For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Secrets & environment

EXPO_PUBLIC_ values ship in the app binary. Keep API keys and webhook secrets on the server, and configure EAS for production builds.

Anything in the mobile binary can be extracted. TurboStarter keeps privileged secrets on the web/API side and only exposes public configuration to Expo.

For the full file layout, see Environment variables. This page focuses on the security rules.

Public vs private

KindPrefix / locationUse for
Public (in the app)EXPO_PUBLIC_*Site URL, locale, theme, feature flags safe to expose
Build-timeEAS env / eas.json profilesSame public values for preview vs production builds
Private (never on mobile)Web / API host secretsDatabase URL, Better Auth secret, billing webhook secrets, provider secret keys
Safe ✅
# apps/mobile - public only
EXPO_PUBLIC_SITE_URL="https://app.example.com"
EXPO_PUBLIC_DEFAULT_LOCALE="en"
EXPO_PUBLIC_THEME_MODE="system"

# Optional public SDK keys that providers document as client-safe
EXPO_PUBLIC_REVENUECAT_APPLE_API_KEY="appl_..."
Unsafe - never do this ❌
EXPO_PUBLIC_DATABASE_URL="postgresql://..."
EXPO_PUBLIC_BETTER_AUTH_SECRET="..."
EXPO_PUBLIC_STRIPE_SECRET_KEY="sk_live_..."
EXPO_PUBLIC_REVENUECAT_WEBHOOK_SECRET="..."

Public means public

If a value has the EXPO_PUBLIC_ prefix, assume every user (and anyone who unpacks your IPA/APK) can read it. That includes “obscure” identifiers that still grant privileged access to a third-party API.

Where secrets live

EnvironmentStore secrets inOn the device?
Local developmentRoot / web .env.local for the APINo
Production APIHost secrets (Vercel, Railway, …)No
EAS buildsEAS secrets / eas.json for public app configOnly EXPO_PUBLIC_*

Mobile never needs DATABASE_URL, BETTER_AUTH_SECRET, or billing signing secrets. Those stay with the API the app calls.

What does this mean?

Add secret keys to the web app where the API is deployed. The Expo app should only talk to that API for sensitive operations.

See web environment variables for the server-side layout.

Production checklist for env

  1. Point EXPO_PUBLIC_SITE_URL at your real production API / web origin
  2. Confirm no secret keys use the EXPO_PUBLIC_ prefix
  3. Use separate EAS profiles (or EAS env) for preview vs production
  4. Keep billing webhook secrets on the server only
  5. Rotate any key that was ever committed or shipped in a public build

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter