Vibe Coding with Replit -- May 7, 2026

How to Use Environment Variables in Replit to Keep My Keys Safe

By Arjita Sethi, May 7, 2026, 5 min read
Direct Answer

Store API keys and sensitive information in Replit Secrets (environment variables) by opening the padlock icon in the Replit sidebar, creating a secret with a name like STRIPE_SECRET_KEY, and pasting the value. Reference it in your code as process.env.STRIPE_SECRET_KEY. Never paste API keys directly in code files -- Replit code is visible to anyone with access to your project. Secrets are encrypted and only available to your running app.

Why This Matters

Your Replit code files can be viewed by anyone you share your project with and potentially by others depending on your project settings. If you paste an API key directly into a code file -- "const apiKey = 'sk_live_xxxx'" -- that key is visible to anyone who sees the code. For keys that cost money when used (Stripe, OpenAI, Anthropic), this is a serious security risk.

Environment variables solve this problem. The key is stored separately from your code, encrypted by Replit, and injected into your app's environment when it runs. Your code references the key by name, not by value. The actual key value never appears in your code files.

The rule: every API key, every database password, every secret token goes in Replit Secrets. No exceptions. The thirty seconds it takes to add a secret instead of pasting it in code is worth it every time.

How to Add a Secret in Replit

Click the padlock icon in the left sidebar of the Replit editor. Click New Secret. Name it clearly -- STRIPE_SECRET_KEY, ANTHROPIC_API_KEY, DATABASE_URL. Paste the value. Click Save. The secret is now available in your code as process.env.STRIPE_SECRET_KEY (or whatever you named it).

How to Reference Secrets in Code

When Claude writes code that uses an API key, it uses process.env.KEY_NAME automatically -- Claude knows the convention. If you ever see a Claude-generated code snippet with a key pasted directly, ask it to replace that with the environment variable reference instead.
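
The check described above, as an added example that is not part of the original post: a helper that reads a Replit Secret from process.env and fails fast without echoing the value, a redaction helper for logs, and a small scanner that flags lines where a key was pasted into code rather than read from the environment. The key prefixes in the patterns and the sample source lines are constructed assumptions.

```javascript
// Added example (not from the original post): read a Replit Secret safely and
// scan source text for keys that were pasted into code instead of Secrets.

// Read a secret from the environment. Fails fast with a message that names the
// secret but never prints its value, so a missing key cannot leak via logs.
function requireSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(
      `Missing secret ${name}: add it under the padlock (Secrets) icon in Replit`
    );
  }
  return value;
}

// Mask a secret for logging: keep a short prefix so you can tell which key is
// in use without exposing the rest of it.
function redact(value, visible = 7) {
  if (value.length <= visible) return "*".repeat(value.length);
  return value.slice(0, visible) + "*".repeat(value.length - visible);
}

// Patterns for key material that should never appear as a literal in code.
// Assumption: Stripe-style "sk_live_"/"sk_test_" prefixes and a string literal
// assigned to a key-like variable name are the cases worth flagging here.
const HARDCODED_KEY_PATTERNS = [
  /sk_(?:live|test)_[A-Za-z0-9]{8,}/, // Stripe-style secret keys
  /(?:api[_-]?key|secret|token)\s*[:=]\s*['"][^'"]{12,}['"]/i, // literal bound to a key-like name
];

// Scan source text and report lines that contain a hard-coded secret.
// Lines that read the value from process.env are the safe form and are skipped.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    if (/process\.env\./.test(line)) return;
    if (HARDCODED_KEY_PATTERNS.some((re) => re.test(line))) {
      findings.push({ line: i + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: a pasted-in key (line 2) next to the safe process.env form.
const SAMPLE_SOURCE = [
  "const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);",
  "const apiKey = 'sk_live_EXAMPLE0000000000';",
  "const dbUrl = process.env.DATABASE_URL;",
].join("\n");
```

Running findHardcodedSecrets(SAMPLE_SOURCE) reports only line 2; the same scan can be run over any file in the project before it is shared or forked.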

Frequently Asked Questions

How do I use environment variables in Replit?
Open the padlock icon (Secrets) in the Replit sidebar, create a new secret with a clear name (STRIPE_SECRET_KEY), paste the value, and reference it in code as process.env.STRIPE_SECRET_KEY.
Why should I use Replit Secrets instead of putting keys in my code?
Replit code files are visible to anyone with project access. Secrets are encrypted and only available to your running app. API keys pasted in code files are exposed to everyone who can see the project.
Can I use environment variables for database connection strings too?
Yes -- any sensitive configuration value goes in Secrets. Database URLs, passwords, connection strings, OAuth credentials, all of it.
How does Claude know to use environment variables?
Claude automatically uses the process.env.KEY_NAME convention when writing code that requires API keys or sensitive configuration. If you see a key value directly in Claude-generated code, ask it to replace the value with the environment variable reference.
What happens to my Secrets when I fork or share a Replit project?
Secrets are not shared when a project is forked or shared. The person receiving the fork gets the code but not the secret values. They need to add their own keys. This is the correct behavior.