Environment variables
Configure secrets, API keys, and runtime values for your service.
Environment variables let you pass configuration into your service without hard-coding it in your repository. Database URLs, API keys, feature flags, third-party secrets — anything you don't want committed to Git lives here.
Variables are encrypted at rest and only made available to your running service.
Adding a variable
- Open your service.
- Go to the Environment Variables tab.
- Click + Add variable.
- Enter a
KEYandVALUE. - Click Save.
By convention, keys are uppercase with underscores (DATABASE_URL,
STRIPE_SECRET_KEY).
Adding or editing a variable does not affect already-running instances. To apply your changes immediately, click Redeploy on the service overview.
Reading variables in your app
Each variable becomes an environment variable inside your service's processes. Read them the way you'd read any other env var:
const dbUrl = process.env.DATABASE_URL
const stripeKey = process.env.STRIPE_SECRET_KEYimport os
db_url = os.environ["DATABASE_URL"]
stripe_key = os.environ.get("STRIPE_SECRET_KEY")dbURL := os.Getenv("DATABASE_URL")
stripeKey := os.Getenv("STRIPE_SECRET_KEY")db_url = ENV.fetch("DATABASE_URL")
stripe_key = ENV["STRIPE_SECRET_KEY"]Editing or deleting
- Click a row to edit its value. Values are masked by default; click the eye icon to reveal.
- Click the trash icon to delete. Confirmation is required.
Both actions take effect on the next release of your service.
Bulk import from .env
If you already have a .env file:
- Open the Environment Variables tab.
- Click the ⋯ menu → Import .env.
- Paste the contents.
DATABASE_URL=postgres://user:pw@host:5432/db
STRIPE_SECRET_KEY=sk_live_xxxxx
ALLOWED_ORIGINS=https://app.example.com,https://example.comRules:
- Lines starting with
#are treated as comments. - Quotes around values are removed on import.
- Existing keys are overwritten by the import.
Bulk export
From the same ⋯ menu, click Download .env. The download is plaintext — handle with care, especially on shared screens.
Build-time vs runtime
Inhank Cloud makes your environment variables available in both phases:
- During the build — useful for frameworks that bake values into the
output (e.g.
NEXT_PUBLIC_API_URLfor Next.js,VITE_*for Vite). - During runtime — your server reads them at startup with
process.env.X,os.environ["X"], etc.
For most apps, you don't need to think about which phase a variable is used in — adding it once just works.
For static-site frameworks (Vite, Astro, Next.js), variables prefixed
with VITE_, PUBLIC_, or NEXT_PUBLIC_ are baked into the static
output and shipped in your browser bundle. Don't put secrets in these
prefixes — they're readable by anyone who visits your site.
Reserved variables
A handful of variables are managed by the platform. Setting them yourself has no effect:
| Key | Set by Inhank Cloud to | Why |
|---|---|---|
PORT | 8080 (your container port) | The port traffic is routed to. |
INHANK_PROJECT_ID | Your project unique ID | Useful for log correlation. |
INHANK_DEPLOYMENT_ID | Current deployment's ID | Useful for log correlation. |
INHANK_GIT_BRANCH | Current git branch | Useful for log correlation. |
INHANK_COMMIT_SHA | Current commit hash | For reporting versions in your UI. |
Best practices
- Never commit secrets to Git. Even in a private repo — once it's in history, it's hard to remove.
- Use one secret per service. Don't share a single env-var set across multiple services from one repo; each service should have its own.
- Rotate credentials regularly. Database passwords, API keys, signing secrets — update them every few months and on team changes.
- Use sandbox credentials in development. Production credentials should only live in your production service's environment.
- Read once at startup. Cache
process.env.Xinto a constant at boot. Most apps don't pick up env var changes without a restart, and readingprocess.envon every request is slower than necessary.
Common mistakes
"My app starts fine locally but crashes on Inhank Cloud"
The most common cause: a variable that's in your local .env file is not
set in Inhank Cloud. Compare your .env against the Environment
Variables tab and add anything missing.
"I added a variable but it isn't showing up"
You probably haven't redeployed yet. Variables take effect on the next release. Click Redeploy on the service overview.
"I changed PORT and now my app is broken"
PORT is reserved — your custom value is overridden by the platform.
Always read the PORT env variable and listen on whatever value it has.
"My build script can't see a variable"
Variables are available during both build and runtime, but only after they're saved. If your build runs immediately after you save a new variable, it should be picked up. If not, click Deploy again — the new build will see the new value.
Limits
| Limit | |
|---|---|
| Maximum variables per service | 200 |
| Maximum key length | 256 characters |
| Maximum value length | 64 KiB |
| Allowed characters in key | A–Z, 0–9, _. Must start with a letter or _. |
Security
- Variables are encrypted at rest with industry-standard ciphers; the encryption key is stored separately from the database.
- Decrypted values exist only in memory when the service is running.
- Inhank Cloud staff cannot read your variable values.
- Values are masked in build logs by default; if you ever see an unmasked secret, please report it.
