Env vars keep secrets out of your code and let you configure apps per environment (dev, staging, prod).
The .env File
# .env (never commit this)
DATABASE_URL=postgres://localhost:5432/mydb
API_SECRET=sk_live_abc123
# .env.example (commit this)
DATABASE_URL=
API_SECRET=
Next.js Convention
NEXT_PUBLIC_*- exposed to the browser- Everything else - server-only
Common Mistakes
- Committing
.envto git - Forgetting to set vars in production dashboard
- Putting secrets in
NEXT_PUBLIC_variables