redenv/Docs

Secret Expansion

Automatic variable reference resolution with ${VAR} syntax.

Edit this page

Redenv supports referencing other secrets using ${VAR_NAME} syntax. References are automatically resolved when secrets are loaded.

Info

For a deep dive into how expansion works, syntax rules, and use cases, see Secret Expansion.

Quick Example#

Secrets in Redenv
BASE_URL=https://api.example.com
AUTH_URL=${BASE_URL}/auth
CALLBACK_URL=${AUTH_URL}/callback
In your code
const secrets = await redenv.load();

secrets.AUTH_URL;     // https://api.example.com/auth
secrets.CALLBACK_URL; // https://api.example.com/auth/callback

Accessing Raw Values#

Use .raw to get unexpanded values (useful for debugging):

secrets.AUTH_URL;     // https://api.example.com/auth
secrets.raw.AUTH_URL; // ${BASE_URL}/auth

Common Patterns#

Database URLs#

DB_HOST=localhost
DB_PORT=5432
DB_USER=admin
DB_PASS=secret
DATABASE_URL=postgresql://${DB_USER}:${DB_PASS}@${DB_HOST}:${DB_PORT}/myapp

Environment-Specific URLs#

# Development
API_HOST=localhost:3000

# Production
API_HOST=api.myapp.com

# Both use
API_URL=https://${API_HOST}/v1

Escaping#

Use \${ for literal dollar-brace:

MESSAGE=Use \${VAR} syntax for variables
secrets.MESSAGE; // Use ${VAR} syntax for variables

Missing References#

Missing references are left unexpanded (no error thrown):

// If UNDEFINED_VAR doesn't exist:
secrets.SOME_URL; // ${UNDEFINED_VAR}/path

Tip

Use secrets.require() to validate base secrets exist before relying on expanded values.

Related#

  • Secret Expansion — Deep dive into expansion syntax, rules, and use cases
  • Validation — Validate required secrets with require()
  • Scoping — Group related secrets by prefix