Replit Secrets & Environment Variables
The complete guide to managing API keys, credentials, and sensitive configuration securely in Replit.
TL;DR: Use Replit Secrets, Not .env Files
Replit Secrets are encrypted, hidden from forks, and not visible in version history. Regular .env files are visible in your code. Always use the Secrets tab (lock icon in sidebar) for API keys and credentials.
Secrets vs Environment Variables
| Feature | Replit Secrets | .env Files |
|---|---|---|
| Encrypted at rest | Yes | No |
| Hidden from code editor | Yes | No |
| Hidden in forked Repls | Yes | No |
| Not in version history | Yes | No |
| Accessible at runtime | Yes | Yes |
How to Use Replit Secrets
1. Open the Secrets Tab
Click the lock icon in the left sidebar, or press Cmd/Ctrl + Shift + S.
2. Add Your Secret
Click "New Secret" and enter a key and value, for example the key OPENAI_API_KEY with the value sk-proj-xxxxx...
3. Access in Your Code
Access secrets via environment variables:

```python
# Python
import os
api_key = os.environ['OPENAI_API_KEY']
```

```javascript
// JavaScript/Node.js
const apiKey = process.env.OPENAI_API_KEY
```

```typescript
// TypeScript
const apiKey = process.env.OPENAI_API_KEY as string
```

Security Best Practices
Always use Secrets for sensitive data
API keys, database credentials, OAuth secrets, JWT secrets - anything sensitive goes in Secrets, not in code or .env files.
Use descriptive key names
Use clear names like STRIPE_SECRET_KEY instead of KEY1. Include the service name and key type.
Validate that secrets exist before using them
Check that every required secret is set at startup and fail fast with a helpful error message if one is missing, rather than failing later with a confusing authentication error.

```javascript
if (!process.env.API_KEY) {
  throw new Error('API_KEY secret is required')
}
```

Be careful with collaborators
Collaborators with edit access can see your Secrets. Only invite trusted people to Repls with sensitive credentials.
Rotate secrets regularly
Especially if a collaborator leaves or you suspect a secret may be compromised. Most services let you regenerate API keys.
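The two practices above (descriptive key names and fail-fast validation) combined into one startup check, as an added example that is not part of the original guide. It reads the secrets Replit exposes through process.env; the secret names STRIPE_SECRET_KEY and DATABASE_URL, the naming pattern and the helper names are assumptions made for the illustration:

```javascript
// Added example (not from the original page): validate required Replit
// Secrets from process.env before the app does any work.
// The secret names below are illustrative; use the ones your app needs.
const REQUIRED_SECRETS = ['STRIPE_SECRET_KEY', 'DATABASE_URL'];

// Naming convention assumed here: SERVICE_TYPE, uppercase, underscore-separated,
// so vague names like KEY1 or apikey are rejected before they spread.
const SECRET_NAME_PATTERN = /^[A-Z][A-Z0-9]*(_[A-Z0-9]+)+$/;

function isDescriptiveSecretName(name) {
  return SECRET_NAME_PATTERN.test(name);
}

// Returns a frozen object with the required secrets, or throws one error that
// lists every missing or blank secret, so a fresh Repl fails fast with a single
// clear message that points the developer at the Secrets tab.
function loadRequiredSecrets(env = process.env, required = REQUIRED_SECRETS) {
  const badNames = required.filter((name) => !isDescriptiveSecretName(name));
  if (badNames.length > 0) {
    throw new Error(`Non-descriptive secret names: ${badNames.join(', ')}`);
  }

  const missing = required.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    throw new Error(
      `Missing required secrets: ${missing.join(', ')}. ` +
        'Add them in the Secrets tab (lock icon in the sidebar).'
    );
  }

  const secrets = {};
  for (const name of required) secrets[name] = env[name];
  // Only the names are ever logged; values stay out of the console.
  console.log(`Loaded secrets: ${required.join(', ')}`);
  return Object.freeze(secrets);
}
```

Call loadRequiredSecrets() once at the top of your entry file and keep the returned object in module scope; passing a different env object makes the check easy to unit-test without touching real credentials.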
Common Mistakes to Avoid
Hardcoding secrets in code

```javascript
// ❌ NEVER do this
const apiKey = "sk-proj-abc123..."
```

Committing .env files
If you must use .env files locally, add them to .gitignore. Better yet, use Secrets exclusively.
Logging secrets

```javascript
// ❌ NEVER do this
console.log('API Key:', process.env.API_KEY)
```

Exposing secrets to the frontend
In full-stack apps, secrets are only available server-side. Don't pass them to React/Vue components.
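The last two mistakes (logging secrets and exposing them to the frontend) share one fix: the secret is read only inside the server process, the browser receives a separate public config, and anything that gets logged passes through a redaction step. The following is an added example, not code from the original guide. It uses the OPENAI_API_KEY name from the guide; the PUBLIC_APP_NAME variable, the routes and the helper names are assumptions:

```javascript
// Added example (not from the original page): keep the API key server-side,
// serve the browser a config object that never contains it, and redact secret
// values from anything that reaches the log.

// Values the frontend is allowed to receive. The secret is deliberately absent.
// PUBLIC_APP_NAME is an assumed, non-sensitive environment variable.
function buildPublicConfig(env = process.env) {
  return {
    appName: env.PUBLIC_APP_NAME || 'demo-app',
    apiBase: '/api', // the browser calls this server, never the upstream API directly
  };
}

// Replace every occurrence of a secret value with a marker, so an accidental
// console.log of an error or response body cannot leak the key.
function redactSecrets(text, secretValues) {
  let out = String(text);
  for (const value of secretValues) {
    if (typeof value === 'string' && value.length >= 8) {
      out = out.split(value).join('[REDACTED]');
    }
  }
  return out;
}

// Headers for the upstream call; the key exists only in this server process.
function buildUpstreamHeaders(apiKey) {
  if (!apiKey) throw new Error('OPENAI_API_KEY secret is required');
  return { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' };
}

// Pure route handler: returns { status, body } so it can be tested without a socket.
// /config  -> public config for the React/Vue frontend
// /api/ping -> proves the server can build the authenticated upstream request
function handleRequest(url, env = process.env) {
  const apiKey = env.OPENAI_API_KEY;
  try {
    if (url === '/config') {
      return { status: 200, body: JSON.stringify(buildPublicConfig(env)) };
    }
    if (url === '/api/ping') {
      const headers = buildUpstreamHeaders(apiKey); // would be passed to fetch(upstream, { headers })
      return {
        status: 200,
        body: JSON.stringify({ ok: true, upstreamAuthConfigured: Boolean(headers.Authorization) }),
      };
    }
    return { status: 404, body: JSON.stringify({ error: 'not found' }) };
  } catch (err) {
    // Log for debugging, but only after stripping the secret value.
    console.error(redactSecrets(err.message, [apiKey]));
    return { status: 500, body: JSON.stringify({ error: 'server error' }) };
  }
}

// Wires the handler to Node's built-in http module for a real Repl.
function startServer(port = 3000) {
  const http = require('http');
  return http
    .createServer((req, res) => {
      const { status, body } = handleRequest(req.url);
      res.writeHead(status, { 'Content-Type': 'application/json' });
      res.end(body);
    })
    .listen(port);
}
```

The frontend fetches /config and /api/... from this server; because handleRequest never serializes apiKey into a response body, there is no path by which the value reaches a React or Vue component, and the redaction in the catch block covers the logging case as well.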
Frequently Asked Questions
What's the difference between Replit Secrets and environment variables?
Replit Secrets are environment variables with extra security features. They're encrypted at rest, hidden from the code editor, not visible in forked Repls, and don't appear in version history. Regular environment variables in .env files are visible in your code.
Can collaborators see my Replit Secrets?
Yes, collaborators with edit access can see your Secrets. Be careful who you invite to collaborate on Repls containing sensitive API keys or credentials. If someone leaves your team, rotate any secrets they had access to.
Do Replit Secrets work in deployments?
Yes, Replit Secrets are available in both development and deployed environments. The same secrets you set in the Secrets tab are accessible when your Repl is deployed. You don't need to configure them separately.
Even with Secrets configured properly, secrets can leak through code mistakes. Scan your deployed app to find exposed API keys.
Last updated: January 15, 2026