Environment Variables aren't being loaded by my production environment


I deployed my site to https://candidate-ats.netlify.app/ but the login and db url doesn’t work because process.env.AUTH0_DOMAIN returns undefined

I’ve set up the environment variables i nthe Netlify UI (initially uploaded them via CLI). For example, the var AUTH0_DOMAIN is set to have the same value for all scopes and all deploy contexts in the UI.

When I run things locally using a local .env file netlify build && netlify dev the .env is loaded correctly and everything works. When I comment out the variables in my local .env and run netlify dev --context production then process.env.AUTH0_DOMAIN returns ‘undefined’.

I’ve read through the docs and it seems like I’m not doing anything incorrectly. Could someone please take a look and advise if this is a bug on Netlify?


After reading through this post: Missing environment variables using yarn 3?

I decided to try building and deploying locally from the CLI. When I built + deployed via CLI the environment variables were loaded correctly and my site is working now.

Seems like it’s an issue with the builds done through the UI and GitHub hooks?

Hi @jvorick,

Based on your usage, I’m not sure why you need an environment variable for this task. For context:

  1. You seem to be using the variable to link to a domain - so the value is anyways visible in the URL.
  2. It’s not hard to check the site’s JS bundle and get the variable from there.

In general, I don’t recommend trying extra to secure client-side variables, because they’re pretty easily exposed.

In any case, it appears you’re using Redwood JS and just like most other frameworks, they seem to have a special way to use the environment variables in the client-side code:

Are you sure you’re using it accordingly?

Thanks! You were correct that I didn’t have Redwood setup properly.

I want to use environment variables for this task because they will change in different environments. While the Auth0 Client ID, domain, and redirect URI don’t really need to be secure, I do want them to be different for testing vs. production.

It’s good to know that my API_SECRET or other secret env vars won’t be loaded by the client, though.