Environment Variables

Store secrets and configuration securely.

Overview

Environment variables let you store configuration and secrets outside your script code. This is the right way to handle API keys, database credentials, and other sensitive values.

Setting environment variables

  1. Open your script in the dashboard
  2. Click the Environment tab
  3. Add key-value pairs

Variables are encrypted at rest and only decrypted when your script runs.

Using environment variables

Access them using Python's os.environ:

import os

API_KEY = os.environ.get("API_KEY")
DATABASE_URL = os.environ.get("DATABASE_URL")
DEBUG = os.environ.get("DEBUG", "false") == "true"

Use .get() with a default value for optional variables:

import os

# Required - will raise if not set
API_KEY = os.environ["API_KEY"]

# Optional - uses default if not set
TIMEOUT = int(os.environ.get("TIMEOUT", "30"))
LOG_LEVEL = os.environ.get("LOG_LEVEL", "INFO")

Example

import os
import requests

def main():
    api_key = os.environ.get("SLACK_WEBHOOK_URL")
    if not api_key:
        raise ValueError("SLACK_WEBHOOK_URL not set")

    message = "Daily report: all systems operational"

    requests.post(api_key, json={"text": message})
    print("Message sent to Slack")

if __name__ == "__main__":
    main()

Best practices

Never hardcode secrets. Always use environment variables for:

  • API keys and tokens
  • Database credentials
  • Webhook URLs
  • Any value that varies between environments

Validate required variables early. Check that required variables are set at the start of your script:

import os

required_vars = ["API_KEY", "WEBHOOK_URL"]
missing = [v for v in required_vars if not os.environ.get(v)]
if missing:
    raise ValueError(f"Missing required environment variables: {missing}")

Use descriptive names. STRIPE_API_KEY is better than KEY. DATABASE_URL is better than DB.

Limits

  • Key names: max 64 characters, uppercase only
  • Values: max 2048 characters

Keys cannot start with reserved prefixes: PYTHON, LD_, PATH, HOME, TMP, LANG.

Security

  • Variables are encrypted using AES-256
  • They're only decrypted in memory during script execution
  • Variables are not logged or included in run output
  • Each script has its own isolated set of variables