchema
+  | TValidateHerokuConnectionCredentialsSchema
  | TValidateRenderConnectionCredentialsSchema
  | TValidateFlyioConnectionCredentialsSchema;

--- a/backend/src/services/app-connection/heroku/heroku-connection-enums.ts
+++ b/backend/src/services/app-connection/heroku/heroku-connection-enums.ts
@@ -0,0 +1,4 @@
+export enum HerokuConnectionMethod {
+  AuthToken = "auth-token",
+  OAuth = "oauth"
+}
--- a/backend/src/services/app-connection/heroku/heroku-connection-fns.ts
+++ b/backend/src/services/app-connection/heroku/heroku-connection-fns.ts
@@ -0,0 +1,208 @@
+import { AxiosError, AxiosResponse } from "axios";
+
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, InternalServerError } from "@app/lib/errors";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { encryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { HerokuConnectionMethod } from "./heroku-connection-enums";
+import { THerokuApp, THerokuConnection, THerokuConnectionConfig } from "./heroku-connection-types";
+
+interface HerokuOAuthTokenResponse {
+  access_token: string;
+  expires_in: number;
+  refresh_token: string;
+  token_type: string;
+  user_id: string;
+  session_nonce: string;
+}
+
+export const getHerokuConnectionListItem = () => {
+  const { CLIENT_ID_HEROKU } = getConfig();
+
+  return {
+    name: "Heroku" as const,
+    app: AppConnection.Heroku as const,
+    methods: Object.values(HerokuConnectionMethod) as [HerokuConnectionMethod.AuthToken, HerokuConnectionMethod.OAuth],
+    oauthClientId: CLIENT_ID_HEROKU
+  };
+};
+
+export const refreshHerokuToken = async (
+  refreshToken: string,
+  appId: string,
+  orgId: string,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+): Promise<string> => {
+  const { CLIENT_SECRET_HEROKU } = getConfig();
+
+  const payload = {
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_secret: CLIENT_SECRET_HEROKU
+  };
+
+  const { data } = await request.post<{ access_token: string; expires_in: number }>(
+    IntegrationUrls.HEROKU_TOKEN_URL,
+    payload,
+    {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      }
+    }
+  );
+
+  const encryptedCredentials = await encryptAppConnectionCredentials({
+    credentials: {
+      refreshToken,
+      authToken: data.access_token,
+      expiresAt: new Date(Date.now() + data.expires_in * 1000 - 60000)
+    },
+    orgId,
+    kmsService
+  });
+
+  await appConnectionDAL.updateById(appId, { encryptedCredentials });
+
+  return data.access_token;
+};
+
+export const exchangeHerokuOAuthCode = async (code: string): Promise<HerokuOAuthTokenResponse> => {
+  const { CLIENT_SECRET_HEROKU } = getConfig();
+
+  try {
+    const response = await request.post<HerokuOAuthTokenResponse>(
+      IntegrationUrls.HEROKU_TOKEN_URL,
+      {
+        grant_type: "authorization_code",
+        code,
+        client_secret: CLIENT_SECRET_HEROKU
+      },
+      {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      }
+    );
+
+    if (!response.data) {
+      throw new InternalServerError({
+        message: "Failed to exchange OAuth code: Empty response"
+      });
+    }
+
+    return response.data;
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+        message: `Failed to exchange OAuth code: ${error.response?.data?.message || error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to exchange OAuth code"
+    });
+  }
+};
+
+export const validateHerokuConnectionCredentials = async (config: THerokuConnectionConfig) => {
+  const { credentials: inputCredentials, method } = config;
+
+  let authToken: string;
+  let oauthData: HerokuOAuthTokenResponse | null = null;
+
+  if (method === HerokuConnectionMethod.OAuth && "code" in inputCredentials) {
+    oauthData = await exchangeHerokuOAuthCode(inputCredentials.code);
+    authToken = oauthData.access_token;
+  } else if (method === HerokuConnectionMethod.AuthToken && "authToken" in inputCredentials) {
+    authToken = inputCredentials.authToken;
+  } else {
+    throw new BadRequestError({
+      message: "Invalid credentials for the selected connection method"
+    });
+  }
+
+  let response: AxiosResponse<THerokuApp[]> | null = null;
+
+  try {
+    response = await request.get<THerokuApp[]>(`${IntegrationUrls.HEROKU_API_URL}/apps`, {
+      headers: {
+        Authorization: `Bearer ${authToken}`,
+        Accept: "application/vnd.heroku+json; version=3"
+      }
+    });
+  } catch (error: unknown) {
+    if (error instanceof AxiosError) {
+      throw new BadRequestError({
+        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
+      });
+    }
+    throw new BadRequestError({
+      message: "Unable to validate connection: verify credentials"
+    });
+  }
+
+  if (!response?.data) {
+    throw new InternalServerError({
+      message: "Failed to get apps: Response was empty"
+    });
+  }
+
+  if (method === HerokuConnectionMethod.OAuth && oauthData) {
+    return {
+      authToken,
+      refreshToken: oauthData.refresh_token,
+      expiresIn: oauthData.expires_in,
+      tokenType: oauthData.token_type,
+      userId: oauthData.user_id,
+      sessionNonce: oauthData.session_nonce
+    };
+  }
+
+  return inputCredentials;
+};
+
+export const listHerokuApps = async ({
+  appConnection,
+  appConnectionDAL,
+  kmsService
+}: {
+  appConnection: THerokuConnection;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+}): Promise<THerokuApp[]> => {
+  let authCredential = appConnection.credentials.authToken;
+  if (
+    appConnection.method === HerokuConnectionMethod.OAuth &&
+    appConnection.credentials.refreshToken &&
+    appConnection.credentials.expiresAt < new Date()
+  ) {
+    authCredential = await refreshHerokuToken(
+      appConnection.credentials.refreshToken,
+      appConnection.id,
+      appConnection.orgId,
+      appConnectionDAL,
+      kmsService
+    );
+  }
+
+  const { data } = await request.get<THerokuApp[]>(`${IntegrationUrls.HEROKU_API_URL}/apps`, {
+    headers: {
+      Authorization: `Bearer ${authCredential}`,
+      Accept: "application/vnd.heroku+json; version=3"
+    }
+  });
+
+  if (!data) {
+    throw new InternalServerError({
+      message: "Failed to get apps: Response was empty"
+    });
+  }
+
+  return data.map((res) => ({ name: res.name, id: res.id }));
+};
--- a/backend/src/services/app-connection/heroku/heroku-connection-schemas.ts
+++ b/backend/src/services/app-connection/heroku/heroku-connection-schemas.ts
@@ -0,0 +1,103 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { HerokuConnectionMethod } from "./heroku-connection-enums";
+
+export const HerokuConnectionAuthTokenCredentialsSchema = z.object({
+  authToken: z.string().trim().min(1, "Auth Token required").startsWith("HRKU-", "Token must start with 'HRKU-")
+});
+
+export const HerokuConnectionOAuthCredentialsSchema = z.object({
+  code: z.string().trim().min(1, "OAuth code required")
+});
+
+export const HerokuConnectionOAuthOutputCredentialsSchema = z.object({
+  authToken: z.string().trim(),
+  refreshToken: z.string().trim(),
+  expiresAt: z.date()
+});
+
+// Schema for refresh token input during initial setup
+export const HerokuConnectionRefreshTokenCredentialsSchema = z.object({
+  refreshToken: z.string().trim().min(1, "Refresh token required")
+});
+
+const BaseHerokuConnectionSchema = BaseAppConnectionSchema.extend({
+  app: z.literal(AppConnection.Heroku)
+});
+
+export const HerokuConnectionSchema = z.intersection(
+  BaseHerokuConnectionSchema,
+  z.discriminatedUnion("method", [
+    z.object({
+      method: z.literal(HerokuConnectionMethod.AuthToken),
+      credentials: HerokuConnectionAuthTokenCredentialsSchema
+    }),
+    z.object({
+      method: z.literal(HerokuConnectionMethod.OAuth),
+      credentials: HerokuConnectionOAuthOutputCredentialsSchema
+    })
+  ])
+);
+
+export const SanitizedHerokuConnectionSchema = z.discriminatedUnion("method", [
+  BaseHerokuConnectionSchema.extend({
+    method: z.literal(HerokuConnectionMethod.AuthToken),
+    credentials: HerokuConnectionAuthTokenCredentialsSchema.pick({})
+  }),
+  BaseHerokuConnectionSchema.extend({
+    method: z.literal(HerokuConnectionMethod.OAuth),
+    credentials: HerokuConnectionOAuthOutputCredentialsSchema.pick({})
+  })
+]);
+
+export const ValidateHerokuConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z.literal(HerokuConnectionMethod.AuthToken).describe(AppConnections.CREATE(AppConnection.Heroku).method),
+    credentials: HerokuConnectionAuthTokenCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.Heroku).credentials
+    )
+  }),
+  z.object({
+    method: z.literal(HerokuConnectionMethod.OAuth).describe(AppConnections.CREATE(AppConnection.Heroku).method),
+    credentials: z
+      .union([
+        HerokuConnectionOAuthCredentialsSchema,
+        HerokuConnectionRefreshTokenCredentialsSchema,
+        HerokuConnectionOAuthOutputCredentialsSchema
+      ])
+      .describe(AppConnections.CREATE(AppConnection.Heroku).credentials)
+  })
+]);
+
+export const CreateHerokuConnectionSchema = ValidateHerokuConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.Heroku)
+);
+
+export const UpdateHerokuConnectionSchema = z
+  .object({
+    credentials: z
+      .union([
+        HerokuConnectionAuthTokenCredentialsSchema,
+        HerokuConnectionOAuthOutputCredentialsSchema,
+        HerokuConnectionRefreshTokenCredentialsSchema,
+        HerokuConnectionOAuthCredentialsSchema
+      ])
+      .optional()
+      .describe(AppConnections.UPDATE(AppConnection.Heroku).credentials)
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.Heroku));
+
+export const HerokuConnectionListItemSchema = z.object({
+  name: z.literal("Heroku"),
+  app: z.literal(AppConnection.Heroku),
+  methods: z.nativeEnum(HerokuConnectionMethod).array(),
+  oauthClientId: z.string().optional()
+});
--- a/backend/src/services/app-connection/heroku/heroku-connection-service.ts
+++ b/backend/src/services/app-connection/heroku/heroku-connection-service.ts
@@ -0,0 +1,35 @@
+import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { AppConnection } from "../app-connection-enums";
+import { listHerokuApps as getHerokuApps } from "./heroku-connection-fns";
+import { THerokuConnection } from "./heroku-connection-types";
+
+type TGetAppConnectionFunc = (
+  app: AppConnection,
+  connectionId: string,
+  actor: OrgServiceActor
+) => Promise<THerokuConnection>;
+
+export const herokuConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const listApps = async (connectionId: string, actor: OrgServiceActor) => {
+    const appConnection = await getAppConnection(AppConnection.Heroku, connectionId, actor);
+    try {
+      const apps = await getHerokuApps({ appConnection, appConnectionDAL, kmsService });
+      return apps;
+    } catch (error) {
+      logger.error(error, `Failed to establish connection with Heroku for app ${connectionId}`);
+      return [];
+    }
+  };
+
+  return {
+    listApps
+  };
+};
--- a/backend/src/services/app-connection/heroku/heroku-connection-types.ts
+++ b/backend/src/services/app-connection/heroku/heroku-connection-types.ts
@@ -0,0 +1,27 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  CreateHerokuConnectionSchema,
+  HerokuConnectionSchema,
+  ValidateHerokuConnectionCredentialsSchema
+} from "./heroku-connection-schemas";
+
+export type THerokuConnection = z.infer<typeof HerokuConnectionSchema>;
+
+export type THerokuConnectionInput = z.infer<typeof CreateHerokuConnectionSchema> & {
+  app: AppConnection.Heroku;
+};
+
+export type TValidateHerokuConnectionCredentialsSchema = typeof ValidateHerokuConnectionCredentialsSchema;
+
+export type THerokuConnectionConfig = DiscriminativePick<THerokuConnectionInput, "method" | "app" | "credentials"> & {
+  orgId: string;
+};
+
+export type THerokuApp = {
+  name: string;
+  id: string;
+};
--- a/backend/src/services/app-connection/heroku/index.ts
+++ b/backend/src/services/app-connection/heroku/index.ts
@@ -0,0 +1,4 @@
+export * from "./heroku-connection-enums";
+export * from "./heroku-connection-fns";
+export * from "./heroku-connection-schemas";
+export * from "./heroku-connection-types";
--- a/backend/src/services/secret-sync/heroku/heroku-sync-constants.ts
+++ b/backend/src/services/secret-sync/heroku/heroku-sync-constants.ts
@@ -0,0 +1,10 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import { TSecretSyncListItem } from "@app/services/secret-sync/secret-sync-types";
+
+export const HEROKU_SYNC_LIST_OPTION: TSecretSyncListItem = {
+  name: "Heroku",
+  destination: SecretSync.Heroku,
+  connection: AppConnection.Heroku,
+  canImportSecrets: true
+};
--- a/backend/src/services/secret-sync/heroku/heroku-sync-fns.ts
+++ b/backend/src/services/secret-sync/heroku/heroku-sync-fns.ts
@@ -0,0 +1,170 @@
+import { request } from "@app/lib/config/request";
+import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
+import { HerokuConnectionMethod, refreshHerokuToken, THerokuConnection } from "@app/services/app-connection/heroku";
+import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import {
+  THerokuConfigVars,
+  THerokuListVariables,
+  THerokuSyncWithCredentials,
+  THerokuUpdateVariables
+} from "@app/services/secret-sync/heroku/heroku-sync-types";
+import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
+import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
+
+type THerokuSyncFactoryDeps = {
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">;
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
+};
+
+const getValidAuthToken = async (
+  connection: THerokuConnection,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "updateById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+): Promise<string> => {
+  if (
+    connection.method === HerokuConnectionMethod.OAuth &&
+    connection.credentials.refreshToken &&
+    connection.credentials.expiresAt < new Date()
+  ) {
+    const authToken = await refreshHerokuToken(
+      connection.credentials.refreshToken,
+      connection.id,
+      connection.orgId,
+      appConnectionDAL,
+      kmsService
+    );
+    return authToken;
+  }
+  return connection.credentials.authToken;
+};
+
+const getHerokuConfigVars = async ({ authToken, app }: THerokuListVariables): Promise<THerokuConfigVars> => {
+  const { data } = await request.get<THerokuConfigVars>(
+    `${IntegrationUrls.HEROKU_API_URL}/apps/${encodeURIComponent(app)}/config-vars`,
+    {
+      headers: {
+        Authorization: `Bearer ${authToken}`,
+        Accept: "application/vnd.heroku+json; version=3"
+      }
+    }
+  );
+
+  return data;
+};
+
+const updateHerokuConfigVars = async ({ authToken, app, configVars }: THerokuUpdateVariables) => {
+  return request.patch(`${IntegrationUrls.HEROKU_API_URL}/apps/${encodeURIComponent(app)}/config-vars`, configVars, {
+    headers: {
+      Authorization: `Bearer ${authToken}`,
+      Accept: "application/vnd.heroku+json; version=3",
+      "Content-Type": "application/json"
+    }
+  });
+};
+
+export const HerokuSyncFns = {
+  syncSecrets: async (
+    secretSync: THerokuSyncWithCredentials,
+    secretMap: TSecretMap,
+    { appConnectionDAL, kmsService }: THerokuSyncFactoryDeps
+  ) => {
+    const {
+      connection,
+      environment,
+      destinationConfig: { app }
+    } = secretSync;
+
+    const authToken = await getValidAuthToken(connection, appConnectionDAL, kmsService);
+
+    try {
+      const updatedConfigVars: THerokuConfigVars = {};
+
+      for (const [key, { value }] of Object.entries(secretMap)) {
+        updatedConfigVars[key] = value;
+      }
+
+      if (!secretSync.syncOptions.disableSecretDeletion) {
+        const currentConfigVars = await getHerokuConfigVars({ authToken, app });
+
+        for (const key of Object.keys(currentConfigVars)) {
+          if (matchesSchema(key, environment?.slug || "", secretSync.syncOptions.keySchema) && !(key in secretMap)) {
+            updatedConfigVars[key] = null;
+          }
+        }
+      }
+
+      await updateHerokuConfigVars({
+        authToken,
+        app,
+        configVars: updatedConfigVars
+      });
+    } catch (error) {
+      throw new SecretSyncError({
+        error,
+        secretKey: "batch_update"
+      });
+    }
+  },
+
+  removeSecrets: async (
+    secretSync: THerokuSyncWithCredentials,
+    secretMap: TSecretMap,
+    { appConnectionDAL, kmsService }: THerokuSyncFactoryDeps
+  ) => {
+    const {
+      connection,
+      destinationConfig: { app }
+    } = secretSync;
+
+    const authToken = await getValidAuthToken(connection, appConnectionDAL, kmsService);
+
+    try {
+      const currentConfigVars = await getHerokuConfigVars({ authToken, app });
+      const configVarsToUpdate: Record<string, null> = {};
+
+      for (const key of Object.keys(secretMap)) {
+        if (key in currentConfigVars) {
+          configVarsToUpdate[key] = null;
+        }
+      }
+
+      if (Object.keys(configVarsToUpdate).length > 0) {
+        await updateHerokuConfigVars({
+          authToken,
+          app,
+          configVars: configVarsToUpdate
+        });
+      }
+    } catch (error) {
+      throw new SecretSyncError({
+        error,
+        secretKey: "batch_remove"
+      });
+    }
+  },
+
+  getSecrets: async (
+    secretSync: THerokuSyncWithCredentials,
+    { appConnectionDAL, kmsService }: THerokuSyncFactoryDeps
+  ): Promise<TSecretMap> => {
+    const {
+      connection,
+      destinationConfig: { app }
+    } = secretSync;
+
+    const authToken = await getValidAuthToken(connection, appConnectionDAL, kmsService);
+
+    const data = await getHerokuConfigVars({ authToken, app });
+    const transformed = Object.entries(data).reduce((acc, [key, value]) => {
+      if (!value) {
+        return acc;
+      }
+      acc[key] = { value };
+      return acc;
+    }, {} as TSecretMap);
+
+    return transformed;
+  }
+};
--- a/backend/src/services/secret-sync/heroku/heroku-sync-schemas.ts
+++ b/backend/src/services/secret-sync/heroku/heroku-sync-schemas.ts
@@ -0,0 +1,44 @@
+import { z } from "zod";
+
+import { SecretSyncs } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import { SecretSync } from "@app/services/secret-sync/secret-sync-enums";
+import {
+  BaseSecretSyncSchema,
+  GenericCreateSecretSyncFieldsSchema,
+  GenericUpdateSecretSyncFieldsSchema
+} from "@app/services/secret-sync/secret-sync-schemas";
+import { TSyncOptionsConfig } from "@app/services/secret-sync/secret-sync-types";
+
+const HerokuSyncDestinationConfigSchema = z.object({
+  app: z.string().trim().min(1, "App required").describe(SecretSyncs.DESTINATION_CONFIG.HEROKU.app),
+  appName: z.string().trim().min(1, "App name required").describe(SecretSyncs.DESTINATION_CONFIG.HEROKU.appName)
+});
+
+const HerokuSyncOptionsConfig: TSyncOptionsConfig = { canImportSecrets: true };
+
+export const HerokuSyncSchema = BaseSecretSyncSchema(SecretSync.Heroku, HerokuSyncOptionsConfig).extend({
+  destination: z.literal(SecretSync.Heroku),
+  destinationConfig: HerokuSyncDestinationConfigSchema
+});
+
+export const CreateHerokuSyncSchema = GenericCreateSecretSyncFieldsSchema(
+  SecretSync.Heroku,
+  HerokuSyncOptionsConfig
+).extend({
+  destinationConfig: HerokuSyncDestinationConfigSchema
+});
+
+export const UpdateHerokuSyncSchema = GenericUpdateSecretSyncFieldsSchema(
+  SecretSync.Heroku,
+  HerokuSyncOptionsConfig
+).extend({
+  destinationConfig: HerokuSyncDestinationConfigSchema.optional()
+});
+
+export const HerokuSyncListItemSchema = z.object({
+  name: z.literal("Heroku"),
+  connection: z.literal(AppConnection.Heroku),
+  destination: z.literal(SecretSync.Heroku),
+  canImportSecrets: z.literal(true)
+});
--- a/backend/src/services/secret-sync/heroku/heroku-sync-types.ts
+++ b/backend/src/services/secret-sync/heroku/heroku-sync-types.ts
@@ -0,0 +1,24 @@
+import { z } from "zod";
+
+import { THerokuConnection } from "@app/services/app-connection/heroku";
+
+import { CreateHerokuSyncSchema, HerokuSyncListItemSchema, HerokuSyncSchema } from "./heroku-sync-schemas";
+
+export type THerokuSync = z.infer<typeof HerokuSyncSchema>;
+export type THerokuSyncInput = z.infer<typeof CreateHerokuSyncSchema>;
+export type THerokuSyncListItem = z.infer<typeof HerokuSyncListItemSchema>;
+
+export type THerokuSyncWithCredentials = THerokuSync & {
+  connection: THerokuConnection;
+};
+
+export type THerokuConfigVars = Record<string, string | null>;
+
+export type THerokuListVariables = {
+  authToken: string;
+  app: string;
+};
+
+export type THerokuUpdateVariables = THerokuListVariables & {
+  configVars: THerokuConfigVars;
+};
--- a/backend/src/services/secret-sync/heroku/index.ts
+++ b/backend/src/services/secret-sync/heroku/index.ts
@@ -0,0 +1,4 @@
+export * from "./heroku-sync-constants";
+export * from "./heroku-sync-fns";
+export * from "./heroku-sync-schemas";
+export * from "./heroku-sync-types";
--- a/backend/src/services/secret-sync/secret-sync-enums.ts
+++ b/backend/src/services/secret-sync/secret-sync-enums.ts
@@ -16,6 +16,7 @@ export enum SecretSync {
  TeamCity = "teamcity",
  OCIVault = "oci-vault",
  OnePass = "1password",
+  Heroku = "heroku",
  Render = "render",
  Flyio = "flyio"
 }
--- a/backend/src/services/secret-sync/secret-sync-fns.ts
+++ b/backend/src/services/secret-sync/secret-sync-fns.ts
@@ -33,6 +33,7 @@ import { FLYIO_SYNC_LIST_OPTION, FlyioSyncFns } from "./flyio";
 import { GCP_SYNC_LIST_OPTION } from "./gcp";
 import { GcpSyncFns } from "./gcp/gcp-sync-fns";
 import { HC_VAULT_SYNC_LIST_OPTION, HCVaultSyncFns } from "./hc-vault";
+import { HEROKU_SYNC_LIST_OPTION, HerokuSyncFns } from "./heroku";
 import { HUMANITEC_SYNC_LIST_OPTION } from "./humanitec";
 import { HumanitecSyncFns } from "./humanitec/humanitec-sync-fns";
 import { RENDER_SYNC_LIST_OPTION, RenderSyncFns } from "./render";
@@ -60,6 +61,7 @@ const SECRET_SYNC_LIST_OPTIONS: Record<SecretSync, TSecretSyncListItem> = {
  [SecretSync.TeamCity]: TEAMCITY_SYNC_LIST_OPTION,
  [SecretSync.OCIVault]: OCI_VAULT_SYNC_LIST_OPTION,
  [SecretSync.OnePass]: ONEPASS_SYNC_LIST_OPTION,
+  [SecretSync.Heroku]: HEROKU_SYNC_LIST_OPTION,
  [SecretSync.Render]: RENDER_SYNC_LIST_OPTION,
  [SecretSync.Flyio]: FLYIO_SYNC_LIST_OPTION
 };
@@ -207,6 +209,8 @@ export const SecretSyncFns = {
          appConnectionDAL,
          kmsService
        }).syncSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Heroku:
+        return HerokuSyncFns.syncSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
      case SecretSync.Vercel:
        return VercelSyncFns.syncSecrets(secretSync, schemaSecretMap);
      case SecretSync.Windmill:
@@ -300,6 +304,9 @@ export const SecretSyncFns = {
      case SecretSync.OnePass:
        secretMap = await OnePassSyncFns.getSecrets(secretSync);
        break;
+      case SecretSync.Heroku:
+        secretMap = await HerokuSyncFns.getSecrets(secretSync, { appConnectionDAL, kmsService });
+        break;
      case SecretSync.Render:
        secretMap = await RenderSyncFns.getSecrets(secretSync);
        break;
@@ -373,6 +380,8 @@ export const SecretSyncFns = {
        return OCIVaultSyncFns.removeSecrets(secretSync, schemaSecretMap);
      case SecretSync.OnePass:
        return OnePassSyncFns.removeSecrets(secretSync, schemaSecretMap);
+      case SecretSync.Heroku:
+        return HerokuSyncFns.removeSecrets(secretSync, schemaSecretMap, { appConnectionDAL, kmsService });
      case SecretSync.Render:
        return RenderSyncFns.removeSecrets(secretSync, schemaSecretMap);
      case SecretSync.Flyio:
--- a/backend/src/services/secret-sync/secret-sync-maps.ts
+++ b/backend/src/services/secret-sync/secret-sync-maps.ts
@@ -19,6 +19,7 @@ export const SECRET_SYNC_NAME_MAP: Record<SecretSync, string> = {
  [SecretSync.TeamCity]: "TeamCity",
  [SecretSync.OCIVault]: "OCI Vault",
  [SecretSync.OnePass]: "1Password",
+  [SecretSync.Heroku]: "Heroku",
  [SecretSync.Render]: "Render",
  [SecretSync.Flyio]: "Fly.io"
 };
@@ -41,6 +42,7 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
  [SecretSync.TeamCity]: AppConnection.TeamCity,
  [SecretSync.OCIVault]: AppConnection.OCI,
  [SecretSync.OnePass]: AppConnection.OnePass,
+  [SecretSync.Heroku]: AppConnection.Heroku,
  [SecretSync.Render]: AppConnection.Render,
  [SecretSync.Flyio]: AppConnection.Flyio
 };
@@ -63,6 +65,7 @@ export const SECRET_SYNC_PLAN_MAP: Record<SecretSync, SecretSyncPlanType> = {
  [SecretSync.TeamCity]: SecretSyncPlanType.Regular,
  [SecretSync.OCIVault]: SecretSyncPlanType.Enterprise,
  [SecretSync.OnePass]: SecretSyncPlanType.Regular,
+  [SecretSync.Heroku]: SecretSyncPlanType.Regular,
  [SecretSync.Render]: SecretSyncPlanType.Regular,
  [SecretSync.Flyio]: SecretSyncPlanType.Regular
 };
--- a/backend/src/services/secret-sync/secret-sync-types.ts
+++ b/backend/src/services/secret-sync/secret-sync-types.ts
@@ -80,6 +80,7 @@ import {
  THCVaultSyncListItem,
  THCVaultSyncWithCredentials
 } from "./hc-vault/hc-vault-sync-types";
+import { THerokuSync, THerokuSyncInput, THerokuSyncListItem, THerokuSyncWithCredentials } from "./heroku";
 import {
  THumanitecSync,
  THumanitecSyncInput,
@@ -124,6 +125,7 @@ export type TSecretSync =
  | TTeamCitySync
  | TOCIVaultSync
  | TOnePassSync
+  | THerokuSync
  | TRenderSync
  | TFlyioSync;

@@ -145,6 +147,7 @@ export type TSecretSyncWithCredentials =
  | TTeamCitySyncWithCredentials
  | TOCIVaultSyncWithCredentials
  | TOnePassSyncWithCredentials
+  | THerokuSyncWithCredentials
  | TRenderSyncWithCredentials
  | TFlyioSyncWithCredentials;

@@ -166,6 +169,7 @@ export type TSecretSyncInput =
  | TTeamCitySyncInput
  | TOCIVaultSyncInput
  | TOnePassSyncInput
+  | THerokuSyncInput
  | TRenderSyncInput
  | TFlyioSyncInput;

@@ -187,6 +191,7 @@ export type TSecretSyncListItem =
  | TTeamCitySyncListItem
  | TOCIVaultSyncListItem
  | TOnePassSyncListItem
+  | THerokuSyncListItem
  | TRenderSyncListItem
  | TFlyioSyncListItem;

--- a/docs/api-reference/endpoints/app-connections/heroku/available.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/available.mdx
@@ -0,0 +1,4 @@
+---
+title: "Available"
+openapi: "GET /api/v1/app-connections/heroku/available"
+---
--- a/docs/api-reference/endpoints/app-connections/heroku/create.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/create.mdx
@@ -0,0 +1,10 @@
+---
+title: "Create"
+openapi: "POST /api/v1/app-connections/heroku"
+---
+
+<Note>
+    Heroku OAuth Connections must be created through the Infisical UI.
+    Check out the configuration docs for [Heroku OAuth Connections](/integrations/app-connections/heroku) for a step-by-step
+    guide.
+</Note>
--- a/docs/api-reference/endpoints/app-connections/heroku/delete.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/delete.mdx
@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/app-connections/heroku/{connectionId}"
+---
--- a/docs/api-reference/endpoints/app-connections/heroku/get-by-id.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/get-by-id.mdx
@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/app-connections/heroku/{connectionId}"
+---
--- a/docs/api-reference/endpoints/app-connections/heroku/get-by-name.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/get-by-name.mdx
@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/app-connections/heroku/connection-name/{connectionName}"
+---
--- a/docs/api-reference/endpoints/app-connections/heroku/list.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/list.mdx
@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/app-connections/heroku"
+---
--- a/docs/api-reference/endpoints/app-connections/heroku/update.mdx
+++ b/docs/api-reference/endpoints/app-connections/heroku/update.mdx
@@ -0,0 +1,10 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/app-connections/heroku/{connectionId}"
+---
+
+<Note>
+    Heroku OAuth Connections must be updated through the Infisical UI.
+    Check out the configuration docs for [Heroku OAuth Connections](/integrations/app-connections/heroku) for a step-by-step
+    guide.
+</Note>
--- a/docs/api-reference/endpoints/secret-syncs/heroku/create.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/create.mdx
@@ -0,0 +1,4 @@
+---
+title: "Create"
+openapi: "POST /api/v1/secret-syncs/heroku"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/delete.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/delete.mdx
@@ -0,0 +1,4 @@
+---
+title: "Delete"
+openapi: "DELETE /api/v1/secret-syncs/heroku/{syncId}"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/get-by-id.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/get-by-id.mdx
@@ -0,0 +1,4 @@
+---
+title: "Get by ID"
+openapi: "GET /api/v1/secret-syncs/heroku/{syncId}"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/get-by-name.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/get-by-name.mdx
@@ -0,0 +1,4 @@
+---
+title: "Get by Name"
+openapi: "GET /api/v1/secret-syncs/heroku/sync-name/{syncName}"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/import-secrets.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/import-secrets.mdx
@@ -0,0 +1,4 @@
+---
+title: "Import Secrets"
+openapi: "POST /api/v1/secret-syncs/heroku/{syncId}/import-secrets"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/list.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/list.mdx
@@ -0,0 +1,4 @@
+---
+title: "List"
+openapi: "GET /api/v1/secret-syncs/heroku"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/remove-secrets.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/remove-secrets.mdx
@@ -0,0 +1,4 @@
+---
+title: "Remove Secrets"
+openapi: "POST /api/v1/secret-syncs/heroku/{syncId}/remove-secrets"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/sync-secrets.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/sync-secrets.mdx
@@ -0,0 +1,4 @@
+---
+title: "Sync Secrets"
+openapi: "POST /api/v1/secret-syncs/heroku/{syncId}/sync-secrets"
+---
--- a/docs/api-reference/endpoints/secret-syncs/heroku/update.mdx
+++ b/docs/api-reference/endpoints/secret-syncs/heroku/update.mdx
@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/secret-syncs/heroku/{syncId}"
+---
--- a/docs/images/app-connections/heroku/heroku-api-token.png
+++ b/docs/images/app-connections/heroku/heroku-api-token.png
--- a/docs/images/app-connections/heroku/heroku-connection.png
+++ b/docs/images/app-connections/heroku/heroku-connection.png
--- a/docs/images/app-connections/heroku/heroku-create-oauth-method.png
+++ b/docs/images/app-connections/heroku/heroku-create-oauth-method.png
--- a/docs/images/app-connections/heroku/heroku-create-token-method.png
+++ b/docs/images/app-connections/heroku/heroku-create-token-method.png
--- a/docs/images/app-connections/heroku/heroku-select-connection.png
+++ b/docs/images/app-connections/heroku/heroku-select-connection.png
--- a/docs/images/secret-syncs/heroku/heroku-created.png
+++ b/docs/images/secret-syncs/heroku/heroku-created.png
--- a/docs/images/secret-syncs/heroku/heroku-destination.png
+++ b/docs/images/secret-syncs/heroku/heroku-destination.png
--- a/docs/images/secret-syncs/heroku/heroku-details.png
+++ b/docs/images/secret-syncs/heroku/heroku-details.png
--- a/docs/images/secret-syncs/heroku/heroku-options.png
+++ b/docs/images/secret-syncs/heroku/heroku-options.png
--- a/docs/images/secret-syncs/heroku/heroku-review.png
+++ b/docs/images/secret-syncs/heroku/heroku-review.png
--- a/docs/images/secret-syncs/heroku/heroku-source.png
+++ b/docs/images/secret-syncs/heroku/heroku-source.png
--- a/docs/images/secret-syncs/heroku/select-heroku-option.png
+++ b/docs/images/secret-syncs/heroku/select-heroku-option.png
--- a/docs/integrations/app-connections/heroku.mdx
+++ b/docs/integrations/app-connections/heroku.mdx
@@ -0,0 +1,121 @@
+---
+title: "Heroku App Connection"
+description: "Learn how to configure a Heroku App Connection for Infisical using OAuth or Auth Token methods."
+---
+
+Infisical supports two methods for connecting to Heroku: **OAuth** and **Auth Token**. Choose the method that best fits your setup and security requirements.
+
+<Tabs>
+  <Tab title="OAuth Method">
+    The OAuth method provides secure authentication through Heroku's OAuth flow.
+
+    <Accordion title="Self-Hosted Instance Setup">
+      Using the Heroku App Connection with OAuth on a self-hosted instance of Infisical requires configuring an API client in Heroku and registering your instance with it.
+
+      **Prerequisites:**
+      - A Heroku account with existing applications
+      - Self-hosted Infisical instance
+
+      <Steps>
+        <Step title="Create an API client in Heroku">
+          Navigate to your user Account settings > Applications to create a new API client.
+
+          ![Heroku config settings](/images/integrations/heroku/integrations-heroku-config-settings.png)
+          ![Heroku config applications](/images/integrations/heroku/integrations-heroku-config-applications.png)
+          ![Heroku config new app](/images/integrations/heroku/integrations-heroku-config-new-app.png)
+
+          Create the API client. As part of the form, set the **OAuth callback URL** to `https://your-domain.com/integrations/heroku/oauth2/callback`.
+
+          <Tip>
+            The domain you defined in the OAuth callback URL should be equivalent to the `SITE_URL` configured in your Infisical instance.
+          </Tip>
+
+          ![Heroku config new app form](/images/integrations/heroku/integrations-heroku-config-new-app-form.png)
+        </Step>
+        <Step title="Add your Heroku API client credentials to Infisical">
+          Obtain the **Client ID** and **Client Secret** for your Heroku API client.
+
+          ![Heroku config credentials](/images/integrations/heroku/integrations-heroku-config-credentials.png)
+
+          Back in your Infisical instance, add two new environment variables for the credentials of your Heroku API client:
+
+          - `CLIENT_ID_HEROKU`: The **Client ID** of your Heroku API client.
+          - `CLIENT_SECRET_HEROKU`: The **Client Secret** of your Heroku API client.
+
+          Once added, restart your Infisical instance and use the Heroku App Connection.
+        </Step>
+      </Steps>
+    </Accordion>
+
+    ## Setup Heroku OAuth Connection in Infisical
+
+    <Steps>
+      <Step title="Navigate to App Connections">
+        Navigate to the **App Connections** tab on the **Organization Settings** page.
+        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+      </Step>
+      <Step title="Add Connection">
+        Select the **Heroku App Connection** option from the connection options modal.
+        ![Select Heroku Connection](/images/app-connections/heroku/heroku-select-connection.png)
+      </Step>
+      <Step title="Choose OAuth Method">
+        Select the **OAuth** method and click **Connect to Heroku**.
+
+        ![Connect via Heroku OAuth](/images/app-connections/heroku/heroku-create-oauth-method.png)
+      </Step>
+      <Step title="Grant Access">
+        You will be redirected to Heroku to grant Infisical access to your Heroku account. Once granted, you will be redirected back to Infisical's App Connections page.
+        ![Heroku Authorization](/images/integrations/heroku/integrations-heroku-auth.png)
+      </Step>
+      <Step title="Connection Created">
+        Your **Heroku App Connection** is now available for use.
+        ![Heroku OAuth Connection](/images/app-connections/heroku/heroku-connection.png)
+      </Step>
+    </Steps>
+
+  </Tab>
+
+  <Tab title="Auth Token Method">
+    The Auth Token method uses a Heroku API token for authentication, providing a straightforward setup process.
+
+    ## Setup Heroku Auth Token Connection in Infisical
+
+    <Steps>
+      <Step title="Generate Heroku API Token">
+        Log in to your Heroku account and navigate to Account Settings.
+
+        Under the **Authorizations** section on the **Applications** tab, reveal and copy your Authorization token. If you don't have one, click **Create Authorization** to create a new token.
+
+        <Warning>
+          Keep your Authorization token secure and do not share it. Anyone with access to this token can manage your Heroku applications.
+        </Warning>
+
+        ![Heroku API Token](/images/app-connections/heroku/heroku-api-token.png)
+      </Step>
+      <Step title="Navigate to App Connections">
+        Navigate to the **App Connections** tab on the **Organization Settings** page.
+        ![App Connections Tab](/images/app-connections/general/add-connection.png)
+      </Step>
+      <Step title="Add Connection">
+        Select the **Heroku App Connection** option from the connection options modal.
+        ![Select Heroku Connection](/images/app-connections/heroku/heroku-select-connection.png)
+      </Step>
+      <Step title="Configure Auth Token">
+        Select the **Auth Token** method and paste your Heroku Authorization token in the provided field.
+
+        ![Configure Auth Token](/images/app-connections/heroku/heroku-create-token-method.png)
+
+        Click **Connect** to establish the connection.
+      </Step>
+      <Step title="Connection Created">
+        Your **Heroku App Connection** is now available for use.
+        ![Heroku Auth Token Connection](/images/app-connections/heroku/heroku-connection.png)
+      </Step>
+    </Steps>
+
+    <Info>
+      Auth Token connections require manual token rotation when your Heroku Authorization expires or is regenerated. Monitor your connection status and update the token as needed.
+    </Info>
+
+  </Tab>
+</Tabs>
--- a/docs/integrations/secret-syncs/heroku.mdx
+++ b/docs/integrations/secret-syncs/heroku.mdx
@@ -0,0 +1,144 @@
+---
+title: "Heroku Sync"
+description: "Learn how to configure a Heroku Sync for Infisical."
+---
+
+**Prerequisites:**
+
+- Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
+- Create a [Heroku App Connection](/integrations/app-connections/heroku)
+
+<Tabs>
+    <Tab title="Infisical UI">
+        1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
+        ![Secret Syncs Tab](/images/secret-syncs/general/secret-sync-tab.png)
+
+        2. Select the **Heroku** option.
+        ![Select Heroku](/images/secret-syncs/heroku/select-heroku-option.png)
+
+        3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
+        ![Configure Source](/images/secret-syncs/heroku/heroku-source.png)
+
+            - **Environment**: The project environment to retrieve secrets from.
+            - **Secret Path**: The folder path to retrieve secrets from.
+
+        <Tip>
+            If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
+        </Tip>
+
+        4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
+        ![Configure Destination](/images/secret-syncs/heroku/heroku-destination.png)
+
+            - **Heroku App Connection**: The Heroku App Connection to authenticate with.
+            - **Heroku App**: The Heroku application to sync secrets to.
+
+        5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
+        ![Configure Options](/images/secret-syncs/heroku/heroku-options.png)
+
+            - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
+                - **Import - Prefer values from Infisical**: Import secrets from Heroku to Infisical; if a secret with the same name already exists in Infisical, do nothing. Afterwards, sync secrets to Heroku.
+                - **Import - Prefer values from Heroku**: Import secrets from Heroku to Infisical; if a secret with the same name already exists in Infisical, replace its value with the one from Heroku. Afterwards, sync secrets to Heroku.
+                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
+            - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
+            - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
+
+        6. Configure the **Details** of your Heroku Sync, then click **Next**.
+        ![Configure Details](/images/secret-syncs/heroku/heroku-details.png)
+
+            - **Name**: The name of your sync. Must be slug-friendly.
+            - **Description**: An optional description for your sync.
+
+        7. Review your Heroku Sync configuration, then click **Create Sync**.
+        ![Confirm Configuration](/images/secret-syncs/heroku/heroku-review.png)
+
+        8. If enabled, your Heroku Sync will begin syncing your secrets to the destination endpoint.
+        ![Sync Secrets](/images/secret-syncs/heroku/heroku-created.png)
+
+    </Tab>
+    <Tab title="API">
+        To create a **Heroku Sync**, make an API request to the [Create Heroku Sync](/api-reference/endpoints/secret-syncs/heroku/create) API endpoint.
+
+        ### Sample request
+
+        ```bash Request
+        curl    --request POST \
+        --url https://app.infisical.com/api/v1/secret-syncs/heroku \
+        --header 'Content-Type: application/json' \
+        --data '{
+            "name": "my-heroku-sync",
+            "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "description": "an example sync",
+            "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+            "environment": "dev",
+            "secretPath": "/my-secrets",
+            "isEnabled": true,
+            "syncOptions": {
+                "initialSyncBehavior": "overwrite-destination",
+                "disableSecretDeletion": true
+            },
+            "destinationConfig": {
+                "app": "8dd25736052a4b50",
+                "appName": "my-app"
+            }
+        }'
+        ```
+
+        ### Sample response
+
+        ```bash Response
+        {
+            "secretSync": {
+                "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "name": "my-heroku-sync",
+                "description": "an example sync",
+                "isEnabled": true,
+                "version": 1,
+                "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "createdAt": "2023-11-07T05:31:56Z",
+                "updatedAt": "2023-11-07T05:31:56Z",
+                "syncStatus": "succeeded",
+                "lastSyncJobId": "123",
+                "lastSyncMessage": null,
+                "lastSyncedAt": "2023-11-07T05:31:56Z",
+                "importStatus": null,
+                "lastImportJobId": null,
+                "lastImportMessage": null,
+                "lastImportedAt": null,
+                "removeStatus": null,
+                "lastRemoveJobId": null,
+                "lastRemoveMessage": null,
+                "lastRemovedAt": null,
+                "syncOptions": {
+                    "initialSyncBehavior": "overwrite-destination",
+                    "disableSecretDeletion": true
+                },
+                "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                "connection": {
+                    "app": "heroku",
+                    "name": "my-heroku-connection",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "environment": {
+                    "slug": "dev",
+                    "name": "Development",
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
+                },
+                "folder": {
+                    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
+                    "path": "/my-secrets"
+                },
+                "destination": "heroku",
+                "destinationConfig": {
+                    "app": "8dd25736052a4b50",
+                    "appName": "my-app"
+                }
+            }
+        }
+        ```
+    </Tab>
+</Tabs>
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -509,6 +509,7 @@
            "integrations/app-connections/github",
            "integrations/app-connections/github-radar",
            "integrations/app-connections/hashicorp-vault",
+            "integrations/app-connections/heroku",
            "integrations/app-connections/humanitec",
            "integrations/app-connections/ldap",
            "integrations/app-connections/mssql",
@@ -544,6 +545,7 @@
            "integrations/secret-syncs/gcp-secret-manager",
            "integrations/secret-syncs/github",
            "integrations/secret-syncs/hashicorp-vault",
+            "integrations/secret-syncs/heroku",
            "integrations/secret-syncs/humanitec",
            "integrations/secret-syncs/oci-vault",
            "integrations/secret-syncs/render",
@@ -1327,6 +1329,18 @@
                "api-reference/endpoints/app-connections/hashicorp-vault/delete"
              ]
            },
+            {
+              "group": "Heroku",
+              "pages": [
+                "api-reference/endpoints/app-connections/heroku/list",
+                "api-reference/endpoints/app-connections/heroku/available",
+                "api-reference/endpoints/app-connections/heroku/get-by-id",
+                "api-reference/endpoints/app-connections/heroku/get-by-name",
+                "api-reference/endpoints/app-connections/heroku/create",
+                "api-reference/endpoints/app-connections/heroku/update",
+                "api-reference/endpoints/app-connections/heroku/delete"
+              ]
+            },
            {
              "group": "Humanitec",
              "pages": [
@@ -1642,6 +1656,19 @@
                "api-reference/endpoints/secret-syncs/hashicorp-vault/remove-secrets"
              ]
            },
+            {
+              "group": "Heroku",
+              "pages": [
+                "api-reference/endpoints/secret-syncs/heroku/list",
+                "api-reference/endpoints/secret-syncs/heroku/get-by-id",
+                "api-reference/endpoints/secret-syncs/heroku/get-by-name",
+                "api-reference/endpoints/secret-syncs/heroku/create",
+                "api-reference/endpoints/secret-syncs/heroku/update",
+                "api-reference/endpoints/secret-syncs/heroku/delete",
+                "api-reference/endpoints/secret-syncs/heroku/sync-secrets",
+                "api-reference/endpoints/secret-syncs/heroku/remove-secrets"
+              ]
+            },
            {
              "group": "Humanitec",
              "pages": [
--- a/frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/HerokuSyncFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/HerokuSyncFields.tsx
@@ -0,0 +1,76 @@
+import { Controller, useFormContext, useWatch } from "react-hook-form";
+import { SingleValue } from "react-select";
+import { faCircleInfo } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+
+import { SecretSyncConnectionField } from "@app/components/secret-syncs/forms/SecretSyncConnectionField";
+import { FilterableSelect, FormControl, Tooltip } from "@app/components/v2";
+import { THerokuApp } from "@app/hooks/api/appConnections/heroku";
+import { useHerokuConnectionListApps } from "@app/hooks/api/appConnections/heroku/queries";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+import { TSecretSyncForm } from "../schemas";
+
+export const HerokuSyncFields = () => {
+  const { control, setValue } = useFormContext<
+    TSecretSyncForm & { destination: SecretSync.Heroku }
+  >();
+
+  const connectionId = useWatch({ name: "connection.id", control });
+
+  const { data: apps, isLoading: isAppsLoading } = useHerokuConnectionListApps(connectionId, {
+    enabled: Boolean(connectionId)
+  });
+
+  return (
+    <>
+      <SecretSyncConnectionField
+        onChange={() => {
+          setValue("destinationConfig.app", "");
+          setValue("destinationConfig.appName", "");
+        }}
+      />
+
+      <Controller
+        name="destinationConfig.app"
+        control={control}
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            isError={Boolean(error)}
+            errorText={error?.message}
+            label="App"
+            helperText={
+              <Tooltip
+                className="max-w-md"
+                content="Ensure the app exists in the connection's Heroku instance URL."
+              >
+                <div>
+                  <span>Don&#39;t see the app you&#39;re looking for?</span>{" "}
+                  <FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
+                </div>
+              </Tooltip>
+            }
+          >
+            <FilterableSelect
+              menuPlacement="top"
+              isLoading={isAppsLoading && Boolean(connectionId)}
+              isDisabled={!connectionId}
+              value={apps?.find((app) => app.id === value) ?? null}
+              onChange={(option) => {
+                onChange((option as SingleValue<THerokuApp>)?.id ?? "");
+                setValue(
+                  "destinationConfig.appName",
+                  (option as SingleValue<THerokuApp>)?.name ?? ""
+                );
+              }}
+              options={apps}
+              placeholder="Select an app..."
+              getOptionLabel={(option) => option.name}
+              getOptionValue={(option) => option.id}
+            />
+          </FormControl>
+        )}
+      />
+    </>
+  );
+};
--- a/frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncDestinationFields/SecretSyncDestinationFields.tsx
@@ -15,6 +15,7 @@ import { FlyioSyncFields } from "./FlyioSyncFields";
 import { GcpSyncFields } from "./GcpSyncFields";
 import { GitHubSyncFields } from "./GitHubSyncFields";
 import { HCVaultSyncFields } from "./HCVaultSyncFields";
+import { HerokuSyncFields } from "./HerokuSyncFields";
 import { HumanitecSyncFields } from "./HumanitecSyncFields";
 import { OCIVaultSyncFields } from "./OCIVaultSyncFields";
 import { RenderSyncFields } from "./RenderSyncFields";
@@ -63,6 +64,8 @@ export const SecretSyncDestinationFields = () => {
      return <OCIVaultSyncFields />;
    case SecretSync.OnePass:
      return <OnePassSyncFields />;
+    case SecretSync.Heroku:
+      return <HerokuSyncFields />;
    case SecretSync.Render:
      return <RenderSyncFields />;
    case SecretSync.Flyio:
--- a/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx
@@ -52,6 +52,7 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
    case SecretSync.TeamCity:
    case SecretSync.OnePass:
    case SecretSync.OCIVault:
+    case SecretSync.Heroku:
    case SecretSync.Render:
    case SecretSync.Flyio:
      AdditionalSyncOptionsFieldsComponent = null;
--- a/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/HerokuSyncReviewFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/HerokuSyncReviewFields.tsx
@@ -0,0 +1,18 @@
+import { useFormContext } from "react-hook-form";
+
+import { GenericFieldLabel } from "@app/components/secret-syncs";
+import { TSecretSyncForm } from "@app/components/secret-syncs/forms/schemas";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const HerokuSyncReviewFields = () => {
+  const { watch } = useFormContext<TSecretSyncForm & { destination: SecretSync.Heroku }>();
+  const appName = watch("destinationConfig.appName");
+  const appId = watch("destinationConfig.app");
+
+  return (
+    <>
+      <GenericFieldLabel label="App">{appName}</GenericFieldLabel>
+      <GenericFieldLabel label="App ID">{appId}</GenericFieldLabel>
+    </>
+  );
+};
--- a/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx
+++ b/frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx
@@ -24,6 +24,7 @@ import { FlyioSyncReviewFields } from "./FlyioSyncReviewFields";
 import { GcpSyncReviewFields } from "./GcpSyncReviewFields";
 import { GitHubSyncReviewFields } from "./GitHubSyncReviewFields";
 import { HCVaultSyncReviewFields } from "./HCVaultSyncReviewFields";
+import { HerokuSyncReviewFields } from "./HerokuSyncReviewFields";
 import { HumanitecSyncReviewFields } from "./HumanitecSyncReviewFields";
 import { OCIVaultSyncReviewFields } from "./OCIVaultSyncReviewFields";
 import { OnePassSyncReviewFields } from "./OnePassSyncReviewFields";
@@ -106,6 +107,9 @@ export const SecretSyncReviewFields = () => {
    case SecretSync.OnePass:
      DestinationFieldsComponent = <OnePassSyncReviewFields />;
      break;
+    case SecretSync.Heroku:
+      DestinationFieldsComponent = <HerokuSyncReviewFields />;
+      break;
    case SecretSync.Render:
      DestinationFieldsComponent = <RenderSyncReviewFields />;
      break;
--- a/frontend/src/components/secret-syncs/forms/schemas/heroku-sync-destination-schema.ts
+++ b/frontend/src/components/secret-syncs/forms/schemas/heroku-sync-destination-schema.ts
@@ -0,0 +1,14 @@
+import { z } from "zod";
+
+import { BaseSecretSyncSchema } from "@app/components/secret-syncs/forms/schemas/base-secret-sync-schema";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+
+export const HerokuSyncDestinationSchema = BaseSecretSyncSchema().merge(
+  z.object({
+    destination: z.literal(SecretSync.Heroku),
+    destinationConfig: z.object({
+      app: z.string().trim().min(1, "App ID required"),
+      appName: z.string().trim().min(1, "App name required")
+    })
+  })
+);
--- a/frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts
+++ b/frontend/src/components/secret-syncs/forms/schemas/secret-sync-schema.ts
@@ -12,6 +12,7 @@ import { FlyioSyncDestinationSchema } from "./flyio-sync-destination-schema";
 import { GcpSyncDestinationSchema } from "./gcp-sync-destination-schema";
 import { GitHubSyncDestinationSchema } from "./github-sync-destination-schema";
 import { HCVaultSyncDestinationSchema } from "./hc-vault-sync-destination-schema";
+import { HerokuSyncDestinationSchema } from "./heroku-sync-destination-schema";
 import { HumanitecSyncDestinationSchema } from "./humanitec-sync-destination-schema";
 import { OCIVaultSyncDestinationSchema } from "./oci-vault-sync-destination-schema";
 import { RenderSyncDestinationSchema } from "./render-sync-destination-schema";
@@ -38,6 +39,7 @@ const SecretSyncUnionSchema = z.discriminatedUnion("destination", [
  TeamCitySyncDestinationSchema,
  OCIVaultSyncDestinationSchema,
  OnePassSyncDestinationSchema,
+  HerokuSyncDestinationSchema,
  RenderSyncDestinationSchema,
  FlyioSyncDestinationSchema
 ]);
--- a/frontend/src/helpers/appConnections.ts
+++ b/frontend/src/helpers/appConnections.ts
@@ -37,6 +37,7 @@ import {
  VercelConnectionMethod,
  WindmillConnectionMethod
 } from "@app/hooks/api/appConnections/types";
+import { HerokuConnectionMethod } from "@app/hooks/api/appConnections/types/heroku-connection";
 import { OCIConnectionMethod } from "@app/hooks/api/appConnections/types/oci-connection";
 import { RenderConnectionMethod } from "@app/hooks/api/appConnections/types/render-connection";

@@ -81,6 +82,7 @@ export const APP_CONNECTION_MAP: Record<
  [AppConnection.TeamCity]: { name: "TeamCity", image: "TeamCity.png" },
  [AppConnection.OCI]: { name: "OCI", image: "Oracle.png", enterprise: true },
  [AppConnection.OnePass]: { name: "1Password", image: "1Password.png" },
+  [AppConnection.Heroku]: { name: "Heroku", image: "Heroku.png" },
  [AppConnection.Render]: { name: "Render", image: "Render.png" },
  [AppConnection.Flyio]: { name: "Fly.io", image: "Flyio.svg" }
 };
@@ -95,6 +97,7 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
    case AzureClientSecretsConnectionMethod.OAuth:
    case AzureDevOpsConnectionMethod.OAuth:
    case GitHubConnectionMethod.OAuth:
+    case HerokuConnectionMethod.OAuth:
      return { name: "OAuth", icon: faPassport };
    case AwsConnectionMethod.AccessKey:
    case OCIConnectionMethod.AccessKey:
@@ -129,6 +132,8 @@ export const getAppConnectionMethodDetails = (method: TAppConnection["method"])
      return { name: "App Role", icon: faUser };
    case LdapConnectionMethod.SimpleBind:
      return { name: "Simple Bind", icon: faLink };
+    case HerokuConnectionMethod.AuthToken:
+      return { name: "Auth Token", icon: faKey };
    case RenderConnectionMethod.ApiKey:
      return { name: "API Key", icon: faKey };
    default:
--- a/frontend/src/helpers/secretSyncs.ts
+++ b/frontend/src/helpers/secretSyncs.ts
@@ -62,6 +62,10 @@ export const SECRET_SYNC_MAP: Record<SecretSync, { name: string; image: string }
    name: "1Password",
    image: "1Password.png"
  },
+  [SecretSync.Heroku]: {
+    name: "Heroku",
+    image: "Heroku.png"
+  },
  [SecretSync.Render]: {
    name: "Render",
    image: "Render.png"
@@ -90,6 +94,7 @@ export const SECRET_SYNC_CONNECTION_MAP: Record<SecretSync, AppConnection> = {
  [SecretSync.TeamCity]: AppConnection.TeamCity,
  [SecretSync.OCIVault]: AppConnection.OCI,
  [SecretSync.OnePass]: AppConnection.OnePass,
+  [SecretSync.Heroku]: AppConnection.Heroku,
  [SecretSync.Render]: AppConnection.Render,
  [SecretSync.Flyio]: AppConnection.Flyio
 };
--- a/frontend/src/hooks/api/appConnections/enums.ts
+++ b/frontend/src/hooks/api/appConnections/enums.ts
@@ -23,6 +23,7 @@ export enum AppConnection {
  TeamCity = "teamcity",
  OCI = "oci",
  OnePass = "1password",
+  Heroku = "heroku",
  Render = "render",
  Flyio = "flyio"
 }
--- a/frontend/src/hooks/api/appConnections/heroku/index.ts
+++ b/frontend/src/hooks/api/appConnections/heroku/index.ts
@@ -0,0 +1,2 @@
+export * from "./queries";
+export * from "./types";
--- a/frontend/src/hooks/api/appConnections/heroku/queries.tsx
+++ b/frontend/src/hooks/api/appConnections/heroku/queries.tsx
@@ -0,0 +1,36 @@
+import { useQuery, UseQueryOptions } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { appConnectionKeys } from "../queries";
+import { THerokuApp } from "./types";
+
+const herokuConnectionKeys = {
+  all: [...appConnectionKeys.all, "heroku"] as const,
+  listApps: (connectionId: string) => [...herokuConnectionKeys.all, "apps", connectionId] as const
+};
+
+export const useHerokuConnectionListApps = (
+  connectionId: string,
+  options?: Omit<
+    UseQueryOptions<
+      THerokuApp[],
+      unknown,
+      THerokuApp[],
+      ReturnType<typeof herokuConnectionKeys.listApps>
+    >,
+    "queryKey" | "queryFn"
+  >
+) => {
+  return useQuery({
+    queryKey: herokuConnectionKeys.listApps(connectionId),
+    queryFn: async () => {
+      const { data } = await apiRequest.get<THerokuApp[]>(
+        `/api/v1/app-connections/heroku/${connectionId}/apps`
+      );
+
+      return data;
+    },
+    ...options
+  });
+};
--- a/frontend/src/hooks/api/appConnections/heroku/types.ts
+++ b/frontend/src/hooks/api/appConnections/heroku/types.ts
@@ -0,0 +1,4 @@
+export type THerokuApp = {
+  id: string;
+  name: string;
+};
--- a/frontend/src/hooks/api/appConnections/types/app-options.ts
+++ b/frontend/src/hooks/api/appConnections/types/app-options.ts
@@ -106,6 +106,11 @@ export type TOCIConnectionOption = TAppConnectionOptionBase & {
  app: AppConnection.OCI;
 };

+export type THerokuConnectionOption = TAppConnectionOptionBase & {
+  app: AppConnection.Heroku;
+  oauthClientId?: string;
+};
+
 export type TOnePassConnectionOption = TAppConnectionOptionBase & {
  app: AppConnection.OnePass;
 };
@@ -141,6 +146,7 @@ export type TAppConnectionOption =
  | TTeamCityConnectionOption
  | TOCIConnectionOption
  | TOnePassConnectionOption
+  | THerokuConnectionOption
  | TRenderConnectionOption
  | TFlyioConnectionOption;

@@ -169,6 +175,7 @@ export type TAppConnectionOptionMap = {
  [AppConnection.TeamCity]: TTeamCityConnectionOption;
  [AppConnection.OCI]: TOCIConnectionOption;
  [AppConnection.OnePass]: TOnePassConnectionOption;
+  [AppConnection.Heroku]: THerokuConnectionOption;
  [AppConnection.Render]: TRenderConnectionOption;
  [AppConnection.Flyio]: TFlyioConnectionOption;
 };
--- a/frontend/src/hooks/api/appConnections/types/heroku-connection.ts
+++ b/frontend/src/hooks/api/appConnections/types/heroku-connection.ts
@@ -0,0 +1,22 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { TRootAppConnection } from "@app/hooks/api/appConnections/types/root-connection";
+
+export enum HerokuConnectionMethod {
+  AuthToken = "auth-token",
+  OAuth = "oauth"
+}
+
+export type THerokuConnection = TRootAppConnection & { app: AppConnection.Heroku } & (
+    | {
+        method: HerokuConnectionMethod.AuthToken;
+        credentials: {
+          authToken: string;
+        };
+      }
+    | {
+        method: HerokuConnectionMethod.OAuth;
+        credentials: {
+          code: string;
+        };
+      }
+  );
--- a/frontend/src/hooks/api/appConnections/types/index.ts
+++ b/frontend/src/hooks/api/appConnections/types/index.ts
@@ -14,6 +14,7 @@ import { TGcpConnection } from "./gcp-connection";
 import { TGitHubConnection } from "./github-connection";
 import { TGitHubRadarConnection } from "./github-radar-connection";
 import { THCVaultConnection } from "./hc-vault-connection";
+import { THerokuConnection } from "./heroku-connection";
 import { THumanitecConnection } from "./humanitec-connection";
 import { TLdapConnection } from "./ldap-connection";
 import { TMsSqlConnection } from "./mssql-connection";
@@ -41,6 +42,7 @@ export * from "./gcp-connection";
 export * from "./github-connection";
 export * from "./github-radar-connection";
 export * from "./hc-vault-connection";
+export * from "./heroku-connection";
 export * from "./humanitec-connection";
 export * from "./ldap-connection";
 export * from "./mssql-connection";
@@ -79,6 +81,7 @@ export type TAppConnection =
  | TTeamCityConnection
  | TOCIConnection
  | TOnePassConnection
+  | THerokuConnection
  | TRenderConnection
  | TFlyioConnection;

@@ -132,6 +135,7 @@ export type TAppConnectionMap = {
  [AppConnection.TeamCity]: TTeamCityConnection;
  [AppConnection.OCI]: TOCIConnection;
  [AppConnection.OnePass]: TOnePassConnection;
+  [AppConnection.Heroku]: THerokuConnection;
  [AppConnection.Render]: TRenderConnection;
  [AppConnection.Flyio]: TFlyioConnection;
 };
--- a/frontend/src/hooks/api/secretSyncs/enums.ts
+++ b/frontend/src/hooks/api/secretSyncs/enums.ts
@@ -16,6 +16,7 @@ export enum SecretSync {
  TeamCity = "teamcity",
  OCIVault = "oci-vault",
  OnePass = "1password",
+  Heroku = "heroku",
  Render = "render",
  Flyio = "flyio"
 }
--- a/frontend/src/hooks/api/secretSyncs/types/heroku-sync.ts
+++ b/frontend/src/hooks/api/secretSyncs/types/heroku-sync.ts
@@ -0,0 +1,16 @@
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import { SecretSync } from "@app/hooks/api/secretSyncs";
+import { TRootSecretSync } from "@app/hooks/api/secretSyncs/types/root-sync";
+
+export type THerokuSync = TRootSecretSync & {
+  destination: SecretSync.Heroku;
+  destinationConfig: {
+    app: string;
+    appName: string;
+  };
+  connection: {
+    app: AppConnection.Heroku;
+    name: string;
+    id: string;
+  };
+};
--- a/frontend/src/hooks/api/secretSyncs/types/index.ts
+++ b/frontend/src/hooks/api/secretSyncs/types/index.ts
@@ -14,6 +14,7 @@ import { TFlyioSync } from "./flyio-sync";
 import { TGcpSync } from "./gcp-sync";
 import { TGitHubSync } from "./github-sync";
 import { THCVaultSync } from "./hc-vault-sync";
+import { THerokuSync } from "./heroku-sync";
 import { THumanitecSync } from "./humanitec-sync";
 import { TOCIVaultSync } from "./oci-vault-sync";
 import { TTeamCitySync } from "./teamcity-sync";
@@ -46,6 +47,7 @@ export type TSecretSync =
  | TTeamCitySync
  | TOCIVaultSync
  | TOnePassSync
+  | THerokuSync
  | TRenderSync
  | TFlyioSync;

--- a/frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AppConnectionForm.tsx
+++ b/frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/AppConnectionForm.tsx
@@ -23,6 +23,7 @@ import { GcpConnectionForm } from "./GcpConnectionForm";
 import { GitHubConnectionForm } from "./GitHubConnectionForm";
 import { GitHubRadarConnectionForm } from "./GitHubRadarConnectionForm";
 import { HCVaultConnectionForm } from "./HCVaultConnectionForm";
+import { HerokuConnectionForm } from "./HerokuAppConnectionForm";
 import { HumanitecConnectionForm } from "./HumanitecConnectionForm";
 import { LdapConnectionForm } from "./LdapConnectionForm";
 import { MsSqlConnectionForm } from "./MsSqlConnectionForm";
@@ -121,6 +122,8 @@ const CreateForm = ({ app, onComplete }: CreateFormProps) => {
      return <OCIConnectionForm onSubmit={onSubmit} />;
    case AppConnection.OnePass:
      return <OnePassConnectionForm onSubmit={onSubmit} />;
+    case AppConnection.Heroku:
+      return <HerokuConnectionForm onSubmit={onSubmit} />;
    case AppConnection.Render:
      return <RenderConnectionForm onSubmit={onSubmit} />;
    case AppConnection.Flyio:
@@ -209,6 +212,8 @@ const UpdateForm = ({ appConnection, onComplete }: UpdateFormProps) => {
      return <OCIConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
    case AppConnection.OnePass:
      return <OnePassConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
+    case AppConnection.Heroku:
+      return <HerokuConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
    case AppConnection.Render:
      return <RenderConnectionForm onSubmit={onSubmit} appConnection={appConnection} />;
    case AppConnection.Flyio:
--- a/frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/HerokuAppConnectionForm.tsx
+++ b/frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/HerokuAppConnectionForm.tsx
@@ -0,0 +1,253 @@
+/* eslint-disable no-case-declarations */
+/* eslint-disable no-nested-ternary */
+import crypto from "crypto";
+
+import { useState } from "react";
+import { Controller, FormProvider, useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import {
+  Button,
+  FormControl,
+  ModalClose,
+  SecretInput,
+  Select,
+  SelectItem
+} from "@app/components/v2";
+import { APP_CONNECTION_MAP, getAppConnectionMethodDetails } from "@app/helpers/appConnections";
+import { isInfisicalCloud } from "@app/helpers/platform";
+import { useGetAppConnectionOption } from "@app/hooks/api/appConnections";
+import { AppConnection } from "@app/hooks/api/appConnections/enums";
+import {
+  HerokuConnectionMethod,
+  THerokuConnection
+} from "@app/hooks/api/appConnections/types/heroku-connection";
+
+import {
+  genericAppConnectionFieldsSchema,
+  GenericAppConnectionsFields
+} from "./GenericAppConnectionFields";
+
+type Props = {
+  appConnection?: THerokuConnection;
+  onSubmit: (formData: FormData) => Promise<void>;
+};
+
+const formSchema = z.discriminatedUnion("method", [
+  genericAppConnectionFieldsSchema.extend({
+    app: z.literal(AppConnection.Heroku),
+    method: z.literal(HerokuConnectionMethod.AuthToken),
+    credentials: z.object({
+      authToken: z.string().min(1, "Auth token is required")
+    })
+  }),
+  genericAppConnectionFieldsSchema.extend({
+    app: z.literal(AppConnection.Heroku),
+    method: z.literal(HerokuConnectionMethod.OAuth),
+    credentials: z.object({
+      code: z.string().min(1, "Code is required")
+    })
+  })
+]);
+
+type FormData = z.infer<typeof formSchema>;
+
+export const HerokuConnectionForm = ({ appConnection, onSubmit: formSubmit }: Props) => {
+  const isUpdate = Boolean(appConnection);
+  const [isRedirecting, setIsRedirecting] = useState(false);
+
+  const {
+    option: { oauthClientId },
+    isLoading
+  } = useGetAppConnectionOption(AppConnection.Heroku);
+
+  const form = useForm<FormData>({
+    resolver: zodResolver(formSchema),
+    defaultValues:
+      appConnection?.method === HerokuConnectionMethod.OAuth
+        ? { ...appConnection, credentials: { code: "custom" } }
+        : (appConnection ??
+          ({
+            app: AppConnection.Heroku,
+            method: HerokuConnectionMethod.AuthToken,
+            credentials: {
+              authToken: ""
+            }
+          } as FormData))
+  });
+
+  const {
+    handleSubmit,
+    control,
+    watch,
+    setValue,
+    formState: { isSubmitting, isDirty }
+  } = form;
+
+  const selectedMethod = watch("method");
+
+  const onSubmit = async (formData: FormData) => {
+    try {
+      switch (formData.method) {
+        case HerokuConnectionMethod.AuthToken:
+          await formSubmit(formData);
+          break;
+
+        case HerokuConnectionMethod.OAuth:
+          if (!oauthClientId) {
+            return;
+          }
+          setIsRedirecting(true);
+
+          // Generate CSRF token
+          const state = crypto.randomBytes(16).toString("hex");
+
+          // Store state and form data for callback
+          localStorage.setItem("latestCSRFToken", state);
+          localStorage.setItem(
+            "herokuConnectionFormData",
+            JSON.stringify({
+              ...formData,
+              connectionId: appConnection?.id,
+              isUpdate
+            })
+          );
+
+          // Redirect to Heroku OAuth
+          const oauthUrl = new URL("https://id.heroku.com/oauth/authorize");
+          oauthUrl.searchParams.set("client_id", oauthClientId);
+          oauthUrl.searchParams.set("response_type", "code");
+          oauthUrl.searchParams.set("scope", "write-protected");
+          oauthUrl.searchParams.set("state", state);
+
+          window.location.assign(oauthUrl.toString());
+          break;
+
+        default:
+          throw new Error("Unhandled Heroku Connection method");
+      }
+    } catch (error) {
+      console.error("Error handling form submission:", error);
+      setIsRedirecting(false);
+    }
+  };
+
+  let isMissingConfig: boolean;
+
+  switch (selectedMethod) {
+    case HerokuConnectionMethod.OAuth:
+      isMissingConfig = !oauthClientId;
+      break;
+    case HerokuConnectionMethod.AuthToken:
+      isMissingConfig = false;
+      break;
+    default:
+      throw new Error(`Unhandled Heroku Connection method: ${selectedMethod}`);
+  }
+
+  const methodDetails = getAppConnectionMethodDetails(selectedMethod);
+
+  return (
+    <FormProvider {...form}>
+      <form onSubmit={handleSubmit(onSubmit)}>
+        {!isUpdate && <GenericAppConnectionsFields />}
+
+        <Controller
+          name="method"
+          control={control}
+          render={({ field: { value, onChange }, fieldState: { error } }) => (
+            <FormControl
+              tooltipText={`The method you would like to use to connect with ${
+                APP_CONNECTION_MAP[AppConnection.Heroku].name
+              }. This field cannot be changed after creation.`}
+              errorText={
+                !isLoading && isMissingConfig && selectedMethod === HerokuConnectionMethod.OAuth
+                  ? `Environment variables have not been configured. ${
+                      isInfisicalCloud()
+                        ? "Please contact Infisical."
+                        : `See Docs to configure Heroku ${methodDetails.name} Connections.`
+                    }`
+                  : error?.message
+              }
+              isError={Boolean(error?.message) || isMissingConfig}
+              label="Method"
+            >
+              <Select
+                isDisabled={isUpdate}
+                value={value}
+                onValueChange={(val) => {
+                  console.log("val", val === HerokuConnectionMethod.OAuth);
+                  onChange(val);
+                  if (val === HerokuConnectionMethod.OAuth) {
+                    setValue("credentials.code", "custom");
+                  }
+                }}
+                className="w-full border border-mineshaft-500"
+                position="popper"
+                dropdownContainerClassName="max-w-none"
+              >
+                {Object.values(HerokuConnectionMethod).map((method) => {
+                  return (
+                    <SelectItem value={method} key={method}>
+                      {getAppConnectionMethodDetails(method).name}{" "}
+                      {method === HerokuConnectionMethod.AuthToken ? " (Recommended)" : ""}
+                    </SelectItem>
+                  );
+                })}
+              </Select>
+            </FormControl>
+          )}
+        />
+
+        {selectedMethod === HerokuConnectionMethod.AuthToken && (
+          <Controller
+            name="credentials.authToken"
+            control={control}
+            render={({ field: { value, onChange }, fieldState: { error } }) => (
+              <FormControl
+                label="Auth Token"
+                errorText={error?.message}
+                isError={Boolean(error?.message)}
+                tooltipText="Your Heroku Auth Token"
+              >
+                <SecretInput
+                  containerClassName="text-gray-400 group-focus-within:!border-primary-400/50 border border-mineshaft-500 bg-mineshaft-900 px-2.5 py-1.5"
+                  value={value}
+                  onChange={(e) => onChange(e.target.value)}
+                />
+              </FormControl>
+            )}
+          />
+        )}
+
+        <div className="mt-8 flex items-center">
+          <Button
+            className="mr-4"
+            size="sm"
+            type="submit"
+            colorSchema="secondary"
+            isLoading={isSubmitting || isRedirecting}
+            isDisabled={
+              isSubmitting ||
+              (!isUpdate && !isDirty) ||
+              (isMissingConfig && selectedMethod === HerokuConnectionMethod.OAuth) ||
+              isRedirecting
+            }
+          >
+            {isRedirecting && selectedMethod === HerokuConnectionMethod.OAuth
+              ? "Redirecting to Heroku..."
+              : isUpdate
+                ? "Reconnect to Heroku"
+                : "Connect to Heroku"}
+          </Button>
+          <ModalClose asChild>
+            <Button colorSchema="secondary" variant="plain">
+              Cancel
+            </Button>
+          </ModalClose>
+        </div>
+      </form>
+    </FormProvider>
+  );
+};
--- a/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/HerokuSyncDestinationCol.tsx
+++ b/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/HerokuSyncDestinationCol.tsx
@@ -0,0 +1,14 @@
+import { THerokuSync } from "@app/hooks/api/secretSyncs/types/heroku-sync";
+
+import { getSecretSyncDestinationColValues } from "../helpers";
+import { SecretSyncTableCell } from "../SecretSyncTableCell";
+
+type Props = {
+  secretSync: THerokuSync;
+};
+
+export const HerokuSyncDestinationCol = ({ secretSync }: Props) => {
+  const { primaryText, secondaryText } = getSecretSyncDestinationColValues(secretSync);
+
+  return <SecretSyncTableCell primaryText={primaryText} secondaryText={secondaryText} />;
+};
--- a/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/SecretSyncDestinationCol.tsx
+++ b/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/SecretSyncDestinationCol/SecretSyncDestinationCol.tsx
@@ -12,6 +12,7 @@ import { FlyioSyncDestinationCol } from "./FlyioSyncDestinationCol";
 import { GcpSyncDestinationCol } from "./GcpSyncDestinationCol";
 import { GitHubSyncDestinationCol } from "./GitHubSyncDestinationCol";
 import { HCVaultSyncDestinationCol } from "./HCVaultSyncDestinationCol";
+import { HerokuSyncDestinationCol } from "./HerokuSyncDestinationCol";
 import { HumanitecSyncDestinationCol } from "./HumanitecSyncDestinationCol";
 import { OCIVaultSyncDestinationCol } from "./OCIVaultSyncDestinationCol";
 import { RenderSyncDestinationCol } from "./RenderSyncDestinationCol";
@@ -60,6 +61,8 @@ export const SecretSyncDestinationCol = ({ secretSync }: Props) => {
      return <OnePassSyncDestinationCol secretSync={secretSync} />;
    case SecretSync.AzureDevOps:
      return <AzureDevOpsSyncDestinationCol secretSync={secretSync} />;
+    case SecretSync.Heroku:
+      return <HerokuSyncDestinationCol secretSync={secretSync} />;
    case SecretSync.Render:
      return <RenderSyncDestinationCol secretSync={secretSync} />;
    case SecretSync.Flyio:
--- a/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/helpers/index.ts
+++ b/frontend/src/pages/secret-manager/IntegrationsListPage/components/SecretSyncsTab/SecretSyncTable/helpers/index.ts
@@ -116,6 +116,10 @@ export const getSecretSyncDestinationColValues = (secretSync: TSecretSync) => {
      primaryText = destinationConfig.devopsProjectName;
      secondaryText = destinationConfig.devopsProjectId;
      break;
+    case SecretSync.Heroku:
+      primaryText = destinationConfig.appName;
+      secondaryText = destinationConfig.app;
+      break;
    case SecretSync.Render:
      primaryText = destinationConfig.serviceName ?? destinationConfig.serviceId;
      secondaryText = "Service";
--- a/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/HerokuSyncDestinationSection.tsx
+++ b/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/HerokuSyncDestinationSection.tsx
@@ -0,0 +1,19 @@
+import { GenericFieldLabel } from "@app/components/secret-syncs";
+import { THerokuSync } from "@app/hooks/api/secretSyncs/types/heroku-sync";
+
+type Props = {
+  secretSync: THerokuSync;
+};
+
+export const HerokuSyncDestinationSection = ({ secretSync }: Props) => {
+  const {
+    destinationConfig: { app, appName }
+  } = secretSync;
+
+  return (
+    <>
+      <GenericFieldLabel label="App Name">{appName}</GenericFieldLabel>
+      <GenericFieldLabel label="App ID">{app}</GenericFieldLabel>
+    </>
+  );
+};
--- a/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/SecretSyncDestinatonSection.tsx
+++ b/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncDestinationSection/SecretSyncDestinatonSection.tsx
@@ -23,6 +23,7 @@ import { FlyioSyncDestinationSection } from "./FlyioSyncDestinationSection";
 import { GcpSyncDestinationSection } from "./GcpSyncDestinationSection";
 import { GitHubSyncDestinationSection } from "./GitHubSyncDestinationSection";
 import { HCVaultSyncDestinationSection } from "./HCVaultSyncDestinationSection";
+import { HerokuSyncDestinationSection } from "./HerokuSyncDestinationSection";
 import { HumanitecSyncDestinationSection } from "./HumanitecSyncDestinationSection";
 import { OCIVaultSyncDestinationSection } from "./OCIVaultSyncDestinationSection";
 import { RenderSyncDestinationSection } from "./RenderSyncDestinationSection";
@@ -96,6 +97,9 @@ export const SecretSyncDestinationSection = ({ secretSync, onEditDestination }:
    case SecretSync.AzureDevOps:
      DestinationComponents = <AzureDevOpsSyncDestinationSection secretSync={secretSync} />;
      break;
+    case SecretSync.Heroku:
+      DestinationComponents = <HerokuSyncDestinationSection secretSync={secretSync} />;
+      break;
    case SecretSync.Render:
      DestinationComponents = <RenderSyncDestinationSection secretSync={secretSync} />;
      break;
--- a/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx
+++ b/frontend/src/pages/secret-manager/SecretSyncDetailsByIDPage/components/SecretSyncOptionsSection/SecretSyncOptionsSection.tsx
@@ -55,6 +55,7 @@ export const SecretSyncOptionsSection = ({ secretSync, onEditOptions }: Props) =
    case SecretSync.TeamCity:
    case SecretSync.OCIVault:
    case SecretSync.OnePass:
+    case SecretSync.Heroku:
    case SecretSync.Render:
    case SecretSync.Flyio:
      AdditionalSyncOptionsComponent = null;
--- a/frontend/src/pages/secret-manager/integrations/HerokuOauthCallbackPage/HerokuOauthCallbackPage.tsx
+++ b/frontend/src/pages/secret-manager/integrations/HerokuOauthCallbackPage/HerokuOauthCallbackPage.tsx
@@ -3,43 +3,99 @@ import { useNavigate, useSearch } from "@tanstack/react-router";

 import { ROUTE_PATHS } from "@app/const/routes";
 import { useWorkspace } from "@app/context";
-import { useAuthorizeIntegration } from "@app/hooks/api";
+import { useCreateAppConnection, useUpdateAppConnection } from "@app/hooks/api/appConnections";
+import { HerokuConnectionMethod } from "@app/hooks/api/appConnections/types/heroku-connection";

 export const HerokuOAuthCallbackPage = () => {
  const navigate = useNavigate();
-  const { mutateAsync } = useAuthorizeIntegration();
+  const { mutateAsync: createAppConnection } = useCreateAppConnection();
+  const { mutateAsync: updateAppConnection } = useUpdateAppConnection();

  const { code, state } = useSearch({
    from: ROUTE_PATHS.SecretManager.Integratons.HerokuOauthCallbackPage.id
  });
+
  const { currentWorkspace } = useWorkspace();

  useEffect(() => {
    (async () => {
      try {
-        // validate state
-        if (state !== localStorage.getItem("latestCSRFToken")) return;
-        localStorage.removeItem("latestCSRFToken");
-        const integrationAuth = await mutateAsync({
-          workspaceId: currentWorkspace.id,
-          code: code as string,
-          integration: "heroku"
-        });
+        // Validate CSRF state token
+        const storedState = localStorage.getItem("latestCSRFToken");
+        if (state !== storedState) {
+          console.error("CSRF token mismatch");
+          navigate({
+            to: "/organization/app-connections",
+            search: { error: "invalid_state" }
+          });
+          return;
+        }

+        // Clean up CSRF token
+        localStorage.removeItem("latestCSRFToken");
+
+        // Retrieve stored form data
+        const storedFormData = localStorage.getItem("herokuConnectionFormData");
+        if (!storedFormData) {
+          console.error("No stored form data found");
+          navigate({
+            to: "/organization/app-connections",
+            search: { error: "missing_form_data" }
+          });
+          return;
+        }
+
+        const formData = JSON.parse(storedFormData);
+        localStorage.removeItem("herokuConnectionFormData");
+
+        // Prepare app connection data with OAuth credentials
+        const connectionData = {
+          ...formData,
+          method: HerokuConnectionMethod.OAuth,
+          credentials: {
+            code: code as string
+          }
+        };
+
+        let appConnection;
+
+        // Create or update app connection
+        if (formData.isUpdate && formData.connectionId) {
+          appConnection = await updateAppConnection({
+            connectionId: formData.connectionId,
+            ...connectionData
+          });
+        } else {
+          appConnection = await createAppConnection({
+            workspaceId: currentWorkspace.id,
+            ...connectionData
+          });
+        }
+
+        // Navigate to success page or app connections list
        navigate({
-          to: "/secret-manager/$projectId/integrations/heroku/create",
-          params: {
-            projectId: currentWorkspace.id
-          },
+          to: "/organization/app-connections",
          search: {
-            integrationAuthId: integrationAuth.id
+            success: formData.isUpdate ? "connection_updated" : "connection_created",
+            connectionId: appConnection.id
          }
        });
      } catch (err) {
-        console.error(err);
+        console.error("Error handling Heroku OAuth callback:", err);
+        navigate({
+          to: "/organization/app-connections",
+          search: { error: "connection_failed" }
+        });
      }
    })();
-  }, []);
+  }, [code, state, navigate, createAppConnection, updateAppConnection, currentWorkspace.id]);

-  return <div />;
+  return (
+    <div className="flex h-screen items-center justify-center">
+      <div className="text-center">
+        <div className="mx-auto mb-4 h-8 w-8 animate-spin rounded-full border-b-2 border-primary" />
+        <p className="text-gray-600">Connecting to Heroku...</p>
+      </div>
+    </div>
+  );
 };
Author	SHA1	Message	Date
carlosmonastyrski	c52180c890	feat(secret-sync): minor fix on heroku docs	2025-06-19 15:17:36 -03:00
carlosmonastyrski	7581300a67	feat(secret-sync): minor fix on heroku sync	2025-06-19 13:38:20 -03:00
carlosmonastyrski	7473e3e21e	Add Heroku PR suggestions	2025-06-19 09:28:43 -03:00
carlosmonastyrski	6720217cee	Merge remote-tracking branch 'origin/main' into feat/addHerokuSecretSync	2025-06-19 08:47:03 -03:00
carlosmonastyrski	02f311515c	feat(secret-sync): Add PR suggestions for Heroku Integration	2025-06-17 21:19:21 -03:00
carlosmonastyrski	840b64a049	fix mint.json openapi url used for local test	2025-06-17 10:54:52 -03:00
carlosmonastyrski	c2612f242c	feat(secret-sync): Add Heroku Secret Sync	2025-06-17 10:52:55 -03:00