
What is a .env File?


The short answer

A .env file (pronounced "dot env") is a plain text file that stores environment variables as KEY=value pairs. Applications read these values at startup instead of having them hardcoded in the source code.

A typical .env file looks like this:

DATABASE_URL=postgresql://user:pass@localhost:5432/mydb
API_KEY=sk-abc123xyz
PORT=3000
NODE_ENV=development
DEBUG=false

Why not just hardcode values?

Hardcoding secrets in source code is a serious security risk. If you commit a database password or API key to a public repository, it is permanently exposed — even if you delete it in a later commit, it remains in the git history.

Environment variables solve this by keeping secrets outside the codebase:

  • Each developer has their own .env with their local credentials
  • Production uses environment variables injected by the deployment platform
  • The .env file is listed in .gitignore and never committed

.env file syntax

The format is simple with a few rules:

# Comments start with a hash
KEY=value              # No spaces around =
QUOTED="hello world"   # Quotes allow spaces
EMPTY=                 # Empty value is allowed
MULTIWORD=one two      # No quotes needed for this

  • No spaces around the = sign
  • Quotes are optional but needed for values with spaces
  • Lines starting with # are comments
  • Variables are usually uppercase by convention

Loading .env in your app

In Node.js — install the dotenv package:

npm install dotenv

// At the top of your entry file:
require('dotenv').config();
// or (ESM):
import 'dotenv/config';

console.log(process.env.DATABASE_URL); // "postgresql://..."

In Python — install python-dotenv:

pip install python-dotenv

from dotenv import load_dotenv
import os

load_dotenv()
print(os.getenv('DATABASE_URL'))

In Next.js — built-in support, no package needed. Files named .env, .env.local, .env.production are loaded automatically.

Common .env file variants

.env — base defaults

Shared defaults that apply to all environments. Safe to commit if it contains no secrets (use placeholder values).

.env.local — local overrides

Machine-specific values. Always in .gitignore. Takes priority over .env.

.env.example — template

A committed file showing which variables are required, with empty or fake values. New developers copy this to .env.local to get started.

.env.production — production config

Production-specific values. Usually these come from the hosting platform (Vercel, Railway, AWS) rather than a file.

Best practices

  • Always add .env and .env.local to .gitignore
  • Commit a .env.example with all required keys but no real values
  • Never log environment variables — they may contain secrets
  • Rotate any secret that was accidentally committed immediately
  • In production, use your platform's secrets manager instead of .env files on disk
  • Validate required environment variables at startup so your app fails fast with a clear error
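
The syntax rules and the fail-fast check above, as an added example that is not dotenv's code or part of the original guide: a minimal .env parser plus a startup check that throws one error naming every required key that is unset or empty. The parser, the requireEnv helper and the sample .env text are all constructed for this example.

```javascript
// Added example, not dotenv's own code: minimal .env parser plus fail-fast check.

// Parse .env text into a plain object. Handles '#' comment lines, blank
// lines, double- or single-quoted values, empty values, and inline comments
// that follow an unquoted value after whitespace.
function parseEnv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;      // blank or comment
    const eq = line.indexOf('=');
    if (eq === -1) continue;                                 // not KEY=value
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quote = value[0];
    if ((quote === '"' || quote === "'") && value.indexOf(quote, 1) > 0) {
      // Quoted value: keep everything between the quotes, spaces included
      value = value.slice(1, value.indexOf(quote, 1));
    } else {
      // Unquoted value: cut at an inline comment (" #"), or treat the whole
      // remainder as a comment when it begins with '#'
      const hash = value.startsWith('#') ? 0 : value.indexOf(' #');
      if (hash !== -1) value = value.slice(0, hash).trim();
    }
    result[key] = value;
  }
  return result;
}

// Fail fast: return only the required values, or throw one error naming
// every unset or empty key, so a misconfigured deployment stops at startup.
function requireEnv(env, requiredKeys) {
  const missing = requiredKeys.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return Object.fromEntries(requiredKeys.map((k) => [k, env[k]]));
}

// Constructed sample .env content (not a real file), using the rules above
const SAMPLE_ENV = [
  '# Comments start with a hash',
  'DATABASE_URL=postgresql://user:pass@localhost:5432/mydb',
  'QUOTED="hello world"   # Quotes allow spaces',
  'EMPTY=                 # Empty value is allowed',
  'MULTIWORD=one two      # No quotes needed for this',
  'PORT=3000',
].join('\n');
```

Calling requireEnv(parseEnv(SAMPLE_ENV), ['DATABASE_URL', 'PORT']) returns both values, while asking for API_KEY or EMPTY throws because one is unset and the other is blank.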
