# Secrets and environment variables

Your code reads environment variables while Tokay controls where their values come from. This keeps credentials out of source and builds, lets related Services share configuration, and makes missing or conflicting values visible before deployment.

The application uses its normal language interface, such as `process.env.API_KEY` or `os.environ["DATABASE_URL"]`. No Tokay SDK is required.

## Values come from the person, infrastructure, or platform

A variable detected in the code can have one of three sources.

- **User supplied values** include third party API keys and credentials only you know.
- **Infrastructure values** include database URLs and passwords generated by Tokay.
- **Platform values** include ports, hostnames, and other runtime plumbing.

The Service's Environment tab shows each variable, its source, and whether it is ready. A required value with no source blocks deployment instead of producing a Service that fails at startup.

## Secrets stay out of code and build output

User supplied values are encrypted at rest and delivered to the Service as environment variables when it starts. Tokay does not write them into source, bake them into builds, or print them into logs.

When submitted source contains a likely credential, Tokay shows the exact line and proposes moving the value into secure storage while changing the code to read an environment variable. The change requires approval.

## Project values support the whole application

Secrets belong to a Project so related Services can use the same value. Store one `API_KEY`, for example, and the web app and scheduled job can both receive it.

Add a Service override when one Service needs a different value from its siblings. Ignored detections also appear on the Environment tab and can be restored later.

## Version history makes changes reversible

Each value update creates a version. Revert from the history when a new credential causes a problem. Running Services receive the current value without rebuilding the code.

Rolling back a deployment does not roll back secrets. Code can return to an older version while credentials stay current, which avoids reviving a revoked or expired key.

When new code stops reading a stored variable, Tokay marks the value as unused but does not delete it automatically.

See [Databases](databases.md) for infrastructure generated connections and [How Tokay sets up your app](how-tokay-sets-up-your-app.md) for detection and review.
