Skip to main content

Browser (build-time, via Vite)

Read in client code with import.meta.env.VITE_*. Values are bundled into the JS output, so never put secrets here.

Server (runtime, via process.env)

Read inside .handler() of a server function, never at module top level (env injection happens at call time).

Storing secrets

In production, set the server-side variables via your hosting provider’s secrets manager (Cloudflare Workers secrets, Vercel env vars, Fly secrets, etc.) — never commit them to the repo. The browser VITE_* values are safe to bake into the build.