Environment Variables

Environment variables let you store configuration values — API keys, database URLs, feature flags — outside your source code. They keep sensitive data safe, allow different values per environment, and prevent secrets from leaking into version control or browser bundles.

How Environment Variables Work in Skappa

Skappa supports environment variables for both build time and runtime. Variables are encrypted at rest and decrypted only when your app is building or running. They are never exposed in logs, build output, or the client-side bundle (unless you explicitly opt in with the NEXT_PUBLIC_ prefix).

Adding Variables

Open your project settings, navigate to the "Environment" tab, and click "Add Variable." Enter a name and value:

OPENAI_API_KEY=sk-proj-abc123...
DATABASE_URL=postgresql://user:pass@host:5432/db
NEXT_PUBLIC_APP_URL=https://myapp.com

Accessing Variables in Code

Server-side code (API routes, server components, middleware) can access any variable with process.env.YOUR_VARIABLE. Client-side code can only access variables prefixed with NEXT_PUBLIC_.

// Server-side (safe for secrets)
const apiKey = process.env.OPENAI_API_KEY

// Client-side (visible to users — no secrets!)
const appUrl = process.env.NEXT_PUBLIC_APP_URL

Security Best Practices

• Never put secrets (API keys, passwords, tokens) in NEXT_PUBLIC_ variables — they are visible in the browser.
• Route all third-party API calls through your own server-side API routes to keep keys hidden.
• Rotate secrets periodically and immediately if you suspect a leak.
• After rotating, update the variable in Skappa settings and redeploy to apply the new value.

Common Variables

OPENAI_API_KEY          — AI-powered features (server-side only)
STRIPE_SECRET_KEY       — Payment processing (server-side only)
DATABASE_URL            — Database connection string
NEXT_PUBLIC_SUPABASE_URL — Supabase project URL (client-safe)
NEXT_PUBLIC_SUPABASE_ANON_KEY — Supabase anon key (client-safe)