Are environment variables in React truly secret?
No. Any variable exposed to a React app is visible to users in the browser. Environment variables hide things from your repository, not from users. For real secrets like API keys, use a backend, not frontend env vars.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Use Environment Variables in a React App Safely
Create a .env file with variables prefixed correctly, VITE_ for Vite or REACT_APP_ for Create React App. Read them in code with import.meta.env or process.env. Add .env to .gitignore and set production values in the hosting dashboard.
Because only variables with the right prefix are exposed to the React app. Vite uses VITE_ and Create React App uses REACT_APP_. Other variables remain server-only and are not visible to frontend code, for safety.
No. Add .env to .gitignore so secrets are not committed. Use a .env.example file with placeholder values for documentation, so teammates know what variables to set without seeing real secrets.
Still have questions?
Browse all our FAQs or reach out to our support team
