Support Forums

Auth Bearer Token Stored in Netlify Environment Variables is Exposed

I’ve stored API keys in the .env file for my create-react-app and ensured the .env file is included in gitignore so as not to expose them on GitHub. I then added the environment variables to the Build & Deploy settings for my site on Netlify. However, it appears the bearer token of the GET request from my react app is still exposed in Chrome Dev Tools even though the jsx file uses the proper process.env.REACT_APP format.

I’m fairly new to Netlify and React in general. What am I missing?

Hey there, @ives99 :wave:

Welcome to the Netlify Forums and thanks for reaching out!

I believe that that REACT_APP_* are intentionally made visible in the client-side code. You can read about this further in the React Docs, which I will link below:

Let us know if this helps!