define env-file --plain-english
Env File
TLDR: Where your secret keys live, out of the code.
There are people who run bots all day doing one thing: scanning public code for secrets somebody forgot to hide. They find a leaked key, and within minutes they're spending your money. This is the file that keeps you off that list.
Here's the problem it solves. Your code needs sensitive things just to run:
But the code itself often ends up public, sitting on GitHub for the whole internet to read. So if you write your password straight into the code, you've taped your house key to the front door and posted the address online. Bad.
So the secrets don't go in the code. They go in a separate file, off to the side, that never gets shared. That file is called .env (say it "dot env," short for environment).
The locked drawer.
Think of a play. There's the script, and there's the cast list with the actors' real names and home addresses.
- The script gets handed to everyone. That's your code. Public, fine, share it freely.
- The real names and addresses stay in a locked drawer backstage. That's your .env. Nobody outside the building sees it.
Your code never contains the actual password. It just contains an instruction: "go grab the password from the drawer." The .env file is the drawer that holds the real thing. The code points at the secret. The .env is the secret.
Why this is genuinely clever, not just safe.
Because the secrets live outside the code, the same code runs everywhere. You just swap what's in the drawer:
- On your laptop, the drawer holds your test keys.
- On your teammate's laptop, their keys.
- On the live server, the real production keys.
Same script, different drawer at each theater. Nobody has to touch the code to change which secrets it uses. That's the whole trick.
The one rule that bites people.
Say it with me:
.env files never get committed or pushed to GitHub.
A leaked key is the classic rookie mistake, and it's expensive. The good news is the tools have your back. There's a standard "pretend this file doesn't exist" setting called a .gitignore file. List .env in it once, and your time machine (Git) simply refuses to ever save or upload that drawer. Set it and forget it.
# .gitignore
.env
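Here is what "go grab the password from the drawer" and the .gitignore rule look like in working code. This is an added example, not code from the original page; it is a small hand-written loader (real projects usually use a library such as python-dotenv instead), and the .env and .gitignore contents are constructed placeholders, not real keys.

```python
import os

# Constructed sample .env file (placeholder values, not real credentials).
SAMPLE_ENV = """\
# Local settings for my laptop; this file is never committed.
export DATABASE_URL=postgres://app:local-password@localhost/app
API_KEY="sk-example-not-a-real-key"
DEBUG=true
"""

# Constructed sample .gitignore for the check below.
SAMPLE_GITIGNORE = """\
node_modules/
.env
"""


def parse_env(text):
    """Parse .env text into a dict.

    Accepts KEY=VALUE lines, skips blank lines and # comments, tolerates an
    optional leading 'export ', and strips one pair of matching quotes.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue  # not a KEY=VALUE line; ignore rather than guess
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if key:
            values[key] = value
    return values


def get_secret(name, file_values, environ=None):
    """Fetch one secret: the real environment wins, the .env file is the fallback.

    That precedence is what lets the same code run on a laptop (keys in .env)
    and on a server (keys set in the environment, no .env file at all).
    Raises KeyError when neither has it, so a missing key fails loudly at
    startup instead of silently running with an empty password.
    """
    environ = os.environ if environ is None else environ
    if name in environ:
        return environ[name]
    if name in file_values:
        return file_values[name]
    raise KeyError(f"secret {name!r} is set in neither the environment nor .env")


def env_is_ignored(gitignore_text):
    """True if the .gitignore text tells Git to ignore a file named .env.

    Only the common spellings are recognized; a later '!.env' line re-includes it.
    """
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in (".env", "/.env", "*.env", ".env*"):
            ignored = True
        elif line in ("!.env", "!/.env"):
            ignored = False
    return ignored


def redact(value, keep=4):
    """Show only the first few characters when printing, so logs don't leak keys."""
    return value[:keep] + "..." if len(value) > keep else "***"


if __name__ == "__main__":
    file_values = parse_env(SAMPLE_ENV)
    for name in ("DATABASE_URL", "API_KEY", "DEBUG"):
        print(f"{name} = {redact(get_secret(name, file_values))}")
    print(".env ignored by Git:", env_is_ignored(SAMPLE_GITIGNORE))
```

Two things worth noticing. The code never contains a key, only the names of keys, and it refuses to start if one is missing rather than falling back to a hard-coded default. And the .gitignore check only protects future commits: a .env that was already pushed is still in the repository's history, and the only fix for that is to replace (rotate) the leaked keys.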
One heads-up that trips everyone up the first time: that dot at the front of .env makes it a hidden file. You won't see it in your folders by default. To reveal hidden files:
- Mac: in Finder, press Cmd + Shift + . (the period key).
- Windows: open File Explorer, go to View, turn on "Hidden items."
You don't have to write any of this from scratch. When an AI sets up a project for you, it usually creates the .env and the .gitignore on its own, and drops the keys in the right place. Knowing what they are just means you'll understand it when your agent says "I'll put that in your env file," instead of nodding along.
Keep the keys in the drawer. Keep the drawer out of the code.