Best practice for .env variables #4902
-
|
I'm new to Capacitor and I've been looking all day for best practice around .env variables. In my React app, I have database string and API key stored in .env file (and "secrets" in production on Vercel). What's the best way to get these .env variables into Capacitor's iOS and Android builds since .env file isn't read in the mobile runtimes? I didn't see anything obvious in the capacitor configuration file docs but that's my best guess... Any tips would be much appreciated. Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
You don't. Those are sensitive server-side values you absolutely do not want in your client-side mobile app. Anything sensitive like that will be stored on a server and accessed indirectly through safely exposed APIs. If you absolutely must store client-side secrets (such as an encryption key) you'll need to explore advanced mobile security features, like those in Identity Vault. However, if you have non-sensitive secrets you want to build into your app, your framework of choice, such as React, should have the ability to pull in env vars through the features available in your build setup. I would consult that framework's docs for more info on that. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the quick reply @mlynch. I'll be sure to keep all secrets server side for now. |
Beta Was this translation helpful? Give feedback.
You don't. Those are sensitive server-side values you absolutely do not want in your client-side mobile app. Anything sensitive like that will be stored on a server and accessed indirectly through safely exposed APIs. If you absolutely must store client-side secrets (such as an encryption key) you'll need to explore advanced mobile security features, like those in Identity Vault.
However, if you have non-sensitive secrets you want to build into your app, your framework of choice, such as React, should have the ability to pull in env vars through the features available in your build setup. I would consult that framework's docs for more info on that.