Environment Variables

Environment variables hold secrets and configuration your app reads at boot — API keys, feature flags, third-party credentials. You set them once per project; Nexos injects them into every preview environment and encrypts every value at rest with AES-256-GCM.

Two kinds of variables. The ones you set (API keys, flags) and the ones Nexos injects automatically (DATABASE_URL, REDIS_URL, S3 credentials). Both show up in process.env — your app doesn't need to tell them apart.

Creating and Managing Environment Variables

Set environment variables through the project settings page in the dashboard. Each variable has a key and a value:

STRIPE_SECRET_KEY=sk_test_...
SENDGRID_API_KEY=SG...
FEATURE_FLAG_NEW_UI=true

Via the API:

# Create or update an environment variable
curl -X PUT https://api.nexos.dev/api/projects/:id/env-vars \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"key": "STRIPE_SECRET_KEY", "value": "sk_test_..."}'

# List environment variables (values are masked)
curl https://api.nexos.dev/api/projects/:id/env-vars \
  -H "Authorization: Bearer <token>"

# Delete an environment variable
curl -X DELETE https://api.nexos.dev/api/projects/:id/env-vars/:varId \
  -H "Authorization: Bearer <token>"

When listing variables through the dashboard or API, values are masked for security. Only the first four characters are shown.

Encryption at Rest

Every environment variable value is encrypted with AES-256-GCM before it is stored in the database. Each value gets its own randomly generated initialization vector (IV), which is stored alongside the ciphertext.

The encryption key is configured via the ENCRYPTION_KEY environment variable on the API server. It must be a 256-bit (32-byte) hex-encoded string.

Values are decrypted only at deployment time, when they are injected into the container as environment variables. The plaintext values never touch the database.

Auto-Injected System Variables

Nexos automatically injects the following environment variables into every application container, based on the services enabled for the project:

Variable	Description	Example
`PORT`	The port your application should listen on	`3000`
`DATABASE_URL`	PostgreSQL connection string (if Postgres is enabled)	`postgresql://user:pass@db:5432/app`
`REDIS_URL`	Redis connection string (if Redis is enabled)	`redis://redis:6379`

System variables are injected automatically and cannot be overridden by user-defined variables. Your application should use these to connect to its services.

Importing from .env Files

You can bulk-import environment variables from a .env file through the dashboard. Click Import .env in the project settings and paste or upload your file:

# .env file format
STRIPE_SECRET_KEY=sk_test_abc123
SENDGRID_API_KEY=SG.abc123
APP_SECRET=my-secret-value

# Comments and empty lines are ignored
# Lines without = are skipped

The import parses each line, extracts the key-value pairs, encrypts the values, and stores them. Existing variables with the same key are updated. New variables are created.

Important: Never commit .env files to your repository. Use the Nexos dashboard or API to manage secrets securely.