Environment Variables

Set per-app secrets and config that get injected into deployments, dev sandboxes, and code generation. Owner-only, masked by default, and validated against reserved names.

When to Use Env Vars

Environment variables are the right place for anything you do not want hardcoded into your app: API keys for third-party services, webhook secrets, feature flags, environment-specific URLs, anything that should be different between staging and production.

If you find yourself pasting sk_live_... or a webhook signing secret into a generated file, stop and move it to an env var instead.

Setting Variables

1. Open the Environment Variables panel

From the app editor sidebar, open Environment Variables. You will see the current set of variables (values masked) or an empty state if none are configured.

2. Add or edit a variable

Click New Variable. Enter a name (uppercase by convention, e.g. STRIPE_SECRET_KEY) and a value. Save.

3. Reveal a value when you need it

Click the eye icon next to a variable to reveal the full value. By default the panel shows only a masked preview so values do not leak in screenshots or screenshares.

4. Reference it from your app

From a Function or deployed backend code, read it with process.env.STRIPE_SECRET_KEY (TypeScript) or os.environ["STRIPE_SECRET_KEY"] (Python).

Where Values Are Used

One value, three injection points. You do not have to set the same secret in multiple places.

Deployed app

Available to backend handlers at runtime via the standard env var APIs.

Dev sandbox / preview

When you test your app in the editor preview, the same values are injected so behavior matches what you will see after deploy.

Code generation context

The AI knows which env vars are configured, so when it generates new code it references them by name rather than asking you to fill in placeholders.

Naming Rules

Valid names match ^[A-Za-z_][A-Za-z0-9_]*$: start with a letter or underscore, then letters / digits / underscores. Convention is SCREAMING_SNAKE_CASE.

Reserved prefixes

To prevent collisions with platform internals, these prefixes are blocked: GOOGLE_, GCLOUD_, GCS_, FIREBASE_, AWS_, AZURE_, K_, CLOUD_RUN_, LD_, PYTHONPATH, NODE_PATH, INTERNAL_. Standard process names like PORT, HOME, PATH, USER, SHELL are also reserved.

Rename to a non-reserved prefix (e.g. MY_AWS_REGION instead of AWS_REGION) and the value will be accepted.
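
A local pre-flight check for the naming rules above and the limits listed on this page, as an added example (not the platform's own validator). The function names are hypothetical; case-sensitive matching and treating the five listed process names as the complete reserved set are assumptions.

```python
import re

# Rules copied from this page; how the platform matches them internally is assumed.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
RESERVED_PREFIXES = ("GOOGLE_", "GCLOUD_", "GCS_", "FIREBASE_", "AWS_", "AZURE_",
                     "K_", "CLOUD_RUN_", "LD_", "PYTHONPATH", "NODE_PATH", "INTERNAL_")
# The page gives these as examples ("like"), so the platform's real set may be larger.
RESERVED_NAMES = {"PORT", "HOME", "PATH", "USER", "SHELL"}
MAX_VARS, MAX_NAME_LEN, MAX_VALUE_LEN = 20, 64, 4096


def check_name(name):
    """Return a list of reasons the name would be rejected (empty list = OK)."""
    problems = []
    # fullmatch, not match: with re.match, "$" also accepts a trailing newline.
    if not NAME_RE.fullmatch(name):
        problems.append("invalid characters")
    if len(name) > MAX_NAME_LEN:
        problems.append("name too long")
    # Assumption: case-sensitive comparison, as environment names are on Linux.
    if name.startswith(RESERVED_PREFIXES):
        problems.append("reserved prefix")
    if name in RESERVED_NAMES:
        problems.append("reserved name")
    return problems


def check_env(env):
    """Validate a {name: value} mapping; return {name: [problems]} for failures only."""
    report = {}
    for name, value in env.items():
        problems = check_name(name)
        # The page states the limit in characters, so count characters, not bytes.
        if len(value) > MAX_VALUE_LEN:
            problems.append("value too long")
        if problems:
            report[name] = problems
    if len(env) > MAX_VARS:
        report["*"] = ["more than %d variables" % MAX_VARS]
    return report


if __name__ == "__main__":
    # Constructed sample input; the values are placeholders, not real secrets.
    sample = {"STRIPE_SECRET_KEY": "placeholder", "AWS_REGION": "us-east-1",
              "MY_AWS_REGION": "us-east-1", "PATH": "/bin", "2FA_SEED": "x"}
    for name, problems in check_env(sample).items():
        print(name, "->", ", ".join(problems))
```

Running this over a variable list before entering it in the panel shows every rejection at once, including names that only fail because of a stray trailing newline from a copy-paste.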

Security

  • Only the app owner can read or set env vars. Collaborators inherit through the standard app-owner check.
  • Values are masked by default in the list view. The full value is only returned when you explicitly request Reveal.
  • Values are not embedded into client-side JavaScript bundles. Backend-only by default.
  • The audit log records who set or deleted each variable for traceability.

For workspace-wide secrets that apply across many apps, consider keeping them in a secrets manager and pulling at deploy time. Per-app env vars are intentionally per-app, not workspace-shared.

Limits

Max variables per app: 20
Max name length: 64 characters
Max value length: 4,096 characters (4 KB)
Name pattern: Starts with letter or underscore; letters / digits / underscores only
Plan requirement: All plans, including Free

FAQs

Where are environment variables used?

Per-app env vars are injected into three places: your deployed app at runtime, the dev sandbox when you preview backend code, and the code generation context so the AI knows what config is available to reference. The same value works in all three.

How do I keep an env var secret?

Set it in the Environment Variables panel; never paste secrets into source code. Listed values are masked by default in the panel; the full value is only revealed when you explicitly click Reveal.

Why was my variable name rejected?

The name matched a reserved prefix or pattern. Names matching system-managed prefixes (GOOGLE_, AWS_, FIREBASE_, K_, CLOUD_RUN_, INTERNAL_, etc.) are blocked to prevent collisions with platform internals. Pick a different prefix (e.g. MY_STRIPE_KEY instead of FIREBASE_KEY).

Can I use env vars in my generated frontend code?

Values are exposed to backend handlers (Functions, deployed server code) at runtime. They are not bundled into client-side JavaScript by default to avoid leaking secrets. If you need a non-secret value in the browser, hardcode it in the prompt or use a config endpoint that returns it.

What plans support env vars?

All plans, including Free. Limits are the same across plans: up to 20 variables per app, 4 KB per value, and a 64-character name limit.