Environment variables are key-value pairs available to a process from its environment. They are the standard way to configure applications differently across environments (development, staging, production) and to keep secrets (API keys, database passwords) out of source code. The .env file format is a convention for defining these variables locally during development.
The .env File Format
A .env file is a plain text file where each line defines one environment variable as a KEY=VALUE pair. Lines starting with a hash character are comments and are ignored. Values do not need to be quoted unless they contain spaces or special characters. A quoted value uses double quotes; the quotes are stripped when the variable is loaded.
Why You Must Never Commit .env Files
A .env file for a development environment typically contains API keys, database credentials, OAuth secrets, and other sensitive values. Committing this file to version control exposes all those secrets to anyone who can access the repository, now and in the future: the file remains in Git history even after it is deleted in a later commit.
The correct pattern is to add .env to .gitignore and commit a .env.example file instead. The example file contains all the variable names with placeholder values or comments describing what each variable should contain. New team members copy .env.example to .env and fill in the actual values from your team's secrets store.
Accessing Environment Variables in Code
In Node.js, the dotenv package reads a .env file and populates process.env with its contents. Frameworks like Next.js, Vite, and Create React App have built-in support for .env files. In Python, the python-dotenv package does the same for os.environ. In Docker Compose, a service's env_file attribute loads variables from one or more such files. In CI/CD pipelines, variables are configured in the platform's secrets or environment settings.
Using the DevHexLab Env Parser
Open the tool at /tools/developer/env-parser. Paste the contents of your .env file. The tool displays each variable name and value in a table, highlights syntax errors like missing equals signs or duplicate keys, and shows comments. This is useful for auditing a .env file, preparing documentation, or converting variables to another format.
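The same kind of audit can be scripted locally. The following is an added example, not the DevHexLab tool's code or code from this page: it applies the format rules described above, reports missing equals signs and duplicate keys, flags NEXT_PUBLIC_ keys (which Next.js exposes to the browser), and builds .env.example content. The function names, the sample input and the last-definition-wins behaviour are assumptions.

```javascript
// Added example. auditEnv, toExample and SAMPLE are hypothetical names;
// the parsing rules follow the .env format as described on this page.
const SAMPLE = [                      // constructed input, no real secrets
  "# constructed sample",
  "DATABASE_URL=postgres://localhost/dev",
  'API_KEY="abc 123"',
  "BROKEN_LINE",
  "API_KEY=second",
  "NEXT_PUBLIC_TOKEN=xyz",
].join("\n");

function auditEnv(text) {
  const vars = Object.create(null);   // no prototype, so any key name is safe
  const issues = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;  // blank line or comment
    const eq = line.indexOf("=");
    if (eq < 1) {                                     // no "=" or empty key
      issues.push({ line: i + 1, problem: "missing key or equals sign" });
      return;
    }
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);                     // strip double quotes
    }
    if (key in vars) issues.push({ line: i + 1, problem: `duplicate key ${key}` });
    if (key.startsWith("NEXT_PUBLIC_")) {
      issues.push({ line: i + 1, problem: `${key} is sent to the browser` });
    }
    vars[key] = value;         // assumption: the last definition wins
  });
  return { vars, issues };     // issues cite line numbers, never values
}

// Build .env.example text: comments and key names kept, values dropped.
// Malformed lines are omitted because they may hold a stray secret.
function toExample(text) {
  const seen = new Set();
  const out = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) { out.push(line); continue; }
    const eq = line.indexOf("=");
    const key = line.slice(0, eq).trim();
    if (eq < 1 || seen.has(key)) continue;   // malformed or already listed
    seen.add(key);
    out.push(`${key}=`);
  }
  return out.join("\n");
}
```

Because issues are reported by line number and key name only, the audit output can be shared or logged without disclosing the values.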
Frequently Asked Questions
What is the difference between an environment variable and a secret?
In practice they are often the same thing. Secrets are sensitive values (credentials, keys). Environment variables are the mechanism for passing them to the application. Both should be managed with a secrets manager in production rather than .env files.
Can I use .env files in production?
It is not recommended. Production secrets should be managed by a dedicated secrets manager like AWS Secrets Manager, HashiCorp Vault, or the secrets features of your cloud platform. .env files are a development convenience.
What does NEXT_PUBLIC_ mean in Next.js .env files?
In Next.js, variables prefixed with NEXT_PUBLIC_ are exposed to the browser bundle. All other variables are available only on the server. Never prefix secrets with NEXT_PUBLIC_.
Use .env locally, secrets managers in production, and always gitignore .env.