varsRunning Apps
Inject secrets, generate typed accessors, and validate your env.
run, gen, check. The commands you'll use day to day.
run
vars run --env <env> [--param key=val] -- <command> [args...]Decrypts config.vars for the given env and injects the values into a child process. Nothing touches disk. Secrets exist only in that process and are gone when it exits.
# Start your dev server with dev secrets
vars run --env dev -- npm run dev
# Run a script with prod secrets
vars run --env prod -- node scripts/migrate.js
# Override a single value at runtime
vars run --env prod --param DATABASE_URL=postgres://localhost/mydb -- node scripts/migrate.jsvars also sets VARS_ENV in the child's environment so your app knows which env it's running under.
Flags
| Flag | Short | Description |
|---|---|---|
--env <name> | Which environment to decrypt (required) | |
--param key=val | -p | Override a specific variable at runtime |
--file <path> | -f | Use a different vars file |
The -- separator is required. Everything after it is the command vars runs.
gen
vars gen <file>Generates a typed TypeScript file with accessor functions for every variable in a config.vars file. No key needed — gen reads schemas without decrypting values. Import the generated file instead of reading process.env directly and you get autocomplete and type safety.
# Generate types for the default config.vars
vars gen config.vars
# Generate for all entry points at once
vars gen --all
# Write to a custom output path
vars gen config.vars --output src/lib/env.tsFlags
| Flag | Short | Description |
|---|---|---|
--all | Generate for all *.vars entry points | |
--output <path> | -o | Output file path |
--platform <target> | Platform target: node (default), cloudflare, deno, static |
hide reruns gen automatically if your schemas changed since the last run, so you won't call this often.
Platform Targets
By default, vars gen creates code that reads from process.env (Node.js). For other platforms, use the --platform flag.
check
vars check [file]Validates every env against your Zod schemas, runs any check blocks defined in the file, and reports expired or deprecated variables. Without --env, all envs are checked.
# Validate all envs in config.vars
vars check config.vars
# Validate staging only
vars check config.vars --env staging
# Validate all vars files in the project
vars check --allIt checks:
- Missing required values
- Schema conformance (shows expected vs. got on failure)
- Expired secrets (errors on past expiry, warns if expiring within 30 days)
- Deprecated variables still in use
checkblocks defined inline in the vars file@refinecross-variable validations
Exits 1 on errors. Encrypted values that can't be decrypted are skipped.
Flags
| Flag | Short | Description |
|---|---|---|
--env <name> | Validate a specific environment only | |
--all | Check all vars files in the project | |
--file <path> | -f | Use a different vars file |
export
Prefer vars run over export
vars run injects secrets in memory without writing anything to disk. export writes plaintext to stdout or a file — use it only when a tool strictly requires a .env file or manifest and can't be wrapped with vars run.
vars export --env <env> --format <format>Decrypts config.vars for a given environment and writes the values in the requested format to stdout.
Formats
| Format | Output |
|---|---|
dotenv | Standard .env key=value pairs |
json | JSON object of key/value pairs |
k8s-secret | Kubernetes Secret manifest (base64-encoded values) |
Examples
# Only when a tool requires a .env file on disk
vars export --env prod --format dotenv > .env.production
# Generate a Kubernetes secret manifest
vars export --env prod --format k8s-secret > secret.yamlFlags
| Flag | Short | Description |
|---|---|---|
--env <name> | Environment to export (required) | |
--format <fmt> | Output format: dotenv, json, k8s-secret (required) | |
--file <path> | -f | Use a different vars file |