# Environment Variables in Next.js

## Introduction
Environment variables store configuration settings like API keys, database credentials, or emails separately from code. Next.js supports them natively through `.env*` files to avoid hardcoding sensitive data, prevent accidental commits to GitHub, and enable easy changes across development and production environments. They load into `process.env` for use in server-side code.

## Creating and Loading Environment Variables
Create a `.env` file in the project root with key-value pairs, such as `SECRET=harry123456` and `ID=harry`. Run `npm run dev` to start the app; Next.js automatically loads these into `process.env`. 

- Access in **server components**: Use `console.log(process.env.ID)` or display directly, as server-side rendering has full access.  
- Files are gitignored by default in `create-next-app` templates to protect secrets. 

**Key Term**: `.env` files support multiline values and variable referencing with `$VARIABLE`. 

## Server vs Client Components
Server components access all `process.env` variables securely, printing values like `ID=harry` and `SECRET=harry123456`. Client components (`"use client"`) cannot access non-public env vars due to browser security; attempts return `undefined`.

- **Server-side**: Safe for secrets like database passwords.
- **Client-side**: Env vars run in browser's `process.env`, excluding server-only data.

## Public Environment Variables for Client Access
Prefix with `NEXT_PUBLIC_` (e.g., `NEXT_PUBLIC_ID=harry`) to bundle into JavaScript for client-side use. Next.js inlines these at build time, replacing `process.env.NEXT_PUBLIC_ID` with the literal value.

```
# .env
NEXT_PUBLIC_ID=harry
```
Access works in both server and client components, but avoid for sensitive dataâ€”attackers can extract from bundles.  

**Warning**: Public vars freeze at `next build`; changes require rebuild. 

## Loading Priority and Order
Next.js loads env vars in strict order, using the first match:  

| Priority Order | File Example (NODE_ENV=development) | Notes |
|---------------|-------------------------------------|-------|
| 1. System    | `process.env`                      | OS-level vars   |
| 2. Environment-specific local | `.env.development.local` | Overrides for dev, gitignored |
| 3. Local     | `.env.local`                       | Local overrides (skipped in tests)   |
| 4. Environment-specific | `.env.development` | Dev defaults |
| 5. Default   | `.env`                             | Fallback for all   |

`.env.local` takes precedence over `.env` for local tweaks like different MongoDB URIs. For tests, use `.env.test`; `NODE_ENV=test` skips `.env.local`.  

## Best Practices and Advanced Usage
- Use `@next/env` `loadEnvConfig(process.cwd())` for non-Next.js contexts like ORMs. 
- Separate local/production vars with `.env.development` vs `.env.production`. 
- Never commit secrets; use platform env vars (e.g., Vercel dashboard) for deployment.
- Runtime vars: Available server-side during dynamic rendering; public ones are build-time only.

## Summary
Next.js env vars enhance security and flexibility: use `.env*` files with priority order, prefix `NEXT_PUBLIC_` for client access, and distinguish server/client behavior. Focus on `.env.local` and `.env` for 95% of cases, reserving public vars for non-sensitive data like analytics IDs.