Send environment variables and config secrets to your team without using Slack or Email.
.env files are the de-facto secret store for modern web applications. A typical file holds database connection strings, third-party API keys, JWT signing secrets, OAuth client secrets, SMTP credentials, and webhook signing keys — each one a distinct credential, often each with a different blast radius. The file represents the keys to the kingdom for the application it belongs to.
Dropping a .env file into Slack is the most common dev secret leak we see. The file's name and its key patterns (DATABASE_URL=, STRIPE_SECRET=) trigger automated bot scanners, and Slack's file retention rules typically keep the upload accessible for years even after a manual delete. Many companies' incident retrospectives trace back to a single .env paste in a private channel that was later compromised.
PasteOnce changes the handoff to a single round-trip: the sender pastes the file's contents (or the subset needed), the recipient reads the link once, and the ciphertext is gone. The encrypted blob never touches a chat tool's database, never appears in a workspace export, and is not searchable by anyone — including us.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
If a teammate is debugging the auth flow, they do not need the analytics keys. Trim the paste to the relevant lines — every secret left out is one less to rotate later.
Doppler, Infisical, and Vault sync .env values to local development without ever materializing the full file. Use PasteOnce for the bootstrap; use a manager for steady state.
Do not try to triage which leaked vars matter. Treat a leaked .env as if every line is compromised, because in practice attackers will try every value against every plausible service.
Run 'git log -p -- .env' and 'git rev-list --all | xargs git grep -l SECRET' to surface any past commits. Use BFG or git filter-repo to scrub them, then rotate everything found.
A new hire needs the local .env to run the app. PasteOnce the file once on day one. They copy it into their local repo, the link expires, and you have avoided creating any persistent record of the file outside their machine.
The frontend developer only needs the NEXT_PUBLIC_* vars (which end up in the bundle anyway). Send those plain — and PasteOnce only the server-side secrets to the backend developer who actually needs them.
While pair-debugging over a screen-share, you realize the staging .env does not match what is in production. PasteOnce the diff; recipient overwrites; debug continues without a permanent leak in the screen-share recording.
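The trimming advice and the frontend/backend split above, as an added example (not PasteOnce's code): a JavaScript helper that parses a .env, routes NEXT_PUBLIC_* values to the plain channel, puts only the requested keys into the one-time payload, and lists everything else by name only. The sample file, the `planHandoff` name and the trailing-`*` prefix convention are assumptions made for this example.

```javascript
// Added example: constructed sample .env; every value is a placeholder.
const SAMPLE_ENV = `
# auth
export JWT_SECRET='placeholder-jwt'
OAUTH_CLIENT_SECRET=placeholder-oauth
# data
DATABASE_URL="postgres://app:placeholder@db.example.test:5432/app"
ANALYTICS_KEY=placeholder-analytics
NEXT_PUBLIC_API_BASE=https://api.example.test
JWT_SECRET='placeholder-jwt-rotated'
`;

const PUBLIC_PREFIX = "NEXT_PUBLIC_"; // ends up in the client bundle, per the page
const MAX_PLAINTEXT = 500000;         // plaintext character limit stated on the page

// Parse KEY=VALUE lines. Values are kept verbatim (quotes included) so the
// recipient can paste them straight back into a .env file.
function parseEnv(text) {
  const vars = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) vars.set(m[1], m[2]); // assumption: a repeated key overrides the earlier one
  }
  return vars;
}

// Split a .env into what may go over a normal channel, what goes into the
// one-time link, and what stays home. `needed` holds exact keys or prefixes
// ending in "*" (a convention invented for this example).
function planHandoff(text, needed) {
  const wanted = (key) => needed.some((n) =>
    n.endsWith("*") ? key.startsWith(n.slice(0, -1)) : key === n);
  const plan = { plain: [], secret: [], withheld: [] };
  for (const [key, value] of parseEnv(text)) {
    if (key.startsWith(PUBLIC_PREFIX)) plan.plain.push(`${key}=${value}`);
    else if (wanted(key)) plan.secret.push(`${key}=${value}`);
    else plan.withheld.push(key); // key names only, never values
  }
  const payload = plan.secret.join("\n");
  if (payload.length > MAX_PLAINTEXT) throw new Error("payload exceeds plaintext limit");
  return { ...plan, payload };
}

const demo = planHandoff(SAMPLE_ENV, ["JWT_SECRET", "OAUTH_*"]);
console.log(demo.payload);
console.log("withheld:", demo.withheld.join(", "));
```

The `withheld` list doubles as a record of which credentials never left the sender's machine and therefore need no rotation if the link is mishandled.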
Just the variables they need. Every secret you do not share is one fewer to rotate if the link goes wrong, and one fewer audit-trail concern down the road.
The link is one-time — once the first recipient opens it, the second person sees only an expired-link error. To share with multiple people, create one link per person. This is a feature, not a bug.
No. Variables prefixed with NEXT_PUBLIC_ in Next.js (and similar in other frameworks) end up in the public client bundle and are visible in the user's browser. Sharing them in plain Slack is fine; reserve PasteOnce for actual secrets.
The textarea limits plaintext to 500,000 characters and the encrypted blob is capped at 1,000,000 characters. A typical .env is a few hundred lines at most — well within bounds.