DOTENV_KEY is used to decrypt an environment inside your .env.vault file.

If a DOTENV_KEY is set on your server and a .env.vault exists in your code, dotenvx run will attempt to decrypt your .env.vault file and inject its secrets just in time.

For example:

DOTENV_KEY=dotenv:// dotenv run -- yourcommand


A DOTENV_KEY uses the tried and true uri format. This trusted yet flexible format can grow as dotenvx grows.

$ node
new URL('dotenv://')
  href: 'dotenv://',
  origin: 'null',
  protocol: 'dotenv:',
  username: '',
  password: 'key_10283719af6a30ef49050048617f4fea10c23a38021fbebeb9fd858caa01852e',
  host: '',
  hostname: '',
  port: '',
  pathname: '/vault/.env.vault',
  search: '?environment=production',
  searchParams: URLSearchParams { 'environment' => 'production' },
  hash: ''


  • protocol: dotenv: (good practice to communicate this as a DOTENV_KEY)
  • password: key_10283719af6a30ef49050048617f4fea10c23a38021fbebeb9fd858caa01852e (last 64 bytes are used to decrypt DOTENV_VAULT_environment in your .env.vault file. this way we can support other generators in the future like your own yourowngenerator_64bytes..)
  • host: (can be anything at this time. is used to communicate that this key was generated with dotenvx)
  • params.environment: production (specifies which DOTENV_VAULT_environment to decrypt from your .env.vault file)


  • username: `` (not in use at this time)
  • pathname: /vault/.env.vault (can be anything at this time. in the future, might be used to combine multiple vaults)