Environment variables
Inject secrets into builds and runtime without checking them into git.
Halo exposes environment variables to your build container, your runtime, or both. Values are encrypted at rest and decrypted only at the edge.
Set a variable
```bash
halo env add DATABASE_URL postgres://...
```
By default the variable is available to all environments (production, preview, development).
Scope it:
```bash
halo env add DATABASE_URL postgres://prod... --env production
halo env add DATABASE_URL postgres://stage... --env preview
```
Read variables
In your code, just read process.env:
```js
const url = process.env.DATABASE_URL;
```
Edge functions get the same process.env shape regardless of runtime — Halo wires it up before your handler runs.
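Once a value is in process.env, keeping it out of logs and error messages is up to your code. The following is an added example, not part of Halo's documentation or SDK: it validates DATABASE_URL at startup, fails closed when it is missing or malformed, and exposes only a redacted form for logging. The names loadConfig and redactUrl and the sample connection string are hypothetical.

```javascript
// Added example (not Halo code). Only DATABASE_URL comes from the page;
// function names and sample values are assumptions for illustration.
const REQUIRED = ["DATABASE_URL"];

// Mask the password in a connection URL so the result is safe to log.
function redactUrl(value) {
  try {
    const u = new URL(value);
    if (u.password) u.password = "***";
    return u.toString();
  } catch {
    return "<redacted>"; // not parseable as a URL: reveal nothing
  }
}

// Read and validate variables once at startup. Errors name the key only,
// never the value, so a bad deploy cannot leak a secret into logs.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter((key) => !env[key]);
  if (missing.length > 0) {
    throw new Error(`missing environment variables: ${missing.join(", ")}`);
  }

  let parsed;
  try {
    parsed = new URL(env.DATABASE_URL);
  } catch {
    throw new Error("DATABASE_URL is not a valid URL");
  }
  if (!["postgres:", "postgresql:"].includes(parsed.protocol)) {
    throw new Error("DATABASE_URL must use the postgres scheme");
  }

  return Object.freeze({
    databaseUrl: env.DATABASE_URL,
    // Use this, not databaseUrl, in log lines and health endpoints.
    describe: () => ({ DATABASE_URL: redactUrl(env.DATABASE_URL) }),
  });
}
```

Call `loadConfig()` once when the function starts and pass `describe()` to your logger instead of the raw values.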
Encrypted from rest to runtime
| Stage | Encryption |
|---|---|
| Storage (Halo control plane) | AES-256-GCM, per-org KMS key |
| Transit (control → edge) | mTLS |
| Edge memory | decrypted just-in-time, never written to disk |
Reading variables programmatically
Request example
CLI
```bash
halo env list --env production --json
```
SDK
```ts
import { Halo } from "@halo/sdk";
const halo = new Halo({ token: process.env.HALO_TOKEN });
const vars = await halo.env.list({ env: "production" });
```