For the complete documentation index, see llms.txt. Prefer markdown by appending.mdto documentation URLs or sendingAccept: text/markdown.
Secrets & environment
EXPO_PUBLIC_ values ship in the app binary. Keep API keys and webhook secrets on the server, and configure EAS for production builds.
Anything in the mobile binary can be extracted. TurboStarter keeps privileged secrets on the web/API side and only exposes public configuration to Expo.
For the full file layout, see Environment variables. This page focuses on the security rules.
Public vs private
| Kind | Prefix / location | Use for |
|---|---|---|
| Public (in the app) | EXPO_PUBLIC_* | Site URL, locale, theme, feature flags safe to expose |
| Build-time | EAS env / eas.json profiles | Same public values for preview vs production builds |
| Private (never on mobile) | Web / API host secrets | Database URL, Better Auth secret, billing webhook secrets, provider secret keys |
# apps/mobile - public only
EXPO_PUBLIC_SITE_URL="https://app.example.com"
EXPO_PUBLIC_DEFAULT_LOCALE="en"
EXPO_PUBLIC_THEME_MODE="system"
# Optional public SDK keys that providers document as client-safe
EXPO_PUBLIC_REVENUECAT_APPLE_API_KEY="appl_..."EXPO_PUBLIC_DATABASE_URL="postgresql://..."
EXPO_PUBLIC_BETTER_AUTH_SECRET="..."
EXPO_PUBLIC_STRIPE_SECRET_KEY="sk_live_..."
EXPO_PUBLIC_REVENUECAT_WEBHOOK_SECRET="..."Public means public
If a value has the EXPO_PUBLIC_ prefix, assume every user (and anyone who unpacks your IPA/APK) can read it. That includes “obscure” identifiers that still grant privileged access to a third-party API.
Where secrets live
| Environment | Store secrets in | On the device? |
|---|---|---|
| Local development | Root / web .env.local for the API | No |
| Production API | Host secrets (Vercel, Railway, …) | No |
| EAS builds | EAS secrets / eas.json for public app config | Only EXPO_PUBLIC_* |
Mobile never needs DATABASE_URL, BETTER_AUTH_SECRET, or billing signing secrets. Those stay with the API the app calls.
What does this mean?
Add secret keys to the web app where the API is deployed. The Expo app should only talk to that API for sensitive operations.
See web environment variables for the server-side layout.
Production checklist for env
- Point
EXPO_PUBLIC_SITE_URLat your real production API / web origin - Confirm no secret keys use the
EXPO_PUBLIC_prefix - Use separate EAS profiles (or EAS env) for preview vs production
- Keep billing webhook secrets on the server only
- Rotate any key that was ever committed or shipped in a public build
How is this guide?
Last updated on