.env.local _verified_ Jun 2026


By placing .env.local at the top of the precedence chain, the pattern ensures that any variable you set there overrides the same variable from any other file. This is intentional: it lets you test a different API endpoint or database without modifying the committed configuration.

AUTH_SECRET="your-development-secret-key"
AUTH_GITHUB_ID="Ov23li..."
AUTH_GITHUB_SECRET="your-github-oauth-secret"

The data inside a .env.local file is formatted as simple strings without complex data types:

This comprehensive guide covers everything you need to know about .env.local, how it works, how it differs from other environment files, and best practices for secure development.

What is .env.local?

.env.local

If you need to manage different settings for automated testing, we can explore how to set up a .

: Keeps secrets like API keys and database passwords out of version control.

Double-check your .gitignore to ensure .env.local is listed.

For production applications, validate your environment variables at startup to catch missing configuration early:

Imagine a team of five developers working on a project. The global .env file might point to a shared staging database. However, Developer A wants to test a destructive database migration on their own machine. By adding DATABASE_URL=postgresql://localhost:5432 to their .env.local file, Developer A overrides the shared staging URL without breaking the application for the other four developers.

Why .env.local Must Be Ignored by Git

Check your framework’s prefix rule. For security reasons, frameworks deliberately block front-end JavaScript from accessing environment variables to prevent leaking keys to users. If you want a variable to be visible to the front end, you must explicitly prefix it (e.g., NEXT_PUBLIC_ for Next.js, VITE_ for Vite, or REACT_APP_ for Create React App).

Summary Checklist

Action Item
Create .env.local in the project root: For individual developer local overrides
Add .env.local to .gitignore: Prevents accidental security leaks to Git repositories
Create a .env.example template file

export const env = envSchema.parse(process.env);

.env.local > .env.[mode] > .env

Every developer has a unique local setup. One person might run a database on port 5432, while another uses port 5433. If .env.local is tracked by Git, developers will constantly overwrite each other's local configurations every time they push or pull code.

How to protect your file

The most important rule: never commit .env.local to version control. It belongs in .gitignore, period. Better yet, keep both .env and .env.local out of Git by using a wildcard rule like *.local, except for a !.env.example file that contains only placeholder values. If you suspect the file might have been committed in the past, you can check the repository history with:

Never put sensitive secrets in NEXT_PUBLIC_ variables. These values become hardcoded strings in your JavaScript bundle and can be accessed by anyone who visits your site.
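The precedence chain and the startup validation described on this page, as an added example (not code from the original page or from any framework): a minimal loader that merges files in the order .env < .env.[mode] < .env.local, then reports missing required keys and public-prefixed variable names that look like secrets. The file contents, the required-key list and the SECRET_HINT pattern are constructed assumptions; real frameworks may load additional files.

```javascript
// Added example: all file contents below are constructed samples, not real secrets.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_"];
const SECRET_HINT = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY)/i; // assumed heuristic

// Parse KEY=value lines; skip blanks and # comments, strip matching quotes.
function parseEnv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue; // no key before "=": not a valid entry
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    out[key] = value;
  }
  return out;
}

// Merge lowest to highest priority so that .env.local wins:
// .env < .env.[mode] < .env.local
function resolveEnv(files, mode) {
  const order = [".env", `.env.${mode}`, ".env.local"];
  return Object.assign({}, ...order.map((name) => parseEnv(files[name] || "")));
}

// Startup check: missing required keys, and secret-looking names that carry
// a public prefix and would therefore end up in the client bundle.
function auditEnv(env, required) {
  const missing = required.filter((k) => !env[k]);
  const exposed = Object.keys(env).filter(
    (k) => PUBLIC_PREFIXES.some((p) => k.startsWith(p)) && SECRET_HINT.test(k)
  );
  return { missing, exposed };
}

// Constructed sample files keyed by file name (hypothetical hosts and values).
const sampleFiles = {
  ".env": "DATABASE_URL=postgresql://staging.example.internal:5432\nAPI_URL=https://api.example.test",
  ".env.development": "# mode-specific override\nAPI_URL=http://localhost:3000",
  ".env.local": 'DATABASE_URL=postgresql://localhost:5432\nNEXT_PUBLIC_API_SECRET="placeholder"',
};
const env = resolveEnv(sampleFiles, "development");
const report = auditEnv(env, ["DATABASE_URL", "AUTH_SECRET"]);
console.log(env.DATABASE_URL, report);
```

In a real project, fail the process (non-zero exit) when either list in the report is non-empty, so a misconfigured build never starts.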