
# Environment Variables

> Per-store secrets that are encrypted at rest and injected into your custom functions at runtime

Environment variables let you store secrets and configuration (API keys, tokens, endpoints, feature flags) at the store level, without baking them into your function code. Values are encrypted at rest and only decrypted when a function is invoked.

<Frame>
  <img src="https://mintcdn.com/ollie/QZ6-Acw2oRrH6Cuz/images/env-vars-tab.png?fit=max&auto=format&n=QZ6-Acw2oRrH6Cuz&q=85&s=a0877d3ee572262f188f54ac53d6a043" alt="Environment Variables Tab" width="2540" height="903" data-path="images/env-vars-tab.png" />
</Frame>

## Where to find it

In the Admin, open your store and switch to the **Environment Variables** tab. You will see the list of variables already defined for the store, with values masked by default.

<Frame>
  <img src="https://mintcdn.com/ollie/QZ6-Acw2oRrH6Cuz/images/env-vars-list.png?fit=max&auto=format&n=QZ6-Acw2oRrH6Cuz&q=85&s=3e95d69a59a0ccc62ed19270ae0bc134" alt="Environment Variables List" width="2541" height="887" data-path="images/env-vars-list.png" />
</Frame>

## How they are used

At runtime, every variable defined for a store is injected into the custom functions of that store and is available through `process.env`.

```ts theme={"system"}
export const handler = async (event) => {
  const apiKey = process.env.MY_API_KEY_FOO;
  // ...
};
```

You do not need to redeploy your functions when you add, edit or delete a variable — the next invocation already sees the new value.

<Info>
  Variables are scoped to a single store. Two stores can define the same key with different values without colliding.
</Info>

## Adding a variable

Click **Add Variable** to open the side drawer, then provide a **Key** and a **Value**.

<Frame>
  <img src="https://mintcdn.com/ollie/QZ6-Acw2oRrH6Cuz/images/env-vars-add.png?fit=max&auto=format&n=QZ6-Acw2oRrH6Cuz&q=85&s=9faf254a5962ff2a6011a87eb96de72b" alt="Add Environment Variable Drawer" width="2548" height="905" data-path="images/env-vars-add.png" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/ollie/QZ6-Acw2oRrH6Cuz/images/env-vars-add-02.png?fit=max&auto=format&n=QZ6-Acw2oRrH6Cuz&q=85&s=bd9a9db75e4a7e5eae929effb9d002d8" alt="Add Environment Variable Drawer" width="2550" height="902" data-path="images/env-vars-add-02.png" />
</Frame>

### Key rules

* Must match the regex `^[A-Z_][A-Z0-9_]*$` — uppercase letters, digits and underscores, starting with a letter or underscore (e.g. `MY_API_KEY`, `_INTERNAL_TOKEN`).
* Must be unique within the store.
* Cannot use reserved keys or prefixes (see below).

### Reserved keys

The following keys are reserved by the runtime and will be rejected:

```
AWS_SECRET_KEY, AWS_EXECUTION_ENV, AWS_LAMBDA_LOG_GROUP_NAME,
AWS_LAMBDA_LOG_STREAM_NAME, AWS_LAMBDA_FUNCTION_NAME,
AWS_LAMBDA_FUNCTION_MEMORY_SIZE, AWS_LAMBDA_FUNCTION_VERSION,
LAMBDA_TASK_ROOT, LAMBDA_RUNTIME_DIR, _HANDLER, TZ, PATH,
HOME, NODE_ENV
```

Any key starting with `OLLIE_` is also reserved for internal use.

<Warning>
  A store can have at most **50** environment variables.
</Warning>
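The key rules, reserved keys and the 50-variable limit above can be checked before you enter a batch of variables in the Admin. The following is an added example, not code from Ollie: `validateKeys` and `KeyIssue` are hypothetical names, and it assumes the list you pass in contains the store's existing keys together with the new ones.

```typescript
// Added example: pre-flight check that mirrors the key rules documented on this page.
// validateKeys and KeyIssue are hypothetical names, not part of any Ollie API.
const KEY_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
const RESERVED_PREFIX = "OLLIE_";
const MAX_VARS_PER_STORE = 50;
const RESERVED_KEYS = new Set<string>([
  "AWS_SECRET_KEY", "AWS_EXECUTION_ENV", "AWS_LAMBDA_LOG_GROUP_NAME",
  "AWS_LAMBDA_LOG_STREAM_NAME", "AWS_LAMBDA_FUNCTION_NAME",
  "AWS_LAMBDA_FUNCTION_MEMORY_SIZE", "AWS_LAMBDA_FUNCTION_VERSION",
  "LAMBDA_TASK_ROOT", "LAMBDA_RUNTIME_DIR", "_HANDLER", "TZ", "PATH",
  "HOME", "NODE_ENV",
]);

type KeyIssue = {
  key: string;
  reason: "format" | "reserved-key" | "reserved-prefix" | "duplicate" | "limit";
};

// Returns every rule violation for the given keys; an empty array means the set is acceptable.
// Only key names are inspected, so no secret value ever passes through this check.
function validateKeys(keys: string[]): KeyIssue[] {
  const issues: KeyIssue[] = [];
  const seen = new Set<string>();
  for (const key of keys) {
    if (!KEY_PATTERN.test(key)) {
      issues.push({ key, reason: "format" });
    } else if (RESERVED_KEYS.has(key)) {
      issues.push({ key, reason: "reserved-key" });
    } else if (key.startsWith(RESERVED_PREFIX)) {
      issues.push({ key, reason: "reserved-prefix" });
    }
    if (seen.has(key)) issues.push({ key, reason: "duplicate" });
    seen.add(key);
  }
  if (seen.size > MAX_VARS_PER_STORE) issues.push({ key: "*", reason: "limit" });
  return issues;
}

// Constructed sample input (key names only).
const sample = [
  "MY_API_KEY", "_INTERNAL_TOKEN", "my_api_key", "NODE_ENV",
  "OLLIE_DEBUG", "9LIVES", "MY_API_KEY",
];
const report = validateKeys(sample);
console.log(report);
```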

## Editing and deleting

Use the **Edit** button on a row to change the value (and optionally rename the key). Use the trash icon to delete — a confirmation dialog will ask you to confirm, since the action cannot be undone.

The eye icon next to a value reveals the plain-text content. Values are masked by default to avoid accidental exposure when sharing your screen.

## Permissions

Managing environment variables requires you to be an **owner** or **admin** of the store. Members with lower roles can read variables (when the UI displays them) but cannot create, update or delete.

## Security

* Values are stored encrypted at rest using **Supabase Vault** — they are never persisted as plain text in the database.
* Decryption happens only when a function is invoked, on the server side; values never reach the browser except in the Admin UI when you explicitly reveal them.
* Treat these variables as secrets: avoid logging them, and rotate them if you suspect exposure.
