env.dev

.env Validator

Validate your .env file for syntax errors, deprecated variables, missing production requirements, naming conventions, and live secret leaks (AWS keys, GitHub PATs, Stripe live keys, Slack tokens, Google API keys, npm tokens, PEM private keys). Client-side — your file never leaves the browser.

Last updated:

Client-side only — your data never leaves the browser

Input

Results

Paste or drop a .env file to validate

How to Use .env Validator

  1. 1Paste the contents of your .env file into the input area, or drag and drop the file.
  2. 2Review the production-readiness score and the list of issues by severity.
  3. 3Address errors first (syntax problems and detected secrets), then warnings (deprecated variables, missing production-required keys).
  4. 4Rotate any secret flagged as leaked — the detector matches live AWS, GitHub, Stripe, Slack, Google, and npm tokens.
  5. 5Adjust naming conventions — the validator flags keys that do not follow UPPER_SNAKE_CASE.

Frequently Asked Questions

Does my .env file leave the browser?

No. Parsing, validation, and secret-leak scanning all happen entirely client-side. The validator is bundled with the page and runs in your browser — your file is never sent to any server.

Which secret types does the leak detector catch?

High-confidence patterns only: AWS access key IDs (AKIA…/ASIA… etc.), GitHub PATs (ghp_, github_pat_, gho_, ghs_, ghu_), Stripe live keys (sk_live_, rk_live_), Slack tokens (xoxb-/xoxp-/xoxa-…) and incoming webhook URLs, Google API keys (AIza…), npm tokens (npm_…), and PEM private key headers. Stripe test keys (sk_test_) and placeholders are intentionally not flagged.

Will it flag a secret I just rotated?

Yes — the detector matches the pattern, not the validity. After rotation, replace the old value with a placeholder (or remove the line) so the validator stops reporting it. Treating any pattern hit as a "rotate now" signal is safer than trusting the detector to know which keys are still active.

Which variables does it know about?

It cross-references your file against the env.dev environment-variable reference — AWS, Azure, Google Cloud, Docker, Node.js, databases, CI/CD, and general OS variables.

What does "required for production" mean?

Some variables in the reference are marked as required for production deployments (e.g., DATABASE_URL for typical web apps). The validator flags missing ones as warnings so you can fix them before deploying.

Related Tools

.env Builder

Generate ready-to-use .env files for Node.js, Docker, and AWS. Pick a template and an environment (development, staging, production), copy or download.

.env Converter

Paste a .env file, get the equivalent for Docker Compose, Kubernetes ConfigMap, Vercel CLI, AWS Parameter Store, GitHub Actions secrets, or shell exports. Client-side — your file never leaves the browser.