Environment Variables Explained — Never Hardcode Secrets
What environment variables are, why hardcoding secrets is dangerous, and how to use environment variables to keep your code and your users safe.
What Are Environment Variables?
Imagine you have a locked box. Instead of writing the combination directly on the box (where anyone could read it), you keep the combination in your head and type it in when you need to open the box. That way, if someone steals the box, they still can't open it.
Environment variables work the same way. They're named values that live outside your code — on your computer, a server, or a hosting platform. When your program runs, it asks for those values by name. Your API keys, database passwords, and secret tokens never have to appear in your code files at all.
Here's a simple example. Imagine you want your app to connect to a database. Instead of writing the password directly in your code like this:
```python
# Anyone who sees this file now knows your password
password = "super-secret-123"
```
You store the password in an environment variable instead, and your code reads it when it needs it:
```python
import os

# The password never appears in the code file
password = os.environ["DB_PASSWORD"]
```
Why You Should Never Hardcode Secrets
When you put a secret like a password or API key directly in your code, it stays there forever — even after you delete it from your app. That's because code gets saved in Git, shared with teammates, uploaded to GitHub, and sometimes even published publicly by mistake. Once a secret is out in the world, you have to assume it's compromised.
Hardcoded secrets have caused some of the biggest data breaches in recent years. A single API key committed to GitHub can give a stranger access to your users' data, your payment systems, or your AWS account — and you'll be paying the bill.
Environment variables solve this by keeping secrets out of the code entirely. The secret lives in one place (the environment), and your code just reads the name. You can share your code freely, push it to GitHub, and let anyone read it — the secrets simply aren't there.
💡 Key Insight
Hardcoding a secret is like writing your password on the outside of a locked box. Once that box moves through the internet — Git repos, Slack messages, emails — you have no way to get the password back. Environment variables keep the lock and the combination in completely different places.
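A small check that catches the mistake this section describes before it reaches Git. This is an added example written for this article, not code from the original page: it scans source text for string literals assigned to secret-looking names and for a couple of well-known key prefixes, skipping lines that read from the environment. The patterns, the function name find_hardcoded_secrets and the two sample files are constructed for illustration; treat it as a starting point for a pre-commit hook, not a replacement for a dedicated secret scanner.

```python
import re
import sys

# Heuristic patterns for the ways a secret usually gets hardcoded.
# Constructed for this example; a real pre-commit scanner has a longer list.
SECRET_PATTERNS = [
    # a string literal assigned to a secret-looking variable name
    re.compile(r"""(?i)\b(password|passwd|secret|api_key|apikey|token)\s*=\s*["'][^"']{4,}["']"""),
    # AWS access key id: a fixed public prefix followed by 16 upper-case letters or digits
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # the "sk-" prefix style used by the sample key in this article
    re.compile(r"\bsk-[A-Za-z0-9]{8,}\b"),
]


def find_hardcoded_secrets(source: str) -> list:
    """Return (line number, stripped line) pairs that look like hardcoded secrets."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            continue  # comments are not code
        if "os.environ" in line or "os.getenv" in line:
            continue  # reading from the environment is the safe pattern, not a finding
        if any(p.search(line) for p in SECRET_PATTERNS):
            findings.append((lineno, line))
    return findings


# Constructed samples: the "before" and "after" from the article.
SAMPLE_BAD = '''import os
password = "super-secret-123"
api_key = "sk-abc123xyz789"
db_user = "app"  # a user name is not a secret, so this line is not flagged
'''

SAMPLE_GOOD = '''import os
password = os.environ["DB_PASSWORD"]
api_key = os.environ["API_KEY"]
'''

if __name__ == "__main__":
    # Usage: python scan_secrets.py file1.py file2.py ...
    # Exits non-zero when anything is found, so it can block a commit.
    total = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{lineno}: possible hardcoded secret: {line}")
                total += 1
    sys.exit(1 if total else 0)
```

Run against the two samples, the "before" file is flagged on its two literal assignments and the "after" file produces no findings, because every secret there is read from the environment.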
Setting and Using Environment Variables
Here's how to use environment variables in your project, step by step:
- Create a file called .env in your project folder. This file holds your secrets. Add it to your .gitignore so Git never saves it.
- Write your secrets in the .env file, one per line, using a simple format: NAME=value
- Install a library that reads the .env file and loads it into your environment. In Python, that's the python-dotenv library.
- Call the library's load function at startup (load_dotenv() in python-dotenv), then use os.environ["NAME"] in your code to get the values.
- Set the same environment variables on your hosting platform (Railway, Render, Vercel, etc.) so the app works the same way in production.
The key thing to remember: your .env file never leaves your machine. Only the names of your environment variables go into your code — never the actual values.
A Simple Python Example
Here's a tiny Python app that sends a message. It uses an API key stored in an environment variable — so the key never has to appear in the code.
The .env file:

```
API_KEY=sk-abc123xyz789
DATABASE_URL=postgres://localhost/mydb
```

The app:

```python
import os
from dotenv import load_dotenv

# Load .env file — runs once at startup
load_dotenv()

# Read the API key from the environment
api_key = os.environ["API_KEY"]

# Use it — the actual key value is never in this file
print(f"Sending request with API key: {api_key[:8]}...")
```
The code is clean and safe. Even if someone downloads your code from GitHub, they can't use it without their own API key.
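To show what the python-dotenv step in the list above actually does, and to handle the case the snippet leaves open (the variable is missing or empty, which would surface as a bare KeyError), here is an added example that is not part of the original article or of python-dotenv: a small .env parser, a loader that, like python-dotenv's default behaviour, does not override a variable the hosting platform has already set, a require_env helper that fails fast with a clear message, and a redact helper so a log line never carries the full key. The function names parse_dotenv, load_dotenv_text, load_dotenv_file, require_env and redact, and the SAMPLE_ENV content, are constructed for this example.

```python
import os
from pathlib import Path


def parse_dotenv(text: str) -> dict:
    """Parse NAME=value lines; skip blanks and # comments; strip one layer of matching quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed .env line, expected NAME=value: {line!r}")
        name, value = line.split("=", 1)
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[name] = value
    return values


def load_dotenv_text(text: str, environ=os.environ, override: bool = False) -> dict:
    """Copy parsed values into environ.

    Like python-dotenv's default, a variable that is already set (for example by the
    hosting platform) wins unless override=True. Returns only the names actually written.
    """
    loaded = {}
    for name, value in parse_dotenv(text).items():
        if override or name not in environ:
            environ[name] = value
            loaded[name] = value
    return loaded


def load_dotenv_file(path=".env", environ=os.environ, override: bool = False) -> dict:
    """Load a .env file if it exists; in production there is usually no file at all."""
    p = Path(path)
    if not p.is_file():
        return {}
    return load_dotenv_text(p.read_text(encoding="utf-8"), environ, override)


def require_env(name: str, environ=os.environ) -> str:
    """Fail at startup with a clear message instead of a KeyError deep inside a request."""
    value = environ.get(name)
    if not value:  # unset and empty string are both treated as missing
        raise RuntimeError(
            f"required environment variable {name} is not set; "
            "add it to your .env file locally or to your hosting platform's settings"
        )
    return value


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for log lines so the full secret never lands in a log."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


# Constructed sample .env content for this example (same values as the article's file).
SAMPLE_ENV = """# .env (constructed sample)
API_KEY=sk-abc123xyz789
DATABASE_URL="postgres://localhost/mydb"

DEBUG=true
"""

if __name__ == "__main__":
    load_dotenv_file(".env")
    api_key = require_env("API_KEY")
    print(f"Sending request with API key: {redact(api_key)}")
```

The no-override default matters in production: the platform's own value for a variable should win even if a stray .env file ships with the build, and require_env turns a forgotten setting into one readable error at startup rather than a crash on the first request.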