Docs · Guides

Environment variables & secrets.

Configuration lives outside your code. Set variables per project in the dashboard; they’re present in your build and injected into your running app — encrypted at rest either way.

Setting variables

Open your project’s Env Vars tab and add key/value pairs. To migrate an existing app, paste your whole .env file into the bulk editor — it parses the standard format:

DATABASE_URL=postgres://…
STRIPE_SECRET_KEY=sk_live_…
RESEND_API_KEY=re_…

Changes apply on the next deploy — redeploy after editing so the build and the running process both see the new values.

Sensitive variables

Mark a variable sensitive and its value becomes write-only: it still reaches your app normally, but the dashboard never displays it again. Use this for API keys, tokens, and anything you wouldn’t want visible over a shoulder.

Build time vs. runtime

Variables are present during the build and at runtime. The distinction that matters is your framework’s browser-exposure rule:

  • Next.js — browser code only sees NEXT_PUBLIC_*, baked at build time.
  • Vite — browser code only sees VITE_* via import.meta.env, baked at build time.
  • Servers (Node, Python, Go, …) — read anything from the environment at runtime; no prefix rules.

Variables Canner sets for you

  • PORT — the port your server must listen on.
  • DATABASE_URL — set automatically when you provision a Postgres database.
  • NODE_ENV=production for Node builds and runtimes.

Preview deploys share the project’s variables — if a preview needs different values (a staging API, say), that’s a signal to split it into its own project.