3.4 Hiding API Keys with Environment Variables (dotenv) and Pushing Code to GitHub

As someone who just started learning to code and my first interview being: "The hell you doing your API key is public", this was a godsend video. Very to the point and clear explanation. Subscribed

This is a great tutorial! Thank you for being quick and to the point, as well as informative and helpful!

It was never boring! Actually, you made this serious topic so fun like magic. Also, I loved the ending credit of the train. Creative idea!!! Thank you so much!!!!

no words can describe your awesome explanation

What a great series man, I'm grateful everyone can use resources like this. Going from knowing almost 0 JS to deploying my app was very satisfying.
One update though: if you get this error like me: "npm ERR! Missing script: "start"", add this to the end of your package.json file, before the finishing curly brace:
,"scripts": {
"start": "node index.js"
},

From hiding api keys to adding local source to GitHub ..well summarized things in 10 mins ..great video !

Bro, thank you very much, this is exactly what I needed, you're so good at explaining things

Nice video! I've just recently pushed some API keys to Github. Fortunately they have a service that lets you know when you've screwed up.

As someone who has done this before on my own projects I can say this is legit. Immediate subscribe.

How i didn't know this channel? Awesome tutorial and one of the best teachers that i have ever seen on youtube. Keep up!

I just love the way you teach things! Doesn't even let me feel boring for a single sec! 😊🚀

Thanks a lot ! That's clear and the objectives are so well explained ! I didn't even know that we could code on ecstasy !

Useful stuff as always. Waiting for the next video!

I was suffering to understand the environment variable and its benefits this video the best explanation I have ever seen.

I'm getting the api key returned in my terminal, but now my data is not being returned in the browser and getting console error: Uncaught ReferenceError: require is not defined. Help please

You're so good at explaining things! Thank you!

Thank you so much i have been searching one good video for days. finally got this one. this one is quick, understandable

Great tutorial, but I do want to mention one thing. Environmental variables help you hide your sensitive information for version control purposes. If you build a public website and have environmental variables showing on client side, a user can open the debugger and hover over those variables and see the values of them. Make sure that you use these variables on back-end (server) side if you don't want anyone to see their values.

Hey, love your videos! they're so straight to the point Thank you for putting this out for free 🙏

U made it so fun to watch ....❤

Simple and straight to the point thank you👏🏿

You're a great teacher!!!

Great explanation

Using dotenv package and store the API_KEY in .env file does not completely hide the API_KEY. It is fine for GitHub because someone visiting this repo they wont be able to see the API_KEY. But if the project is deployed in sever then anyone can see the API_KEY from the browser when they visit this particular website. The best way to hide the API_KEY is store it in the backend and make the API calls from the backend only. Only send the response data to the frontend. And to add more security you can set up CORS for the API_KEY so even if someone gets access to the API_KEY they wont be able to send request as the request will be rejected and only the request from the domains mention in the CORS will be able to make successful request using this API_KEY.

Thank you! This is exactly the video and explanation I needed!

Spectacular tutorial! Thank you. It's very clear. I wonder if using any browser inspector, can anyone see the API_KEY? Looking inside the code or in the Request to the API message?

It says require is not defined for me in the console. I followed the steps in terminal, have the lastest version of node etc.???

It works amazingly, thanks a million!

2:00 start
5:30 Create a sample .env
Make sure .gitignore has .env listed

Thank you very much for your explanation 😊

Thanks so much this is helpful.

Very engaging! thank you for the lesson.

Amazing video sir!

can you use .env and gitignore in a vanilla js project?

THank you! I find this fun to learn

you are the goat, thanks so much

Great presentation. Thank you very much

BTW you are amazing teacher!

THIS SAVED MY LIFE THANK YOU

Awesome content and explanation, thanks man!

incredible video, I spend like 1 year in a College trying to use GitHub as they told me without actually know what I was doing. thank you! Just a question... Can I add to the .env file a private key from firebase?

thanx man , this was helpful

Thanks a lot! This has been a lifesaver

super helpful - thank you!

eagerly waiting for the next video of this series....
I want to know more about the available hosting services for node.

Typing those command line commands made me feel like a real programmer 😎 Thank you for this awesome playlist!

could continue this series with PWA. This has been popular with web technology in this modern day.

Very nice, thank you, very educational and entertaining! :)

sheefmahn brilliant series of videos. any videos where you interact with a Database-as-a-Service? SQL or not

Hi, how about if i am using Docker and dont want to publish my .env file in git. But my application is require env file. Can you pls help how to use .env file in Docker container or K8

Muchas gracias bro 😀!

So, so useful. Thanks!

From a “security/ privacy” standpoint, how is this any better than just having a js file with a variable for thr api key in it?

i am first here and very impresed they way you teach , ke

If I were to deploy to vercel how can I retrieve the .env values?

Whats the difference between using dotenv and just throwing them in another javascript file that you export from and then adding that file to the gitignore?
I could watch the video and most likely get the answer to that question; but in the interest of being one of the earliest comments.... please understand.

Awesome, thanks

I suppose if you commit env file before .gitignore file(with line.env), you'll see your .env file in the repo anyway.
To delete it from the history, write this in console:
git rm -r --cached .env
git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD
git push --force

Super helpful video!

Thanks dad xx

his next coding challenge should be solving the heat equation based off of 3blue1brown's video on the same topic

console.log(process.env) doesn't include my .env variable

install:
npm install dotenv
import:
require('dotenv').config()
use:
process.env

Simply awesome

Thanks 👍

Thanks

You saved me, suscribed!

tell me how to find that api keys again on GitHub??

Sir Could you please make a video explaining the resources you use to learn or enhance your programming skills

Bigg thankkk sir

Whatt if someone catch api key from network tab

Hi, I followed your video to publish code on github using dotenv but it doesn't work

you don't need an access token for the logs js file? It seems the website of mapbox requires one

Why when you put the node_modules in the .gitignore file you put a / in front of it?

I had a question: Can the same effect be accomplished with a config.json and including that in the gitignore?

but this works just for development on github... if I go in production like a jam stack project? it is not hidden right?

it only work with node servers but if I try to do it with angular have some several problems

Great Great Great

But your API key is still visible in the sources og the project right ?

Does anyone know how to find your API key? The text folder I created I accidentally deleted and I had to re-generate new APY keys but I do not know where I may find this text file to update it. Any help will appreciate it!

@TheCodingTrain Hi there! I am facing problem in order to upload .env file in my github repo. Since the application doesn't fetching information. What to do???Please help me.

What if index.js and .env are in different folders?

how is this different from just making a json file and storing it there?

The dot means add everything of the current directory.
Otherwise "--all" is required.

Sir where I can Find import and export folder maker in android app resource?

for people who tried to find the GitHub project in the video, here is the link to the GitHub repository: github.com/CodingTrain/The-Weather-Here

are .env not rendered to the browser then or something? What is to stop someone from viewing the app in their browser and fetching your API key out of the rendered JS with inspect element?

can xhr requests be hidden from the console?

How to hide api key in vanila js?

i'm working with custom-env pretty similar, but I need to have two env files, for two environments, how should this be treated? How can i make it work?

Is this supported in Angular?

This will NOT work when a client is connected to your website to use it. As the request is Javascript made, he WILL see the key in the url with the developper tools, Network tab... Am i missing something? i'm not really following that serie..

Does not work with angular though :(

Hi, Great tutorial!. I am new to this. I need to hide api keys but I don´t know how to install the dotenv. I tried to run install command you showed in he video, but I am doing something wrong in the terminal of my mac. Any recommendation anyone? Thanks

always sounds to me like you're saying "I'm going to post this in the video's subscription," but I'm sure you're saying "video's description".

So I do all of this and the key is still visible in console in browser... brutal protection

what about for typescript, doesn't anyone use typescript???? :(

So in which video does he talk about deploying it to a web server?

when the last episode?

I use config module try it