3.4 Hiding API Keys with Environment Variables (dotenv) and Pushing Code to GitHub

3.4 Hiding API Keys with Environment Variables (dotenv) and Pushing Code to GitHub

In this lesson, we will address how to can hide an API key using environment variables and open source the code on GitHub.


🔗 dotenv:
🔗 GitHub:

🎥 Git and GitHub:

🚂 Website:
💖 Patreon:
🛒 Store:
📚 Books:

🎥 Coding Challenges:
🎥 Intro to Programming:

🔗 p5.js:
🔗 Processing:

📄 Code of Conduct:

35 thoughts on “3.4 Hiding API Keys with Environment Variables (dotenv) and Pushing Code to GitHub

  1. I had a question: Can the same effect be accomplished with a config.json and including that in the gitignore?

  2. .env is not bundled if we build apk. is right ? my .env not working on the apk. i have an encrypted .env.pro, it runs in the simulator, it doesn't work when build on debug / release. Do you have any tutorials to make env run on debug / release apk version? thanks.

  3. Using dotenv package and store the API_KEY in .env file does not completely hide the API_KEY. It is fine for GitHub because someone visiting this repo they wont be able to see the API_KEY. But if the project is deployed in sever then anyone can see the API_KEY from the browser when they visit this particular website. The best way to hide the API_KEY is store it in the backend and make the API calls from the backend only. Only send the response data to the frontend. And to add more security you can set up CORS for the API_KEY so even if someone gets access to the API_KEY they wont be able to send request as the request will be rejected and only the request from the domains mention in the CORS will be able to make successful request using this API_KEY.

  4. but this works just for development on github… if I go in production like a jam stack project? it is not hidden right?

  5. Typing those command line commands made me feel like a real programmer 😎 Thank you for this awesome playlist!

  6. I always feel like a student when listening to you. Your videos are perfectly engaging. Thanks so much for this variable

  7. require('dotenv').config is a sever-side technology not a browser, hence, I am getting an error on my console. How are you not getting this error?

  8. Seems like the only reason why API keys are hidden is because the project is made public on github. Am I anywhere closed to the truth?

  9. always sounds to me like you're saying "I'm going to post this in the video's subscription," but I'm sure you're saying "video's description".

  10. if you are working on linux you may experience a problem when running the code, "undefined" gets returned, thats because you need to set the env variable yourself.
    go to bashrc and do export ENV_VARIABLE=VALUE no spaces around the equal and if the VALUE has spaces add quotes around it

  11. It says require is not defined for me in the console. I followed the steps in terminal, have the lastest version of node etc.???

  12. so if someone down loads the repository to try out the web app will they still be able to use is even though they wont have the api key… (for me i didn't want to show the world my database URL and password)

  13. Hi, Great tutorial!. I am new to this. I need to hide api keys but I don´t know how to install the dotenv. I tried to run install command you showed in he video, but I am doing something wrong in the terminal of my mac. Any recommendation anyone? Thanks

  14. Spectacular tutorial! Thank you. It's very clear. I wonder if using any browser inspector, can anyone see the API_KEY? Looking inside the code or in the Request to the API message?

  15. Thank you so much i have been searching one good video for days. finally got this one. this one is quick, understandable

Leave a Reply

Your email address will not be published. Required fields are marked *