Environment variables

Environment variables are key/value settings that your runtime app can read at runtime — things like a feature flag, a log level, or a public base URL. In Comwit Cloud you manage them per app, and they are applied to the builds that run for that app.

Plain values only — not for real secrets

App environment values are plain text only. There is no secret backend enabled for app env today, so do not store passwords, API keys, signing keys, or other sensitive credentials here. See Keep real secrets out below before you put anything sensitive in an environment variable.

List environment variables

Read the current environment for an app.

API

GET /v1/projects/{projectId}/apps/{appId}/environment

You’ll need your project id (projectId) and the app id (appId) — see Deploy an app and Apps overview for where those come from.

Set or update a variable

Setting a variable uses the variable’s key as the last path segment, with the value in the request body.

API

PUT /v1/projects/{projectId}/apps/{appId}/environment/{key}

Request body

{ "value": "info", "secret": false }

The body has two fields:

• value — the string value to store for this key.
• secret — must be false. Sending true is rejected (see below).

PUT both creates a new key and updates an existing one — there is no separate “create” versus “update” call.

Remove a variable

API

DELETE /v1/projects/{projectId}/apps/{appId}/environment/{key}

This removes a single key from the app’s environment.

Why secret: true is rejected

The secret field exists in the request shape, but the live policy does not use a secret store for app environment values. If you send secret: true, the API responds with:

Response (400 problem-detail)

{
  "title": "Bad Request",
  "status": 400,
  "detail": "secret app env values are not enabled; store plain env values only"
}

In other words, every app environment value is stored and served as plain configuration. To set a value successfully, send "secret": false.

Keep real secrets out

Because there is no secret backend for app env, treat everything you put here as plain, readable configuration:

• Safe to store: log levels, feature flags, public URLs, non-sensitive build settings.
• Do not store: passwords, API keys, signing secrets, or anything you would not want exposed in plain form.

Database connection strings

A database connection URL or token is sensitive. Only place a database connection URL or token in app environment with this plain-storage caveat in mind — and ideally wait until a paid secret backend is intentionally enabled before doing so. See Connect to a database for how connection details are issued.

Related

• Deploy an app — push a build that picks up these variables.
• Apps overview — how apps, builds, and projects fit together.
• Authentication — the cwt_ token you use to call these routes.