Skip to main content
Use vars for plain, non-sensitive configuration such as public API base URLs, feature flags, log levels, and OAuth client IDs. Use secrets for credentials, tokens, and signing keys.

Declare allowed keys

Runtime keys are typed in server/src/defs/runtime.ts:
server/src/defs/runtime.ts
export type VarKey =
  | "PUBLIC_API_BASE_URL"
  | "GOOGLE_CLIENT_ID";

export type SecretKey =
  | "GOOGLE_CLIENT_SECRET";
This keeps the keys your code can read explicit and discoverable.

Set vars from the CLI

edgespark var set PUBLIC_API_BASE_URL=https://api.example.com
edgespark var set GOOGLE_CLIENT_ID=your-google-client-id LOG_LEVEL=debug
Inspect or delete them later: 
edgespark var list
edgespark var delete LOG_LEVEL

Read vars at runtime

server/src/index.ts
import { vars } from "edgespark";
import { Hono } from "hono";

const app = new Hono().get("/api/public/config", (c) => {
  return c.json({
    apiBaseUrl: vars.get("PUBLIC_API_BASE_URL"),
  });
});

export default app;
vars.get(...) returns string | null, so handle missing values where appropriate.

Vars are environment-scoped

Vars are scoped to the current environment. For newly created projects today, that means the current default production environment.
Public staging support is coming soon. When it lands, staging and production will keep separate var sets under the same key names.
Vars are for plain configuration only. If a value would be harmful to expose in logs, prompts, or copy-pasted shell history, use edgespark secret set instead.
See platform limits for current var naming and quota constraints.

Common pattern with auth config

OAuth client IDs usually belong in vars, while OAuth client secrets belong in secrets:
configs/auth-config.yaml
providerGoogle:
  enabled: true
  config:
    clientIdVarRef: GOOGLE_CLIENT_ID
    clientSecretRef: GOOGLE_CLIENT_SECRET
That keeps the non-sensitive ID easy to manage while protecting the secret.

See also

vars reference

The runtime API for reading plain vars with vars.get(...).

Manage secrets

Use the secure browser-based secret flow for sensitive values.
Last modified on April 7, 2026