IndustriesWorkPlaybookHow it worksAboutBook a systems auditBring us your idea

What is an environment variable, in plain English?

Straight answer

An environment variable is a setting your app needs to run, like a database password or an API key, kept outside the code and set separately on each place the app runs. This keeps secrets out of the public code, where they could be stolen, and lets the same app use different settings in preview and live.

Information current as at 5 July 2026

Environment variable is a mouthful of a term for a simple and important idea. It is where your app keeps its secrets and its settings, safely apart from the code itself. Understanding it explains two things at once: why secrets must be handled carefully, and why an app that worked in preview so often breaks the moment it goes live.

Plain English
Environment variable
A setting or secret your app needs, stored outside the code and set per place the app runs.
Secret
A sensitive value like a password or key that must not be exposed publicly.
Environment
A particular place your app runs, such as your private preview or the live version.
Exposed key
A secret that has ended up somewhere public, such as in code a visitor can read.

The idea behind it

Your app needs certain sensitive settings to work: the password to its database, the keys to any services it uses for payments or email, and so on. There are two places these could go. You could write them directly into the code, which is easy but dangerous, because code often ends up somewhere it can be read. Or you could keep them separately, outside the code, and have the app look them up when it runs. That separate store is what environment variables are. The name is literal once you unpack it: they are values, variables, that belong to the environment the app is running in, rather than to the code itself. The code says use the database password, and the environment supplies the actual password at the moment it runs. The secret and the code stay apart, which is exactly the point.

Why secrets must stay out of the code

This separation is not fussiness; it is one of the most important safety practices there is. Code has a habit of travelling. It gets pushed to repositories, shared with helpers, deployed to hosts, and sometimes accidentally made public. Anything written into the code travels with it. So a database password or an API key sitting in the code is a password sitting in every copy of the code, waiting for one of those copies to end up somewhere a stranger can read it. And when a secret leaks, the consequences are real: someone can read your database, run up charges on your account, or misuse a service in your name. Keeping secrets as environment variables means the code can be shared freely without the secrets going with it. AI builders sometimes fail at this, leaving keys sitting in the code or logs, which is why an exposed key is one of the most common serious holes in AI-built apps.

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

The other job: different settings per environment

Environment variables do a second useful job that explains a common mystery. The same app often runs in more than one place: a private preview where you build and test, and the live version real customers use. These are different environments, and they may need different settings, perhaps a test database in preview and the real one when live. Because the settings live in the environment rather than the code, the same code can run in both places and simply pick up whichever values are set where it is running. This is elegant, but it has a sharp edge. When you deploy your app to the live host, the code travels but the environment variables do not come along automatically, because they belong to the environment, not the code. Unless you set them again on the live host, the live app has the instructions but none of the secrets, so it cannot connect to anything.

Why this explains the classic broken launch

This is the reason behind one of the most common frustrations people hit: the app works perfectly in preview, then shows a blank page or an error the moment it is live. It feels random, but it is almost always the same thing. The preview environment had all the secret settings filled in, so everything connected. The live environment is fresh and empty until you fill it in, and the deploy did not bring the secrets across on purpose. The app is not broken; it is missing its keys. The fix is to add every environment variable your app needs to the live host's settings and redeploy, so it picks them up. And the way to avoid the whole category of surprise is to keep a simple list of every secret your app depends on and confirm all of them are set on the live host before you call a launch finished. Understanding environment variables turns that mystery into a five-minute check.

Common questions

Questions, answered

What is an environment variable in one sentence?
It is a setting or secret your app needs to run, like a database password or an API key, kept outside the code and set separately on each place the app runs. It keeps secrets out of the public code and lets the same app use different settings in preview and live.
Why not just put the secrets in the code?
Because code travels: it gets shared, deployed, and sometimes made public, and any secret written into it travels too. A leaked key lets someone read your database or run up your bill. Keeping secrets as environment variables means the code can be shared without the secrets going with it.
Why does my app break when it goes live even though it worked in preview?
Almost always because the environment variables did not travel with the deploy. Preview had all the secrets filled in; the live host is empty until you set them. Add every secret to the live host's settings and redeploy, and the app connects again.
How do I know if a key of mine has been exposed?
Look at whether any secret keys appear in your code, in pages a visitor can view, or in logs. AI builders sometimes leave them there. If a key has ever sat somewhere public, treat it as compromised and regenerate it, then store the new one as an environment variable.
No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Start here

Two doors. Same senior team.

Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.