modul 3 — shipping to production
env vars and secrets
An API key in the repo is public the moment you push. Environment variables keep config out of the code, and the platform keeps the secrets out of sight.
~2 min read · ~8 min with the exercise · v1.0 · verified: 2026-07-15
the string that can spend your money
A production project holds strings with power: the database password, the payment provider's secret key, the token that sends email in your name. Commit one of those to the repo and you've published it; a pushed secret counts as leaked, whatever you delete afterwards, because git history keeps it. The environment variable (a key-value pair configured outside the source code, so the value can differ per environment) exists so those strings live outside the code: the platform docs define them as "key-value pairs configured outside your source code so that each value can change depending on the Environment".