diff --git a/datasette/app.py b/datasette/app.py
index 16a29e20..70bd3c12 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -268,7 +268,16 @@ class Datasette:
         )
         if plugins is None:
             return None
-        return plugins.get(plugin_name)
+        plugin_config = plugins.get(plugin_name)
+        # Resolve any $file and $env keys
+        if isinstance(plugin_config, dict):
+            for key, value in plugin_config.items():
+                if isinstance(value, dict):
+                    if list(value.keys()) == ["$env"]:
+                        plugin_config[key] = os.environ.get(list(value.values())[0])
+                    elif list(value.keys()) == ["$file"]:
+                        plugin_config[key] = open(list(value.values())[0]).read()
+        return plugin_config
 
     def app_css_hash(self):
         if not hasattr(self, "_app_css_hash"):
diff --git a/docs/plugins.rst b/docs/plugins.rst
index be335546..609fa844 100644
--- a/docs/plugins.rst
+++ b/docs/plugins.rst
@@ -219,6 +219,39 @@ Here is an example of some plugin configuration for a specific table::
 
 This tells the ``datasette-cluster-map`` column which latitude and longitude columns should be used for a table called ``Street_Tree_List`` inside a database file called ``sf-trees.db``.
 
+Secret configuration values
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Any values embedded in ``metadata.json`` will be visible to anyone who views the ``/-/metadata`` page of your Datasette instance. Some plugins may need configuration that should stay secret - API keys for example. There are two ways in which you can store secret configuration values.
+
+**As environment variables**. If your secret lives in an environment variable that is available to the Datasette process, you can indicate that the configuration value should be read from that environment variable like so::
+
+    {
+        "plugins": {
+            "datasette-auth-github": {
+                "client_secret": {
+                    "$env": "GITHUB_CLIENT_SECRET"
+                }
+            }
+        }
+    }
+
+
+**As values in separate files**. Your secrets can also live in files on disk. To specify a secret should be read from a file, provide the full file path like this::
+
+    {
+        "plugins": {
+            "datasette-auth-github": {
+                "client_secret": {
+                    "$file": "/secrets/client-secret"
+                }
+            }
+        }
+    }
+
+Writing plugins that accept configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 When you are writing plugins, you can access plugin configuration like this using the ``datasette.plugin_config()`` method. If you know you need plugin configuration for a specific table, you can access it like this::
 
     plugin_config = datasette.plugin_config(
diff --git a/tests/fixtures.py b/tests/fixtures.py
index fab6509e..db5f06e2 100644
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -15,6 +15,10 @@ import time
 from urllib.parse import unquote
 
 
+# This temp file is used by one of the plugin config tests
+TEMP_PLUGIN_SECRET_FILE = os.path.join(tempfile.gettempdir(), "plugin-secret")
+
+
 class TestResponse:
     def __init__(self, status, headers, body):
         self.status = status
@@ -246,7 +250,11 @@ METADATA = {
     "source_url": "https://github.com/simonw/datasette/blob/master/tests/fixtures.py",
     "about": "About Datasette",
     "about_url": "https://github.com/simonw/datasette",
-    "plugins": {"name-of-plugin": {"depth": "root"}},
+    "plugins": {
+        "name-of-plugin": {"depth": "root"},
+        "env-plugin": {"foo": {"$env": "FOO_ENV"}},
+        "file-plugin": {"foo": {"$file": TEMP_PLUGIN_SECRET_FILE}},
+    },
     "databases": {
         "fixtures": {
             "description": "Test tables description",
diff --git a/tests/test_plugins.py b/tests/test_plugins.py
index 9bdd491a..f42eebd7 100644
--- a/tests/test_plugins.py
+++ b/tests/test_plugins.py
@@ -1,7 +1,8 @@
 from bs4 import BeautifulSoup as Soup
-from .fixtures import app_client  # noqa
+from .fixtures import app_client, make_app_client, TEMP_PLUGIN_SECRET_FILE  # noqa
 import base64
 import json
+import os
 import re
 import pytest
 import urllib
@@ -125,6 +126,18 @@ def test_plugin_config(app_client):
     assert None is app_client.ds.plugin_config("unknown-plugin")
 
 
+def test_plugin_config_env(app_client):
+    os.environ["FOO_ENV"] = "FROM_ENVIRONMENT"
+    assert {"foo": "FROM_ENVIRONMENT"} == app_client.ds.plugin_config("env-plugin")
+    del os.environ["FOO_ENV"]
+
+
+def test_plugin_config_file(app_client):
+    open(TEMP_PLUGIN_SECRET_FILE, "w").write("FROM_FILE")
+    assert {"foo": "FROM_FILE"} == app_client.ds.plugin_config("file-plugin")
+    os.remove(TEMP_PLUGIN_SECRET_FILE)
+
+
 @pytest.mark.parametrize(
     "path,expected_extra_body_script",
     [