Pass environment variables (OAuth, secrets)

We use docker for our CircleCI builds, and our built docker containers require OAuth tokens to be set through environment variables in order to access 3rd party APIs. The OAuth tokens cannot be checked in to our codebase (including our docker files, or docker-compose files).

How might we pass ENV variables from CircleCI’s build environment to our docker containers? I believe this can be achieved using ‘args’ of docker compose (https://docs.docker.com/compose/compose-file/#args). However, this is only supported by v2 of the docker-compose format, which requires docker-compose 1.6.0+ and docker engine 1.10.0+ (source: https://docs.docker.com/compose/compose-file/#version-2).

Under the current CircleCI infrastructure, how might we safely pass our OAuth tokens to our docker containers?
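The difference between the build-time `args` approach mentioned in the question and a runtime pass-through, as an added example that is not part of the original post. It assumes a hypothetical variable named `OAUTH_TOKEN` that is defined as a project environment variable in the CircleCI settings and is therefore present in the shell that runs `docker-compose`; the service name `app` is also hypothetical.

```yaml
# --- Option A: build-time args (compose file format v2) ---------------------
# The value is injected while the image is being built. Docker's documentation
# warns against using build-time variables for secrets: the values can be read
# back from the finished image with `docker history`, so anyone who can pull
# the image can recover the token.
version: "2"
services:
  app:
    build:
      context: .
      args:
        - OAUTH_TOKEN        # key only: value is read from the calling shell at build time
---
# --- Option B: runtime environment pass-through (v1 format) -----------------
# No top-level "version" key, so this is the v1 file format and does not need
# the newer docker-compose / engine versions quoted in the question.
# A key listed without a value under `environment` is resolved from the shell
# that runs docker-compose when the container starts. Nothing is written into
# the image or into this file, so the file can be committed safely.
app:
  build: .
  environment:
    - OAUTH_TOKEN            # hypothetical name; set in the CI project settings, not in the repo
```

With option B the container only receives the token at start-up, so a build step that itself needs the third-party API would not see it.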