Dotenv Provider
The Dotenv provider stores secrets in local .env files for development setups and compatibility with existing tools.
File Format
Section titled “File Format”Standard dotenv format with KEY=VALUE pairs:
DATABASE_URL=postgresql://localhost/mydbAPI_KEY=sk-1234567890DEBUG=true # Comments supported
# Multi-line values must be quotedPRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEA...-----END RSA PRIVATE KEY-----"Configuration
Section titled “Configuration”URI Syntax
Section titled “URI Syntax”# Default (.env in current directory)dotenv
# Custom pathsdotenv:.env.localdotenv:config/.envdotenv:/absolute/path/.envEnvironment Variable
Section titled “Environment Variable”export SECRETSPEC_PROVIDER=dotenv:.env.localSecret References
Section titled “Secret References”By default each secret reads the key named after it. A secret’s
ref field reads a key stored
under a different name: item is the .env key (field is not supported).
Reads and writes target that key in place; the secret’s own name is ignored.
[profiles.default]DATABASE_URL = { description = "DB", ref = { item = "POSTGRES_URL" }, providers = ["dotenv://.env.shared"] }# Initialize from existing .env$ secretspec init --from .env
# Set a secret$ secretspec set DATABASE_URL --provider dotenvEnter value for DATABASE_URL: postgresql://localhost/mydb
# Run with secrets$ secretspec run --provider dotenv -- npm start
# Use different files for different environments$ secretspec run --provider dotenv:.env.production -- node server.jsSecurity
Section titled “Security”⚠️ Warning: Secrets are stored in plain text. Use only for development and always add .env files to .gitignore.