
Why Environment Variables Exist (.env Files Explained)

Stop hardcoding API keys. It's dangerous, and there is a better way.

Published
3 min read

Data enthusiast and software developer exploring web development, machine learning, and tech innovations. I share project insights, coding experiments, and practical approaches to solving real-world problems.

Level 0: Basics

Before we talk about hacking and security, let’s look at the name itself: Environment Variable.

You already know what a variable is. In Python, you say x = 10. The code knows that x holds the value 10.

But what is the Environment? The “Environment” is just where your code lives. Right now, your code lives on your computer or laptop, the development environment. Later, it might live on a cloud server, the production environment.

The Analogy: The School Bag. Imagine your code is a student going to school. Hardcoding is like tattooing your home address on the student’s forehead. It’s permanent, everyone can see it, and it’s dangerous. Environment Variables are like putting a note in the student’s backpack. The student can reach into the bag and read the note when needed, but no one looking at the student can see the secret.

Why do you need this?

You are building a weather app. You sign up for a paid API, get your private key, and paste it directly into your code:

# main.py
API_KEY = "sk-12345-secret-key-do-not-share"
url = f"https://api.weather.com?key={API_KEY}"

You finish the project and push it to GitHub to show it to a recruiter. A while later, you get an email. “Usage Limit Exceeded”.

The Reality: Bots constantly scan GitHub for strings that look like keys (sk-…). A bot found your key and used it to mine crypto or spam requests. Now your account is banned. This happens to thousands of students every year. The industry solution is the .env file.

How to Use It

We are going to move that secret key out of your code and into a safe “backpack”. I will explain how to create an environment variable in Python.

Step 1: Install the tool

Python doesn’t read these files by default. We need a library called python-dotenv.

pip install python-dotenv

Step 2: Create the Secret File

Create a new file in your folder named .env (no name, just the extension). Add your secrets here. This file is plain text.

# .env file
API_KEY=my_super_secret_password_123
DB_PASSWORD=admin123

(Please note that there are no spaces around the = sign!!!)

Step 3: Connect it to Python

Now, update your Python code to look in the backpack.

import os
from dotenv import load_dotenv

# Load the secrets from the .env file
load_dotenv()

# Access them safely
my_key = os.getenv("API_KEY")

print(f"My key is: {my_key}")

If you run this, it works. But if you delete the .env file, my_key becomes None. The code logic is separated from the secret data.
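To see what load_dotenv is doing for you, and to handle the None case described above instead of passing None into a URL, here is an added example (not part of the original post and not python-dotenv's own code): a small .env reader that approximates python-dotenv's behaviour, plus a require_env helper that raises a clear error when a variable is missing. The parse_dotenv, load_env_file, require_env and MissingSecret names and the sample .env text are this example's own.

```python
import os
import re
import tempfile
from pathlib import Path

# One KEY=value line, optionally prefixed with "export" as in a shell script.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Turn the text of a .env file into a dict.

    Blank lines and # comments are skipped, matching quotes around a value are
    removed, and an unquoted value stops at " #" (a trailing comment). This is an
    approximation of python-dotenv's parsing written for this example.
    """
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue  # not a KEY=value line; ignored rather than treated as an error
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # quoted value: keep spaces and '#' literally
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        values[key] = value
    return values


def load_env_file(path, override: bool = False) -> dict[str, str]:
    """Put the file's KEY=value pairs into os.environ.

    Like load_dotenv, variables already present in the real environment win
    unless override=True, so a production server's settings are never clobbered
    by a stray .env file.
    """
    loaded = parse_dotenv(Path(path).read_text())
    for key, value in loaded.items():
        if override or key not in os.environ:
            os.environ[key] = value
    return loaded


class MissingSecret(RuntimeError):
    """Raised when a required variable is absent, instead of quietly returning None."""


def require_env(name: str) -> str:
    """Like os.getenv(name), but fail loudly and early if the variable is not set."""
    value = os.environ.get(name)
    if value is None or value == "":
        raise MissingSecret(f"{name} is not set; add it to your .env file")
    return value


def demo() -> dict[str, str]:
    """Write a constructed .env to a temp folder, load it, and return what was loaded."""
    sample = (
        "# .env file (constructed sample for this example)\n"
        "API_KEY=my_super_secret_password_123\n"
        "DB_PASSWORD='admin123'\n"
        "DEBUG=true # local only\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        env_path.write_text(sample)
        return load_env_file(env_path, override=True)


if __name__ == "__main__":
    loaded = demo()
    print("loaded:", sorted(loaded))
    print("API_KEY present:", require_env("API_KEY") == loaded["API_KEY"])
    try:
        require_env("WEATHER_API_KEY")  # deliberately not in the sample file
    except MissingSecret as err:
        print("error:", err)
```

The point of require_env is that a missing .env file now stops the program at startup with a message naming the variable, rather than sending a request with key=None to a paid API and leaving you to puzzle over a 401 later.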

The Most Important Step: .gitignore

If you push the .env file to GitHub, you defeat the purpose. You must tell Git to ignore it.

  1. Create a file named .gitignore

  2. Add this line

.env

Now, when you type git add ., Git sees that .env matches an ignore rule and will not stage it. Your code goes to GitHub. Your secrets stay on your laptop.

How do your teammates run your code?

If the .env file is ignored, your teammate won’t have it. You must create a template file called .env.example.

# .env.example
API_KEY=insert_your_key_here
DB_PASSWORD=insert_password_here

You upload this file. It tells your teammate: “To run this, you need to make your own .env file with these variables.”
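The two steps above (ignore .env, commit .env.example) are easy to get subtly wrong: a typo in .gitignore, a teammate whose .env is missing a key the template requires, or a real value accidentally left in the template. Here is an added example (not part of the original post) with three checks you could run before pushing. The gitignore_ignores function is a simplified model of Git's matching (comments, negation and glob patterns, no directory rules); the env_keys, missing_from_env, example_leaks_secrets and check_repo names, and the sample file contents, are this example's own.

```python
import fnmatch


def gitignore_ignores(gitignore_text: str, filename: str = ".env") -> bool:
    """Would this .gitignore text ignore a top-level file called `filename`?

    Simplified model of Git's rules: comments and blank lines are skipped, a
    leading "!" negates, a leading "/" only anchors to the repo root (which a
    top-level file already satisfies), and "dir/" patterns never match a file.
    Later lines override earlier ones, as in Git.
    """
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        pattern = (line[1:] if negate else line).lstrip("/")
        if pattern.endswith("/"):
            continue  # directory-only pattern
        if fnmatch.fnmatchcase(filename, pattern):
            ignored = not negate
    return ignored


def env_keys(text: str) -> set[str]:
    """Variable names declared in .env-style text (KEY=... lines, comments skipped)."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].strip())
    return keys


def missing_from_env(example_text: str, env_text: str) -> set[str]:
    """Keys the template (.env.example) declares that the local .env has not filled in."""
    return env_keys(example_text) - env_keys(env_text)


def example_leaks_secrets(example_text: str,
                          placeholders=("insert_", "your_", "changeme", "xxx")) -> list[str]:
    """Keys in .env.example whose value does not look like a placeholder.

    The template is committed, so anything real in it is as public as hardcoding.
    A value counts as a placeholder if it is empty or contains one of the markers.
    """
    leaked = []
    for line in example_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value and not any(marker in value.lower() for marker in placeholders):
            leaked.append(key)
    return leaked


# Constructed sample files for the demo.
GITIGNORE = "# local secrets\n.env\n__pycache__/\n"
EXAMPLE = "# .env.example\nAPI_KEY=insert_your_key_here\nDB_PASSWORD=insert_password_here\n"
TEAMMATE_ENV = "API_KEY=abc123\n"  # forgot DB_PASSWORD


def check_repo(gitignore: str = GITIGNORE, example: str = EXAMPLE,
               env: str = TEAMMATE_ENV) -> dict:
    """Run all three checks and return a summary a pre-push script could act on."""
    return {
        "env_ignored": gitignore_ignores(gitignore),
        "missing": sorted(missing_from_env(example, env)),
        "real_values_in_example": example_leaks_secrets(example),
    }


if __name__ == "__main__":
    print(check_repo())
```

In a real repository you would read the three files from disk instead of using the constructed strings; the checks themselves stay the same.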

Conclusion

  • Hardcoding = Tattooing secrets on your forehead. (Don’t do it)

  • Environment Variables = Keeping secrets in your backpack. (Do this)

Check your GitHub repos. If you see a raw API key, remove it and switch to .env.
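The closing advice is to check your repositories for raw API keys. Here is an added example (not part of the original post) of a small scanner that looks for the two shapes this post describes: provider-style key strings (sk-…) and a secret assigned as a string literal in source, while skipping lines that read from the environment. The patterns and the scan_source name are this example's own, and the BEFORE and AFTER samples are constructed from the two snippets earlier in the post.

```python
import re

# Key-shaped strings such as the sk-... keys the post mentions.
KEY_PREFIX = re.compile(r"\bsk-[A-Za-z0-9_-]{8,}")
# A secret-looking name assigned a string literal: API_KEY = "...", password = '...'.
ASSIGNED_SECRET = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|token)\b\s*=\s*["']([^"']{6,})["']"""
)
# Lines that read the value from the environment are the fix, not the problem.
ENV_LOOKUP = re.compile(r"os\.(getenv|environ)")


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reason, line) for each line that looks like a hardcoded secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        if KEY_PREFIX.search(line):
            findings.append((number, "key-shaped string", line.strip()))
        elif ASSIGNED_SECRET.search(line):
            findings.append((number, "secret assigned as literal", line.strip()))
    return findings


# Constructed samples: the hardcoded version and the .env version from the post.
BEFORE = '''# main.py
API_KEY = "sk-12345-secret-key-do-not-share"
url = f"https://api.weather.com?key={API_KEY}"
'''

AFTER = '''import os
from dotenv import load_dotenv

load_dotenv()
my_key = os.getenv("API_KEY")
url = f"https://api.weather.com?key={my_key}"
'''


def report(name: str, text: str) -> int:
    """Print findings for one file and return how many there were."""
    findings = scan_source(text)
    for number, reason, line in findings:
        print(f"{name}:{number}: {reason}: {line}")
    return len(findings)


if __name__ == "__main__":
    print("before:", report("main.py", BEFORE), "finding(s)")
    print("after:", report("main.py", AFTER), "finding(s)")
```

Run it over every tracked file before you push (for example in a pre-commit hook). It is a heuristic, so expect the odd false positive on test fixtures; the cost of a glance at a flagged line is far lower than the cost of a banned account.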