Skip to Content
CLI ReferenceEnvironment Variables

Environment Variables

Norrix allows you to securely store environment variables and files that are injected at build time. This is useful for API keys, configuration files, and other sensitive data.

Note: Environment variable management requires a Pro or Enterprise subscription.

norrix env set

Set an environment variable.

Synopsis

norrix env set <name> <value> [options]

Arguments

ArgumentDescription
nameEnvironment variable name (e.g., API_KEY)
valueEnvironment variable value

Options

FlagDescription
-p, --project <name>Project name to scope this variable to
-c, --config <config>Configuration to scope this variable to (e.g., prod, stg)
-v, --visibility <type>Visibility: plaintext or secret (default: secret)

Variable Naming

Variable names must:

  • Start with a letter or underscore
  • Contain only letters, numbers, and underscores
  • Be case-insensitive (stored as provided)

Examples

# Set a secret (default)
norrix env set API_KEY sk_live_xxx
 
# Set plaintext variable
norrix env set PUBLIC_URL https://example.com -v plaintext
 
# Scope to specific project
norrix env set DATABASE_URL postgres://... --project my-app
 
# Scope to specific configuration (e.g., production only)
norrix env set API_KEY sk_live_xxx --config prod
 
# Scope to both project and configuration
norrix env set DATABASE_URL postgres://... --project my-app --config prod

norrix env set-file

Upload an environment file for build-time injection.

Synopsis

norrix env set-file <name> <path> [options]

Arguments

ArgumentDescription
nameFile identifier (e.g., .env.production)
pathPath to the local file to upload

Options

FlagDescription
-p, --project <name>Project name to scope this file to
-c, --config <config>Configuration to scope this file to (e.g., prod, stg)
-d, --dest-path <path>Destination path in CI (defaults to name)
-v, --visibility <type>Visibility: plaintext or secret (default: secret)

Examples

# Upload an env file
norrix env set-file .env.production ./.env.prod
 
# Upload with custom destination path
norrix env set-file firebase.json ./config/firebase.json --dest-path config/firebase.json
 
# Scope to specific project
norrix env set-file google-services.json ./android/google-services.json --project my-app
 
# Scope to specific configuration
norrix env set-file .env.production ./.env.prod --config prod

norrix env list

List all environment variables for an organization or project.

Synopsis

norrix env list [options]

Options

FlagDescription
-p, --project <name>Filter by project name
-c, --config <config>Filter by configuration

Output

Lists variables and files with:

  • Name
  • Type (variable or file)
  • Project scope (if any)
  • Configuration scope (if any)
  • Visibility (plaintext or secret)
  • Created by
  • Last updated

Examples

# List all env vars for organization
norrix env list
 
# List env vars for specific project
norrix env list --project my-app
 
# List env vars for specific configuration
norrix env list --config prod
 
# List env vars for both project and configuration
norrix env list --project my-app --config prod

Note: Secret values are never displayed in the list output.

norrix env delete

Delete an environment variable.

Synopsis

norrix env delete <name> [options]

Arguments

ArgumentDescription
nameEnvironment variable name to delete

Options

FlagDescription
-p, --project <name>Project name scope
-c, --config <config>Configuration scope

Example

norrix env delete API_KEY
norrix env delete DATABASE_URL --project my-app
norrix env delete API_KEY --config prod

norrix env delete-file

Delete an environment file.

Synopsis

norrix env delete-file <name> [options]

Arguments

ArgumentDescription
nameFile identifier to delete

Options

FlagDescription
-p, --project <name>Project name scope
-c, --config <config>Configuration scope

Example

norrix env delete-file .env.production
norrix env delete-file firebase.json --project my-app
norrix env delete-file .env.production --config prod

Configuration File Integration

You can declare which env vars and files should be injected in your norrix.config.ts:

import { defineConfig } from '@norrix/cli';
 
export default defineConfig({
  env: {
    variables: ['API_KEY', 'DATABASE_URL'],
    files: ['.env.production', 'config/firebase.json'],
  },
});

This documents which variables are expected without storing the actual values in version control.

Security

Secret Encryption

Variables with visibility: secret are:

  • Encrypted using AES-256-GCM
  • Stored with per-value initialization vectors
  • Decrypted only during build execution

Plaintext Storage

Variables with visibility: plaintext are:

  • Stored as-is in the database
  • Suitable for non-sensitive configuration
  • Faster to retrieve

Best Practices

  1. Use secret (default) for sensitive data
  2. Use plaintext for public URLs and non-sensitive config
  3. Scope variables to projects when possible
  4. Scope variables to configurations for environment-specific secrets (e.g., production API keys)
  5. Use .env files for grouped configuration

Scoping Hierarchy

Environment variables follow a hierarchical scoping model:

Organization (global)
├── Project: my-app
│   ├── Configuration: prod
│   │   └── API_KEY (production key)
│   ├── Configuration: stg
│   │   └── API_KEY (staging key)
│   └── (no config) - applies to all configurations
└── (no project) - applies to all projects

During builds, variables are resolved in this priority order:

  1. Project + Configuration scoped (most specific)
  2. Project scoped (applies to all configurations for that project)
  3. Configuration scoped (applies to all projects for that configuration)
  4. Organization-wide (applies to all projects and configurations)
Organization CommandsFingerprinting