
Platform Integration

Export resolved values, rotate your key, and push/pull vars to deployment platforms.

export works. push and pull are coming.


export

npx dotvars export --env <env> --format <format>

Decrypts config.vars for a given environment and writes the resolved values in the requested format to stdout. Pipe it wherever.

stdout gets the data. stderr gets status messages. Pipes work fine.

Formats

| Format | Output |
| --- | --- |
| dotenv | Standard .env key=value pairs |
| json | JSON object of key/value pairs |
| k8s-secret | Kubernetes Secret manifest (base64-encoded values) |

Examples

# Write a .env file for prod
npx dotvars export --env prod --format dotenv > .env.production

# Pipe straight into your deploy script
npx dotvars export --env staging --format dotenv | some-deploy-tool --env-file /dev/stdin

# Generate a Kubernetes secret manifest
npx dotvars export --env prod --format k8s-secret > secret.yaml

# Export as JSON for custom tooling
npx dotvars export --env prod --format json | jq '.DATABASE_URL'

Flags

| Flag | Short | Description |
| --- | --- | --- |
| --env <name> | | Environment to export (required) |
| --format <fmt> | | Output format: dotenv, json, k8s-secret (required) |
| --file <path> | -f | Use a different vars file |

key rotate

npx dotvars key rotate

Generates a new encryption key, re-encrypts all values in every *.vars file, and replaces .vars/key. The old key is overwritten.

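Before rotating, export your current key as a backup. The backup file contains the key itself, so keep it out of version control and store it like any other secret: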

npx dotvars key export > vars-key.bak
npx dotvars key rotate

Share the new key with teammates using vars key export.


CI/CD setup

In CI, there is no .vars/key file on disk. Set the VARS_KEY environment variable instead — vars reads it automatically.

# In your CI environment (GitHub Actions, etc.)
VARS_KEY=<paste output of `vars key export`>

Then run commands normally:

npx dotvars run --env prod -- node scripts/deploy.js
npx dotvars export --env prod --format dotenv > .env.production

vars gen and vars check on locked files do not require VARS_KEY.

GitHub Actions example

- name: Deploy
  env:
    VARS_KEY: ${{ secrets.VARS_KEY }}
  run: npx dotvars run --env prod -- npm run deploy

Platform targets in vars gen

When generating types for edge or serverless runtimes, use --platform to get the right accessor pattern:

npx dotvars gen config.vars --platform cloudflare   # Cloudflare Workers
npx dotvars gen config.vars --platform deno         # Deno Deploy
npx dotvars gen config.vars --platform static       # Static/CDN (import.meta.env)

See Running Apps for full gen documentation.


push (coming soon)

npx dotvars push --env prod --vercel

Decrypts your vault and pushes the values to your deployment platform. The scaffolding exists but platform adapters are not wired up yet.


pull (coming soon)

npx dotvars pull --vercel

Pulls environment variables from your platform, encrypts them, and merges them into config.vars. Existing values aren't overwritten by default. Scaffolded, not implemented.


What works right now

| Command | Status |
| --- | --- |
| export --format dotenv | Working |
| export --format json | Working |
| export --format k8s-secret | Working |
| key rotate | Working |
| push --vercel | Coming soon |
| push --netlify | Coming soon |
| push --railway | Coming soon |
| push --fly | Coming soon |
| pull --vercel | Coming soon |
| pull --netlify | Coming soon |

For CI, export covers most cases. Generate the .env, hand it to your deploy tool.
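
A hardened form of the `export ... > .env.production` step, as an added example that is not part of the vars documentation or project code. A plain redirect truncates the target before the command runs and creates it with the shell's default umask, so this wrapper writes to a 0600 temp file and renames it only after a successful, non-empty export. `write_env_file` and the `DOTVARS_CMD` override are hypothetical names introduced for this example.

```shell
#!/bin/sh
# Added example, not part of the dotvars project.
# DOTVARS_CMD is a hypothetical override (an assumption of this example) so
# the function can be exercised with a stub; it defaults to the page's command.
DOTVARS_CMD="${DOTVARS_CMD:-npx dotvars}"

# write_env_file <env> <dest>
# Exports <env> as dotenv into <dest> so that:
#   - the file is only ever readable by its owner (0600)
#   - <dest> is replaced only after a complete, successful export
#   - a failed or empty export leaves any previous <dest> untouched
write_env_file() {
    env_name=$1
    dest=$2

    # Temp file in the destination directory, so the final mv is a rename
    # on the same filesystem. mktemp creates it with mode 0600.
    tmp=$(mktemp "$(dirname "$dest")/.env.tmp.XXXXXX") || return 1

    # stdout carries the data; stderr (status messages) stays on the console.
    # $DOTVARS_CMD is left unquoted on purpose so "npx dotvars" splits in two.
    if ! $DOTVARS_CMD export --env "$env_name" --format dotenv > "$tmp"; then
        rm -f -- "$tmp"
        echo "export failed for '$env_name'; $dest not modified" >&2
        return 1
    fi

    # Exit status 0 with no output still means there is nothing to deploy.
    if [ ! -s "$tmp" ]; then
        rm -f -- "$tmp"
        echo "export for '$env_name' produced no output" >&2
        return 1
    fi

    chmod 600 "$tmp" && mv -f -- "$tmp" "$dest"
}

# Usage: write_env_file prod .env.production
```

Remove the generated file at the end of the CI job once the deploy tool has consumed it, and keep `.env.*` out of version control.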