Secrets & Environment Variables
Updated Mar 29, 2026
Safely manage API keys, credentials, and configuration.
Environment Variables
Manage environment variables in the Environment tab:
- Add variables for Dev and Prod separately
- Variables are injected into your backend at runtime
- Never hardcoded in source code
Secret Detection
XAIO automatically detects when you paste secrets (API keys, passwords, tokens) into the chat:
- A warning dialog appears before sending
- You can choose to mask the secret or send it anyway
- Detected patterns: API keys, passwords, tokens, connection strings
Best Practices
- Never hardcode secrets — Use environment variables instead
- Use different keys for Dev and Prod — Separate API keys for each environment
- Tell the AI about your env vars: "Use the STRIPE_API_KEY environment variable for payments"
- Don't paste full connection strings in chat — Add them in the Environment tab instead
How the AI Uses Env Vars
When you ask the AI to integrate an external service, it automatically:
- Creates an environment variable for the API key
- References it via process.env (frontend) or os.getenv (backend)
- Never hardcodes the actual value
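Added example, not XAIO's own code: a Python sketch of the two mechanisms described above, a detector that flags and masks the secret classes listed under Secret Detection before a message is sent, and a backend helper that reads a key through os.getenv and fails fast when it is unset. The regexes and the placeholder format are assumptions for this example, not XAIO's actual detection rules.

```python
import os
import re

# Illustrative patterns for the secret classes the page lists (API keys,
# passwords, tokens, connection strings). Assumptions for this example only,
# not XAIO's actual detection rules.
SECRET_PATTERNS = {
    "stripe_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{16,}"),
    "connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://\S+:\S+@\S+"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

def find_secrets(text):
    """Return (kind, matched_text) pairs for every secret-looking span in text."""
    return [(kind, m.group(0))
            for kind, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(text)]

def mask_secrets(text):
    """Replace each detected secret with a placeholder that names only its kind."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(f"<{kind} redacted>", text)
    return text

def prepare_chat_message(text):
    """Mirror the warning step: return the text to send plus the kinds found.
    With no hits the text is returned unchanged; otherwise the masked form."""
    hits = find_secrets(text)
    if not hits:
        return text, []
    return mask_secrets(text), [kind for kind, _ in hits]

def require_env(name, env=None):
    """Backend side: read a secret from the environment and fail fast if unset.
    `env` is an optional dict used for testing instead of the real environment."""
    value = os.getenv(name) if env is None else env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; add it in the Environment tab")
    return value

if __name__ == "__main__":
    # Constructed sample message with a fake Stripe test key and a fake DSN.
    sample = "Use sk_test_abcdefghijkl and postgres://app:s3cret@db.internal:5432/app"
    print(prepare_chat_message(sample))
```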
Integration-Managed Variables
Some environment variables are managed by integrations (e.g., DATABASE_URL from PostgreSQL). These are marked as read-only and cannot be edited manually.