Environment Variables & Secrets (Keep Keys Safe)
The simple habit that stops you leaking API keys and passwords to the whole internet.
The fastest way to get burned in your first project is to paste an API key straight into your code and push it online. Environment variables are the simple, standard fix — and understanding them protects your money and your data.
What's a Secret?
A secret is any value that would be dangerous in the wrong hands: an API key, a database password, a payment token. If someone copies it, they can run up bills in your name or read your data.
What's an Environment Variable?
An environment variable is a value stored outside your code, in the environment where the app runs. Your code reads it by name (like API_KEY) without the actual value ever appearing in the source. Different machines can supply different values, and the secret never gets committed to version control.
THE ONE-LINE VERSION
Never put secrets in code. Store them as environment variables so the value lives outside the source and never leaks.
The Golden Rules
- Never hard-code a key or password in your files.
- Keep secrets on the backend — frontend code is visible to anyone.
- Add your secrets file (often
.env) to.gitignoreso it's never committed. - If a key ever leaks, rotate it (generate a new one) immediately.
When you brief an AI, say it explicitly: "read the API key from an environment variable, don't hard-code it." Good assistants will do the right thing when told.
A: A small local file holding your secrets as NAME=value lines. Your app loads it at runtime — and you keep it out of version control.
A: Rotate it right away — delete the old key and create a new one — then move it into an environment variable. A leaked key is only dangerous while it's still valid.
The Prompt Template
Make safe handling non-negotiable in your brief:
Read every secret (API keys, passwords) from environment
variables — never hard-code them.
Add the secrets file to .gitignore.
Show me how to set each variable.Next Steps
Secrets usually guard API access, and they live on the backend — both worth a read if you haven't yet.