Environment Variable
An environment variable is a dynamic-named value stored outside the application code that configures behavior at runtime, commonly used to inject secrets like API keys.
Why It Matters
Environment variables are the most common way developers store API keys, following the 12-Factor App methodology. However, they're also a major sprawl vector — env vars get copied across servers, containers, CI/CD configs, and local dev environments.
How It Works
The operating system or container runtime sets key-value pairs accessible to running processes via `process.env` (Node.js), `os.environ` (Python), etc. Applications read these values at startup without hardcoding them in source code.
Best Practices
- Use .env files only in development, not production
- Never commit .env files to version control
- Use a secrets manager in production environments
- Limit which processes and users can read environment variables
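An added example (not ShieldKey's code and not part of the original page) for the last practice above: a child process inherits the parent's whole environment unless it is handed an explicit one, so this sketch passes only allow-listed names. The allowlist, the hint list and the `PAYMENTS_API_KEY` sample are constructed assumptions.

```python
import os
import subprocess
import sys

# Name fragments that usually mark a secret (constructed list; adjust to your naming).
SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
# Variables most children need in order to start (assumption; extend per workload).
BASE_ALLOWLIST = ("PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT")


def secret_like_names(names):
    """Return the sorted names that look like secrets. Values are never touched."""
    return sorted(n for n in names if any(h in n.upper() for h in SECRET_HINTS))


def minimal_env(parent_env, extra_allowed=()):
    """Copy only allow-listed variables out of parent_env."""
    allowed = set(BASE_ALLOWLIST) | set(extra_allowed)
    return {k: v for k, v in parent_env.items() if k in allowed}


def secrets_visible_to_child(env):
    """Start a child interpreter with `env` and report the secret-like names it sees."""
    proc = subprocess.run(
        [sys.executable, "-c", "import os; print('\\n'.join(os.environ))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return secret_like_names(proc.stdout.splitlines())


if __name__ == "__main__":
    # Constructed sample: a parent process holding one secret and one harmless setting.
    parent = dict(os.environ, PAYMENTS_API_KEY="constructed-not-a-real-key", APP_MODE="dev")
    print("inherited:", secrets_visible_to_child(parent))
    print("allow-listed:", secrets_visible_to_child(minimal_env(parent, ("APP_MODE",))))
```

Only names are reported, never values, so the output is safe to keep in build or audit logs.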
Common Mistakes
- Committing .env files to Git (even "accidentally" — it persists in history)
- Copying env vars across environments without audit
- Assuming environment variables are secure (any process with the right UID can read them)
How ShieldKey Helps
With ShieldKey, you store a Shield Token in your env var instead of the real API key. Even if the env var leaks, the Shield Token can be instantly revoked — unlike a leaked raw key.
FAQ
Are environment variables secure?
Environment variables are better than hardcoded secrets but not truly secure. Any process running as the same user can read them. For production, use a secrets manager or proxy like ShieldKey.