1--- 2title: Environment variables and secrets in EAS Build 3sidebar_title: Environment variables and secrets 4description: Learn how to use environment variables and secrets in an EAS Build. 5--- 6 7import { Collapsible } from '~/ui/components/Collapsible'; 8import { Step } from '~/ui/components/Step'; 9import { Terminal } from '~/ui/components/Snippet'; 10 11The [Environment variables in Expo guide](/guides/environment-variables) describes how to use **.env** files to set environment variables that can be inlined in your JavaScript code. The Expo CLI will substitute properly prefixed variables in your code (e.g.,`process.env.EXPO_PUBLIC_VARNAME`) with the corresponding environment variable values in **.env** files present on your development machine. 12 13Because your EAS Build job runs on a remote server, these **.env** files might not be available. For instance, **.env** files are excluded from your uploaded project if they are listed in **.gitignore** or not committed to your local version control system. Additionally, you may want to use environment variables outside of your JavaScript code to customize your app binary at build time, such as setting a bundle identifier or a private key for a error reporting service. Therefore, EAS Build lets you set per-build-profile environment variables within **eas.json** as well as sensitive values that should not be committed to source control via EAS Secrets. 14 15## Setting plaintext environment variables in eas.json 16 17### For use in application code 18 19If you set variables in a **.env** file for local development as described in the [environment variables guide](/guides/environment-variables), you can set those same variables in a build profile in **eas.json**. For instance, you might set an API URL variable to a local backend server when developing locally, a test server for testing, and a production server for production builds. 20 21In this case, your **.env** file might look like this: 22 23```bash .env 24EXPO_PUBLIC_API_URL=http://api.local 25``` 26 27Add any applicable **.env** files to your **.gitignore** (and **.easignore**, if your project has one) file so they are not uploaded with your EAS build job: 28```bash .gitignore 29# ignores all .env files 30.env* 31``` 32 33Then you can set the same environment variable for each build profile in **eas.json**: 34 35```json eas.json 36{ 37 "build": { 38 "production": { 39 "env": { 40 "EXPO_PUBLIC_API_URL": "https://api.production.com" 41 } 42 }, 43 "test": { 44 "env": { 45 "EXPO_PUBLIC_API_URL": "https://api.test.com" 46 } 47 } 48 } 49} 50``` 51 52Any reference to `process.env.EXPO_PUBLIC_API_URL` will be substituted for the applicable value depending on the environment. 53 54> `EXPO_PUBLIC_` variable replacement is available in SDK 49 and higher. See notes for [SDK 48 and lower](/guides/environment-variables#environment-variables-in-sdk-48-and-lower). 55 56### For use by your Expo config 57You can use environment variables in a [dynamic config](/workflow/configuration/#dynamic-configuration) (**app.config.js**) to change how your app is built. For instance, you might want to change your app icon or short name for a test build. 58 59Set the variable in your build profile: 60```json eas.json 61{ 62 "build": { 63 "test": { 64 "env": { 65 "APP_ICON": "./assets/icon-test.png", 66 "APP_NAME": "My App (Test)" 67 } 68 } 69 } 70} 71``` 72 73Then reference that variable in your **app.config.js**, providing fallbacks for local development: 74```js app.config.js 75module.exports = { 76 // use the variable if it's defined, otherwise use the fallback 77 icon: process.env.APP_ICON || './assets/icon.png', 78 name: process.env.APP_NAME || 'My App', 79}; 80``` 81 82> All environment variables in your **eas.json** build profile are available when evaluating **app.config.js**. It's a good practice to only use the `EXPO_PUBLIC_` prefix for variables used within your application code. 83 84### For use by other build steps 85Any environment variables set in your **eas.json** build profile are also available to other build steps. 86 87You can also set environment variables dynamically during the build process. The `set-env` executable is available in the `PATH` on EAS Build workers, and can be used to set environment variables that will be visible in the next build phases. 88 89For example, you can add the following in one of the [EAS Build hooks](/build-reference/npm-hooks/) and the environment variable `EXAMPLE_ENV` will be available until the end of the build job. 90 91<Terminal cmd={[ 'set-env EXAMPLE_ENV "example value"' ]} /> 92 93## Built-in environment variables 94 95The following environment variables are exposed to each build job and can be used within any build step. They are not set when evaluating **app.config.js** locally: 96 97- `CI=1` - indicates this is a CI environment 98- `EAS_BUILD=true` - indicates this is an EAS Build environment 99- `EAS_BUILD_PLATFORM` - either `android` or `ios` 100- `EAS_BUILD_RUNNER` - either `eas-build` for EAS Build cloud builds or `local-build-plugin` for [local builds](local-builds) 101- `EAS_BUILD_ID` - the build ID, e.g. `f51831f0-ea30-406a-8c5f-f8e1cc57d39c` 102- `EAS_BUILD_PROFILE` - the name of the build profile from **eas.json**, e.g. `production` 103- `EAS_BUILD_GIT_COMMIT_HASH` - the hash of the Git commit, e.g. `88f28ab5ea39108ade978de2d0d1adeedf0ece76` 104- `EAS_BUILD_NPM_CACHE_URL` - the URL of npm cache ([learn more](/build-reference/private-npm-packages)) 105- `EAS_BUILD_MAVEN_CACHE_URL` - the URL of Maven cache ([learn more](/build-reference/caching/#android-dependencies)) 106- `EAS_BUILD_COCOAPODS_CACHE_URL` - the URL of CocoaPods cache ([learn more](/build-reference/caching/#ios-dependencies)) 107- `EAS_BUILD_USERNAME` - the username of the user initiating the build (it's undefined for bot users) 108- `EAS_BUILD_WORKINGDIR` - the remote directory path with your project 109 110## Using secrets in environment variables 111 112To provide your build jobs with access to values that are too sensitive to include in your source code and Git repository, you can use "Secrets". 113 114A secret is made up of a name and a value. The name can only contain alphanumeric characters and underscores. The value is limited to 32 KiB. 115 116The value can be either a file or a string value. For a file, its contents are saved to a temporary file on EAS Build servers. The file path is available via the environment variable. For example, if you created a file secret named `SECRET_FILE`, EAS Build will create a file at `/Users/expo/workingdir/environment-secrets/__UNIQUE_RANDOM_UUID__`, and `SECRET_FILE` will be set to that path. 117 118The secret values are encrypted at rest and in transit and are only decrypted in a secure environment by EAS servers. 119 120You can create up to 100 account-wide secrets for each Expo account and 100 app-specific secrets for each app. Account-wide secrets will be exposed to every build environment across all of your apps. App-specific secrets only apply to the app they're defined for and will override any account-wide secrets with the same name. 121 122You can manage secrets through the Expo website and EAS CLI. 123 124> **warning** Always remember that **anything that is included in your client side code should be considered public and readable to any individual that can run the application**. 125> EAS Secrets are intended to be used to provide values to an EAS Build job so that they may be used during the build process. 126> Examples of correct usage include setting the `NPM_TOKEN` for installing private packages from npm, or a Sentry API key to create a release and upload your sourcemaps to their service. 127> EAS Secrets do not provide any additional security for values that you end up embedding in your application itself, such as an AWS access key or other private keys. 128 129### Secrets on the Expo website 130 131To create **account-wide secrets**, navigate to [the "Secrets" tab in your account or organization settings](https://expo.dev/accounts/[account]/settings/secrets). 132 133To create **app-specific secrets**, navigate to [the "Secrets" tab in your project dashboard](https://expo.dev/accounts/[account]/projects/[project]/secrets). If you haven't published your project yet and it isn't visible on the website, you can create it on the website from this link. 134 135### Adding secrets with EAS CLI 136 137To create a new secret, run `eas secret:create`: 138 139<Terminal 140 cmd={[ 141 '$ eas secret:create --scope project --name SECRET_NAME --value secretvalue --type string', 142 '✔ ️Created a new secret SECRET_NAME on project @fiberjw/goodweebs.', 143 ]} 144/> 145 146To view any existing secrets for this project, run `eas secret:list`: 147 148<Terminal 149 cmd={[ 150 '$ eas secret:list', 151 'Secrets for this account and project:', 152 '┌────────────────┬────────┬─────────┬──────────────────────────────────────┬─────────────────┐', 153 '│ Name │ Type │ Scope │ ID │ Updated at │', 154 '├────────────────┼────────┼─────────┼──────────────────────────────────────┼─────────────────┤', 155 '│ APP_UPLOAD_KEY │ string │ account │ 366bd434-b538-4192-887c-036c0eddedec │ Oct 05 11:51:46 │', 156 '├────────────────┼────────┼─────────┼──────────────────────────────────────┼─────────────────┤', 157 '│ NPM_TOKEN │ string │ project │ 03f4881f-88fd-4d94-9e35-a5c34d39c2f2 │ Oct 05 11:51:33 │', 158 '├────────────────┼────────┼─────────┼──────────────────────────────────────┼─────────────────┤', 159 '│ SECRET_FILE │ file │ project │ 72c7ac1e-78d0-4fa2-b105-229260cecc88 │ Oct 05 11:52:12 │', 160 '├────────────────┼────────┼─────────┼──────────────────────────────────────┼─────────────────┤', 161 '│ sentryApiKey │ string │ project │ 88dd0296-9119-4d50-a91b-1f646733f569 │ Oct 05 11:51:40 │', 162 '└────────────────┴────────┴─────────┴──────────────────────────────────────┴─────────────────┘', 163 ]} 164/> 165 166### Importing secrets from a dotenv file 167 168If you're using a **.env** file for storing your secrets locally, you can use the `eas secret:push` command to import all of them to EAS: 169 170<Terminal 171 cmd={[ 172 '$ eas secret:push --scope project --env-file ./eas/.env', 173 '✔ Creating secrets on account johndoe...', 174 '✔ Created the following secrets on account johndoe:', 175 '- ABC', 176 '- DEF', 177 '- GHI', 178 ]} 179/> 180 181Beware that EAS CLI will fail if some of the secrets defined in the dotenv file already exist on the server. To force override those secrets, pass the `--force` flag to the command. 182 183#### Doppler integration 184 185You can use the `eas secret:push` command to integrate EAS with your [Doppler](https://doppler.com/) project: 186 187<Terminal 188 cmd={[ 189 '$ doppler run --mount ./eas/.env -- eas secret:push --scope project --env-file ./eas/.env', 190 ]} 191/> 192 193### Accessing secrets in EAS Build 194 195After creating a secret, you can read it on subsequent EAS Build jobs with `process.env.VARIABLE_NAME` from Node.js or in shell scripts as `$VARIABLE_NAME`. 196 197## Common questions 198 199### Can EAS Build use .env files? 200Environment variables defined in a **.env** file are only considered by the Expo CLI. Therefore, if you upload a **.env** file to EAS Build, it can be used to inline `EXPO_PUBLIC_` variables into your application code. 201 202However, the recommended practice is to use **.env** files in your local environment, while defining environment variables for EAS Build in **eas.json**. Environment variables defined in your **eas.json** build profile will be used when evaluating your **app.config.js** when running `eas build` and will be available to all steps of the build process on the EAS Build server. 203 204This may result in some duplication of variables between **.env** files and **eas.json** build profiles, but makes it easier to see what variables will be applied across all environments. 205 206### How do I share environment variables between my local development environment, EAS Update, and EAS Build? 207Environment variables defined in **eas.json** are only available when running an EAS Build job. However, you may wish to change variables used within your application code based on the build profile while minimizing duplicating values you might keep in an **.env** file for local development or for when publishing to EAS Update. 208 209Our [Environment variables in EAS Update guide](eas-update/environment-variables/#sharing-environment-variables-between-local-development-eas-update-and-eas-build) describes a few approaches for sharing environment variables between all of these contexts. 210 211### How are naming collisions between secrets, the `env ` field in **eas.json**, and **.env** files handled? 212Environment variables are applied in the following order: 2131. **eas.json** build profile `env` field 2142. Environment variables defined in EAS Secrets 2153. **.env** files committed to source control and are not in **.easignore** 216 217Variable sources applied last will overwrite the previously loaded source for variables with the same name. So, a secret created on the Expo website or with `eas secret:create` will take precedence over an environment variable of the same name that is set through the `env` field in **eas.json**. 218 219For example, if you create a secret with the name `MY_TOKEN` and value `secret` and also set `"env": { "MY_TOKEN": "public" }` in your **eas.json**, then `process.env.MY_TOKEN` on EAS Build will evaluate to `secret`. 220 221### How do environment variables work for my Expo Development Client builds? 222 223Environment variables set in your build profile that impact **app.config.js** will be used for configuring the development build. When you run `npx expo start` to load your app inside of your development build, only environment variables that are available on your development machine will be used. 224 225### Can I just set my environment variables on a CI provider? 226 227Environment variables must be defined in **eas.json** to be made available to EAS Build builders. If you are [triggering builds from CI](/build/building-on-ci) this same rule applies, and you should be careful to not confuse setting environment variables on GitHub Actions (or the provider of your choice) with setting environment variables and secrets in **eas.json**. 228 229### How to upload a secret file and use it in my app config? 230 231A common use case for uploading file secrets to EAS is when you want to supply your build with the **google-services.json** and **GoogleService-Info.plist** files. Usually, those files should not be checked into the repository. 232 233Here's an example of how to upload **google-services.json** to EAS and use it in your app config: 234 235<Step label="1"> 236 237Upload the file to EAS. 238 239<Terminal 240 cmd={[ 241 '$ eas secret:create --scope project --name GOOGLE_SERVICES_JSON --type file --value ./path/to/google-services.json', 242 '✔ ️Created a new secret GOOGLE_SERVICES_JSON on project @user/myproject.', 243 ]} 244/> 245 246</Step> 247 248<Step label="2"> 249 250Use **app.config.js** to read the path to **google-services.json**. 251 252```js app.config.js 253export default { 254 // ... 255 android: { 256 googleServicesFile: process.env.GOOGLE_SERVICES_JSON, 257 // ... 258 }, 259}; 260``` 261 262</Step> 263