.env File
Published Last updated
Key Takeaway
A .env file is a hidden configuration file that stores sensitive values such as API keys outside of code files, loaded securely at runtime and excluded from all version control repositories.
Learn These First
What Is .env File?
A .env file is a hidden configuration file that stores sensitive values such as API keys outside of code files, loaded securely at runtime and excluded from all version control repositories.
How .env File Works
Frequently Asked Questions
What is a .env file and why does a trading bot need one?
A .env file is a plain text configuration file that stores sensitive values — such as exchange API keys and secrets — outside of code files. A trading bot needs one because the API key required for exchange authentication must be available at runtime but must never appear inside any Python file, where it could be accidentally shared, committed to a repository, or displayed in error output. The python-dotenv library reads the .env file when the bot starts and makes the values available to the code without the credentials ever being written into the source files themselves.
How do I create and use a .env file for my trading bot?
Creating a .env file requires three steps. First, create a file named exactly `.env` in the project's root directory — the same folder as `main.py`. Second, add your credentials in `KEY=value` format on separate lines: `EXCHANGE_API_KEY=your_key_here` and `EXCHANGE_SECRET=your_secret_here`. Third, immediately add `.env` to `.gitignore` to prevent it from being committed to any repository. In the bot code, load the values using python-dotenv: `from dotenv import load_dotenv` at the top of your file, `load_dotenv()` to read the file, then `os.getenv('EXCHANGE_API_KEY')` to access each value throughout the bot's modules.
What happens if a .env file is accidentally committed to a GitHub repository?
If a .env file is accidentally committed to a public GitHub repository, automated credential scanning bots typically detect exposed API keys within minutes and the credentials are considered compromised immediately. The response is: first, go directly to the exchange and revoke the exposed API key before taking any other action. Second, check the exchange account for any unauthorised transactions. Third, remove the .env file from the repository — but note that simply deleting it does not remove it from git history, which requires additional steps. Fourth, create a new API key with correct minimum permissions. Prevention via `.gitignore` setup before the first commit is far simpler than remediation after exposure.
Common Misconceptions About .env File
Storing an API key in a private GitHub repository's config file is safe — only public repositories are a risk.
Private repositories reduce exposure risk but do not eliminate it. Private repositories can be made accidentally public through settings changes or organisation permission updates. Access can be granted to collaborators or third-party integrations that have their own security vulnerabilities. Repository permission settings change; credential files in version control history persist indefinitely regardless of later permission changes. The .env file pattern eliminates the repository risk entirely by keeping credentials outside of version control rather than relying on repository visibility settings to protect them.
Once the .env file is set up correctly, API key management requires no further attention.
Ongoing API key management includes several important maintenance actions. API keys should be rotated periodically — generating a new key and updating the .env file — as a proactive security measure. If the machine hosting the bot is compromised, updated, or decommissioned, the key should be revoked and regenerated. When moving the bot to a new environment — a cloud server or CryptoMantiq's hosting platform — the .env file must be manually transferred or the environment variables must be configured in the new environment's secrets management system. The .env file setup is the foundation, not the complete scope of credential management.
The .env file automatically encrypts API keys — the values inside it are stored securely.
A .env file is a plain text file — its contents are not encrypted and are readable by anyone who can access the file. Its security comes entirely from where it is stored and excluded, not from any encryption it provides. API keys inside a .env file are just as readable as keys in any other text file if the file is accessed directly. The security model relies on three controls: the file staying outside version control via .gitignore, the file residing in a protected directory not accessible to other system users, and access to the machine itself being properly secured with standard system authentication.