Ever wondered how applications know your API keys, secret tokens, or database credentials without hardcoding them into your code?
That magic comes from environment variables. And in many modern web development projects (especially in Node.js, React, Next.js, etc.), we use .env and .env.local files to store these values.
Let’s break down what these files are, why they’re important, how they’re different, and some best practices to follow!
What is a .env file?
A .env file is a simple text file that stores environment variables in a key-value format.
Example:
DATABASE_URL="postgres://user:password@localhost:5432/mydb"
API_KEY="12345-abcdef"
PORT=3000
These variables can then be accessed inside your app using tools like dotenv in Node.js or automatically in frameworks like Next.js, React, or Vite.
Why is it important?
Here’s why .env files are essential:
- Separation of Secrets from Code
You should never hardcode API keys, database URLs, or other secrets into your codebase. .env files let you keep those values separate.
- Flexibility across Environments
Whether you're working on development, staging, or production—each environment may need different values.
With .env, you can easily switch between these.
- Cleaner Code
Instead of littering your codebase with config values, you reference environment variables like:
const apiKey = process.env.API_KEY;
- Version Control Safety
You can (and should!) add .env to your .gitignore file so sensitive data doesn’t get pushed to GitHub.
What about .env.local?
This is where things get a bit more contextual and powerful.
.env.local is commonly used in frameworks like Next.js or Create React App, and is specifically meant for local development only.
It lets you override values in .env or add machine-specific variables that shouldn't be committed to version control.
Example:
.env (committed to git)
API_URL=https://api.production.com
.env.local (not committed to git)
API_URL=http://localhost:4000
In this case, your local machine uses a development server, while production uses the live API.
.env vs .env.local — What’s the Difference?
| Feature | .env |
.env.local |
|---|---|---|
| Purpose | Shared base config | Local developer overrides |
| Should be committed? | Yes | No |
| Used in production? | Can be | Never |
| Use case | Default settings | Developer-specific changes |
Best Practices
-
Add
.env.localto.gitignoreYour secrets should never be in Git.
-
Use
.envfor non-sensitive defaultsE.g., logging level, app name, etc.
-
Prefix with NEXT_PUBLIC_ in Next.js
Only
envvars that begin withNEXT_PUBLIC_are exposed to the browser:
NEXT_PUBLIC_API_URL=https://my-api.com
require('dotenv').config();
console.log(process.env.API_KEY);
Common Mistakes to Avoid
- Hardcoding values:
const apiKey = "123456"; // DON'T DO THIS!
- Forgetting to restart dev server after changes
Always restart your dev server when you change env files, or they may not reload.
- Thinking .env.local works in production
It’s meant for local development only.
Conclusion
Using .env and .env.local files the right way is one of the simplest but most crucial best practices in modern app development.
They make your app more secure, configurable, and collaborative-friendly across teams and environments.
So next time you spin up a project, make sure your config is where it belongs—not buried inside your code, but safe and flexible inside a .env file!
Top comments (0)