Environment Variables

Env vars hold secrets and config your app reads at boot. Nexos encrypts every value at rest with AES-256-GCM and injects them into every preview environment.

Auto-injected variables

Set automatically when the corresponding service is enabled. Do not define these yourself.

Setting your own variables

Three ways to set them:

• Dashboard — Project Settings → Environment Variables.
• nexos.yaml — env: block. Good for non-secret config. See nexos.yaml.
• Bulk .env import — paste or upload a .env file in the dashboard. Existing keys are updated; new keys created.

Listed values are masked — only the first four characters are shown. For real secrets, prefer the dashboard over committed YAML.

Encryption at rest

Every value is AES-256-GCM encrypted with a unique random IV before it lands in the database. The plaintext is decrypted only at deploy time, when the value is injected into the container. The encryption key is configured on the API server via ENCRYPTION_KEY (a 32-byte hex string).

API

# Create or update
curl -X PUT https://api.nexos.rs/api/projects/:id/env-vars \
  -H "Authorization: Bearer nxs_..." \
  -H "Content-Type: application/json" \
  -d '{"key": "STRIPE_SECRET_KEY", "value": "sk_test_..."}'

# List (values masked)
curl https://api.nexos.rs/api/projects/:id/env-vars \
  -H "Authorization: Bearer nxs_..."

# Delete
curl -X DELETE https://api.nexos.rs/api/projects/:id/env-vars/:varId \
  -H "Authorization: Bearer nxs_..."