If several people deploy your app, or a CI service does it for you, it's better to define environment variables in now.json than to pass them on the command line.
However, committing that file to Git creates a problem: secrets such as API tokens and database credentials become visible to anyone with access to the source code, and they stay in the repository history even after you remove them. That's bad.

Now Secrets

That's where now Secrets comes in. It's a secret store scoped to your account, so a value is stored once and can be used by any deployment you make. Let's see how to use it.
First, add some secrets (one command per secret):
now secrets add my-app-mongo-url ""
now secrets add my-app-my-api-token "XXXXX"
Then you can reference those values from environment variables. Here's how to do that in now.json; the @ prefix tells now to substitute the secret of that name at deploy time:
{
  "env": {
    "MONGO_URL": "@my-app-mongo-url",
    "MY_API_TOKEN": "@my-app-my-api-token"
  }
}
That's it.
This now.json file no longer contains any secret material, so it's safe to commit to Git and share with anyone. Only the people who can deploy the app have access to the secrets themselves.


You can perform a few operations on now Secrets, including adding, renaming and removing them. But you can't read a secret's value back from the terminal.
Don't mistake that for a security boundary. Anyone who can deploy to your now account has access to these secrets; disabling reads from the terminal is only a speed bump.
A user can still deploy a trivial app that prints its environment variables and read the secrets that way. Treat deploy permission as equivalent to secret access, and rotate the secrets when someone loses that permission.
You can get more information about now Secrets by running the following help command:
now secrets --help

Help output of `now secrets`

Secrets with New Lines

Sometimes you need to add secrets that contain newlines or other special characters (for example, certificates). You can't add those by simply passing them to now secrets add.
Instead, encode the secret as Base64 before adding it. Here's how to do that on Mac/Linux in a single command. Note that GNU base64 (the Linux default) wraps its output at 76 characters, which would put newlines right back into the value, so the line breaks are stripped with tr, and the result is quoted so the shell passes it as a single argument:
now secrets add my-cert "$(base64 < /path/to/cert | tr -d '\n')"
Before you use the secret inside your app, you need to decode it. Here's how to do that in a Node.js app, assuming now.json maps the environment variable MY_CERT to @my-cert:
// MY_CERT holds the Base64 text that `now secrets add my-cert ...` stored
const cert = Buffer.from(process.env.MY_CERT, 'base64').toString()
Base64 is a simple encoding that is available everywhere, which is why it's used here; any other text-safe encoding would do just as well.
Keep in mind that Base64 is an encoding, not encryption. It only keeps the value intact on its way through the CLI and adds no confidentiality: the decoded certificate is still a secret, and the encoded form must not be committed to Git either.
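The following is an added example, not code from the original article or from the now CLI: it round-trips a multi-line secret through Base64 the way the workflow above requires, and then reads it back from the environment with the checks an app should make before handing the material to TLS. The variable name MY_CERT and the certificate text are assumptions; the certificate below is constructed filler, not a real certificate.

```javascript
// Added example (not from the original article). Encodes a multi-line secret
// to single-line Base64, as the shell command does, and decodes it back from
// an environment variable, as the app does. MY_CERT is an assumed name.

// Constructed sample: a PEM-style block with the newlines that break a plain
// `now secrets add`. This is filler text, not a real certificate.
const SAMPLE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'MIIBsampleOnlyNotARealCertificate0000000000000000000000000000000000',
  'AAAAsampleOnlyNotARealCertificate1111111111111111111111111111111111',
  '-----END CERTIFICATE-----',
  '',
].join('\n')

// Equivalent of `base64 < cert | tr -d '\n'`: one line, no whitespace.
function encodeSecret(text) {
  return Buffer.from(text, 'utf8').toString('base64')
}

// What the app does with the environment variable: decode back to text.
function decodeSecret(b64) {
  return Buffer.from(b64, 'base64').toString('utf8')
}

// Load and validate a Base64-encoded PEM secret from an environment object.
// `env` is a parameter so the function can be exercised without process.env.
function loadPemFromEnv(name, env = process.env) {
  const raw = env[name]
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new Error(`${name} is not set; map it to a now secret in now.json`)
  }
  // A value wrapped by GNU base64 (no tr -d '\n') carries newlines. Node's
  // decoder would skip them, but flag it so the shell step gets fixed instead
  // of silently depending on that leniency.
  if (/\s/.test(raw)) {
    throw new Error(`${name} contains whitespace; strip newlines before adding the secret`)
  }
  const pem = decodeSecret(raw)
  // Fail loudly if the decoded text is not PEM rather than passing garbage on.
  if (!pem.startsWith('-----BEGIN ')) {
    throw new Error(`${name} did not decode to a PEM block`)
  }
  return pem
}

// Stand-alone demo with a simulated environment.
const demoEncoded = encodeSecret(SAMPLE_PEM)
console.log('encoded value contains newlines:', demoEncoded.includes('\n'))
console.log(loadPemFromEnv('MY_CERT', { MY_CERT: demoEncoded }))
```

The whitespace check is deliberately strict: it catches the exact failure mode described above (line-wrapped Base64 from GNU base64) at startup, where it is obvious, instead of at the first TLS handshake.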