Environment Variables (.env files)
A .env file is a small text file that holds secrets like API keys outside your code. Your app reads from it at runtime. Never commit it to Git.
What it is
A .env file (pronounced “dot env”) is a small text file at the root of your project that holds secret values your app needs at runtime, such as API keys, database URLs, or auth tokens. The “env” stands for environment.
Your code reads from .env instead of hardcoding the values, so the secrets stay on your machine and out of GitHub.
Simple analogy
Your code is the recipe. The .env file is the secret-ingredients note kept in a locked drawer. Anyone can read the recipe. Only you have the drawer key.
Why this matters for designers
You will often set values in .env files when working with AI APIs or local dev setups. If a guide says “add your API key to .env”, this is what it means.
What a .env file looks like
# .env — sits at the root of your project, never goes to Git
OPENAI_API_KEY="sk-proj-abc123..."
ANTHROPIC_API_KEY="sk-ant-xyz789..."
FIGMA_ACCESS_TOKEN="fig_abc123"
TURSO_DATABASE_URL="libsql://your-db.turso.io"Each line is NAME=value. Your code refers to these by name (for example process.env.OPENAI_API_KEY in JavaScript).
The three rules
- Add
.envto.gitignorethe day you create it. This is the single line in.gitignorethat prevents accidental leaks. Without it,git addwill happily commit your secrets. - Commit a
.env.exampleinstead. Same variable names, fake values likeOPENAI_API_KEY=sk-.... That is the file teammates use to set up the project on their own machines. - Each environment has its own. Local laptop, staging server, production. Different values, sometimes different keys. Never reuse one key everywhere.
Common mistakes
- Committing
.envbecause it was missed in.gitignore. Rotate the keys immediately if this happens. - Putting the actual secret value into source code “just for now.” Five seconds of typing turns into a leaked credential when the file gets pasted into AI or pushed to a repo.
- Sharing
.envfiles over Slack or email. Use a shared password manager (1Password, Bitwarden) for team secrets, not chat.
Related
- Safe AI for Designers: the five rules — the full security checklist for working with AI
- Personal Access Token — a related kind of secret used by GitHub and other services