Environment Variables

Securely store and manage environment variables, API keys, and secrets. All values are encrypted at rest with AES-256-GCM before being written to the database.

Adding variables

Navigate to Project → Settings → Environment Variables. Click Add Variable, enter the key and value, select the target environments, and save. Variables take effect on the next deployment.

DATABASE_URL
postgresql://user:••••••••@host/db
Production | Preview | Development

Environment targets

Each variable can be scoped to one or more deployment environments. This lets you use different database URLs, API keys, or feature flags per environment.

Production

Applied to deployments from your production branch (default: main).

Preview

Applied to pull request deployments. Useful for connecting to staging databases.

Development

Pulled locally via the Deploxa CLI (deploxa env pull). Not used during CI builds.

Browser vs. server variables

Server-side variables are never exposed to the browser. To make a variable available in client-side JavaScript, prefix it with NEXT_PUBLIC_ (Next.js), VITE_ (Vite), or REACT_APP_ (CRA).

# Server-only (never sent to browser)
DATABASE_URL=postgresql://...
JWT_SECRET=supersecret

# Exposed to the browser
NEXT_PUBLIC_API_URL=https://api.example.com
VITE_STRIPE_KEY=pk_live_...

Never put secrets in browser-exposed variables. They will appear in your compiled JavaScript bundle and be visible to anyone who downloads your page source.

Bulk import from .env file

You can paste the contents of a .env file directly into the bulk import textarea. Deploxa parses each line and creates the variables automatically. Quoted values, comments, and blank lines are all handled correctly.

# This is a comment — ignored
DATABASE_URL="postgresql://user:pass@host/db"
REDIS_URL=redis://localhost:6379
API_SECRET=my-secret-value

# Blank lines are fine
NODE_ENV=production
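A pre-deploy check for the browser-exposure rule above, reading the same .env format the bulk import accepts. This is an added example, not Deploxa code: the function names and the name and value heuristics (SECRET_NAME, SECRET_VALUE) are assumptions, and the sample input is constructed.

```javascript
// Added example; the name/value heuristics are assumptions, not Deploxa rules.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_"];
const SECRET_NAME = /SECRET|PASSWORD|PRIVATE|TOKEN|CREDENTIAL|DATABASE_URL/i;
const SECRET_VALUE = [
  /^sk_(live|test)_/, // Stripe secret key (pk_ keys are publishable)
  /^[a-z][a-z0-9+.-]*:\/\/[^/\s:@]+:[^@\s]+@/i, // URL with user:password@
];

// Parse KEY=VALUE lines: skip comments and blank lines, strip matching quotes.
function parseDotenv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    const q = value[0];
    if ((q === '"' || q === "'") && value.lastIndexOf(q) > 0) {
      value = value.slice(1, value.lastIndexOf(q));
    } else {
      value = value.replace(/\s+#.*$/, "").trim(); // inline comment, unquoted value
    }
    vars.push({ key: m[1], value });
  }
  return vars;
}

// Return one finding per browser-exposed variable that looks like a secret.
function findExposedSecrets(text) {
  const findings = [];
  for (const { key, value } of parseDotenv(text)) {
    const prefix = PUBLIC_PREFIXES.find((p) => key.startsWith(p));
    if (!prefix) continue; // server-only: not compiled into the bundle
    const reason = SECRET_NAME.test(key.slice(prefix.length)) ? "secret-like name"
      : SECRET_VALUE.some((re) => re.test(value)) ? "secret-like value" : null;
    if (reason) findings.push({ key, reason });
  }
  return findings;
}

// Constructed sample input (values are made up).
const SAMPLE = `# server-only
DATABASE_URL="postgresql://user:pass@host/db"
NEXT_PUBLIC_API_URL=https://api.example.com
VITE_STRIPE_KEY=pk_live_constructed
NEXT_PUBLIC_JWT_SECRET=supersecret
REACT_APP_DB="postgresql://user:pass@host/db"
VITE_PAYMENT_KEY=sk_live_constructed # wrong key type`;
console.log(findExposedSecrets(SAMPLE));
```

A non-empty result is a reason to fail the build before the bundle is compiled; an empty result only means no heuristic matched.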

Encryption

AES-256-GCM at rest

Every variable value is encrypted before being written to the database. Keys are never stored in plaintext.

Per-org KMS keys (Team)

Team plan organizations can bring their own AWS KMS keys for envelope encryption, giving you full key custody.

Audit log

Every create, update, and delete of an environment variable is recorded in the organization audit log.

Accessing variables at runtime

Variables are injected into the build environment and the runtime process. Access them the same way you would locally:

Node.js

const dbUrl = process.env.DATABASE_URL;

Python

import os
db_url = os.environ["DATABASE_URL"]

System-injected variables

Deploxa automatically injects these variables into every build and runtime environment:

Variable                  Value
DEPLOXA_URL               The public URL of this deployment
DEPLOXA_ENV               production | preview | development
DEPLOXA_DEPLOYMENT_ID     Unique ID of this deployment
DEPLOXA_GIT_COMMIT_SHA    Git commit SHA being deployed
DEPLOXA_GIT_BRANCH        Branch name being deployed
PORT                      Port your server should listen on (container deploys)