Prefix rules: Only variables starting with
VITE_ (web) or
EXPO_PUBLIC_ (mobile) are exposed to the front end. All other variables
remain server-only and are used by backend integrations such as Supabase.
See Integrations.Add a secret
Create a key/value
Add a clear key name and value. - Use
VITE_* for web variables visible
to the UI - Use EXPO_PUBLIC_* for mobile variables visible to the UI -
Omit these prefixes for server-only secretsVisibility & access
- Front-end visible: Keys starting with
VITE_orEXPO_PUBLIC_are readable by the UI (safe for public, non-sensitive values like URLs). - Server-only: Unprefixed keys stay private and are used by backend flows (e.g., payments, webhooks, or AI calls).
Rotating or removing secrets
Troubleshooting
A feature relying on a secret isn’t working
A feature relying on a secret isn’t working
- Confirm the secret exists in Settings → Secrets and is spelled correctly
- Verify whether it should be front-end visible (
VITE_/EXPO_PUBLIC_) or server-only - Republish/restart after changes
I accidentally exposed a private key
I accidentally exposed a private key
- Remove or rename it without public prefixes - Rotate the credential with the provider immediately - Republish your site/app
OAuth or callback errors
OAuth or callback errors
- Double-check provider redirect URLs and app settings
- Ensure required client IDs/secrets are saved in Secrets
- See Integrations for provider-specific steps