Browser (build-time, via Vite)
Read in client code with
import.meta.env.VITE_*. Values are bundled into the JS output, so never put secrets here.
Server (runtime, via process.env)
Read inside
.handler() of a server function, never at module top level (env injection happens at call time).
Storing secrets
In production, set the server-side variables via your hosting provider’s secrets manager (Cloudflare Workers secrets, Vercel env vars, Fly secrets, etc.) — never commit them to the repo. The browserVITE_* values are safe to bake into the build.