
Where should secret keys be stored for a Node.js app?

Last Updated : 27 Apr, 2021

Securing sensitive data and credentials such as third-party API credentials, session secret keys, DB connection credentials, security tokens, and encryption/decryption keys is extremely important, because publicly exposing them can result in your account being compromised, which could lead to unexpected charges on your account. Hardcoding secret values in the source code, or committing private keys, passwords, or other sensitive details to version control, can be disastrous. The best way to handle configuration keys or credentials like API keys with Node.js is to use environment variables.

Environment variables: Environment variables let you configure a value used in the code from outside your application. An environment variable is a dynamic name/value pair, and one can create any number of environment variables. Environment variables live outside the application, in the operating system or container where the application is deployed. Most applications are deployed in a development environment first, before being deployed to the production environment. Hence, we have to make sure that each environment has been configured correctly. Environment variables make it possible to provide different configuration options for different environments.

Some common examples of Environment variables are: 

  1. Database connection information
  2. API endpoints
  3. Third Party API Keys and secrets
  4. Email ID and password
  5. HTTP ports/address

Setting Environment Variable:

The syntax for setting an environment variable is as follows, where ENV_VARIABLE_NAME is the name of our environment variable and VALUE is the value for that particular variable.


Node.js provides the process object, a global object that provides information about, and control over, the current Node.js process. As a global, it is always available to Node.js applications without using require(). The process object has a property, .env, which returns an object containing the user environment.

Reading Environment Variables:

To read environment variables from a .env file, we need a parser. The parser reads the variables one by one and loads them into the environment. The npm package dotenv is a zero-dependency module that loads environment variables from a .env file into the process.env object.

Module Installation: To install this package, type the following command in the terminal:

npm install dotenv

Requiring Module: Require dotenv package in the app using the following code:


Now, we can access any environment variable using process.env.[ENV_VARIABLE_NAME]

Example: Consider an e-commerce Node.js application with environment variables such as the server PORT number, database connection URL and password, Stripe API key, email ID and password, session secret key, etc.

Step 1: Create a file named ‘.env’ in the root folder of the project which will store all our environment variables. For example, our file looks like the following:


DATABASE_PASSWORD=<your password>
STRIPE_API_KEY=<your stripe api key>
EMAIL_PASSWORD=<your email password>

Step 2: Create an index.js file where we will access our defined environment variable.


// Load the variables from the .env file in the project root (Step 1) into process.env
require('dotenv').config();

// Demonstration only: real secret values should not be written to logs
console.log("PORT:", process.env.PORT);
console.log("DATABASE_URL:", process.env.DATABASE_URL);
console.log("DATABASE_PASSWORD:", process.env.DATABASE_PASSWORD);
console.log("EMAIL_ID:", process.env.EMAIL_ID);
console.log("STRIPE_API_KEY:", process.env.STRIPE_API_KEY);
console.log("EMAIL_PASSWORD:", process.env.EMAIL_PASSWORD);

Step 3: Run the index.js file using the following command:

node index.js
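
The index.js above prints every value, including passwords and API keys, which would put them in application logs. As an added example (not part of the original article), here is a startup check that fails fast when a variable from the article's .env is missing and logs only a redacted view. The loadConfig and redact names, the choice of which variables count as secret, and all sample values are assumptions.

```javascript
// Added example (not from the original article): fail-fast config loading.
// Variable names follow the article's .env example; all values are constructed.
const REQUIRED = ['PORT', 'DATABASE_URL', 'DATABASE_PASSWORD',
                  'EMAIL_ID', 'STRIPE_API_KEY', 'EMAIL_PASSWORD'];
// Names whose values must never appear in logs
// (assumption: DATABASE_URL is included because a URL may embed credentials).
const SECRET = new Set(['DATABASE_URL', 'DATABASE_PASSWORD',
                        'STRIPE_API_KEY', 'EMAIL_PASSWORD']);

function loadConfig(env = process.env) {
  // Treat unset and blank values the same: both are misconfiguration.
  const missing = REQUIRED.filter((k) => !env[k] || env[k].trim() === '');
  if (missing.length > 0) {
    // Report variable names only, never their values.
    throw new Error('Missing environment variables: ' + missing.join(', '));
  }
  const port = Number(env.PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('PORT must be an integer between 1 and 65535');
  }
  const config = { PORT: port };
  for (const k of REQUIRED) if (k !== 'PORT') config[k] = env[k];
  return Object.freeze(config); // prevent accidental mutation at runtime
}

// Copy of the config that is safe to log: secret values replaced by a marker.
function redact(config) {
  const out = {};
  for (const [k, v] of Object.entries(config)) {
    out[k] = SECRET.has(k) ? '[REDACTED]' : v;
  }
  return out;
}

// Constructed sample environment, standing in for process.env after dotenv has run.
const sampleEnv = {
  PORT: '3000',
  DATABASE_URL: 'mongodb://db.example.test/shop',
  DATABASE_PASSWORD: 'constructed-db-password',
  EMAIL_ID: 'shop@example.test',
  STRIPE_API_KEY: 'constructed-stripe-key',
  EMAIL_PASSWORD: 'constructed-email-password',
};

console.log(redact(loadConfig(sampleEnv)));
```

In a real application, call loadConfig() with no argument right after require('dotenv').config() so the process exits at startup instead of failing later with an undefined credential.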


NOTE: Always add the .env file to .gitignore to prevent it from being committed to version control. If you have ever committed a .env file by mistake, generate new API keys and change passwords as soon as possible to avoid any disastrous effects, and remove the file from being tracked by the version control system.
