Dotenv Manager

Paste a .env file to validate it — flag duplicate and missing keys, lint naming, merge an overlay file, and mask secrets. Export a report, a normalized file, a .env.example, or JSON. Runs entirely in your browser; nothing is uploaded.

Try:
Result

About this tool

Dotenv Manager parses, validates, merges and secret-masks .env files right in your browser. Paste a .env file and it reads the same syntax your app's dotenv loader does — KEY=VALUE lines, # comments, blank lines, single- and double-quoted values, inline comments, and an optional export prefix — then reports what's wrong before it bites you in production.

It catches the mistakes that silently break config:

Set a second overlay file to merge two .envs the way layered environments do — the overlay's keys override the base (last-file-wins), so you can preview exactly what .env + .env.production resolve to.

Mask secrets is on by default: values of sensitive-looking keys (names containing SECRET, TOKEN, PASSWORD, KEY, AUTH, and more) are shown as ab****yz so you can share a report without leaking credentials.

Pick the output you need: a report (diagnostics plus values), a normalized .env (deduped, last value wins), a .env.example with every value blanked for committing to source control, or JSON of the merged pairs. Optionally sort keys alphabetically. Everything runs locally — your .env is never uploaded.

FAQ

Is my .env file uploaded anywhere?

No. Parsing, validation, merging and masking all run locally in your browser via WebAssembly. Your file never leaves your machine, so it's safe to paste real secrets — though with Mask sensitive values on, secret-looking values are hidden in the output anyway.

Which key gets used when a key appears twice?

The last one. Real dotenv loaders keep the last assignment for a repeated key, so the tool does the same — it flags the duplicate, lists every line the key appears on, and the normalized and json outputs keep only the final value.

How does merging two .env files work?

Paste a second file into the overlay box. Its keys override matching keys in the primary file (last-file-wins, exactly how layered .env + .env.production files resolve at runtime), and any keys unique to the overlay are appended. Keys only in the primary file are kept as-is. The report output counts how many keys the overlay overrode.

How are secrets detected and masked?

Masking is based on the key name, not a fuzzy content scan, so it's deterministic and predictable. Any key whose name contains a sensitive marker — SECRET, TOKEN, PASSWORD, PASSWD, PWD, KEY, AUTH, CRED, PRIVATE, CERT, SIGNATURE, ACCESS, SESSION, or DSN — has its value masked. Longer values reveal the first and last two characters (ab****yz); short ones become ****. Turn masking off to see raw values.

What's the .env.example output for?

The example output emits every key with a blank value — a .env.example template you can safely commit to git so teammates know which variables to set without exposing any real values. Combine it with Sort keys for a tidy, alphabetized template.

Can I export the parsed values as JSON?

Yes. Choose the json output to get a JSON object of the merged key/value pairs — handy for feeding config into a script or comparing against another environment. Secret values are masked in the JSON too unless you disable masking.

Developer & Automation Access

Run it from the terminal

Same engine as this page, headless — via the gizza CLI:

gizza tool dotenv-manager "# database
export DB_HOST=localhost
DB_PORT=5432
API_TOKEN=secret123456
DB_HOST=127.0.0.1"

New to the CLI? Get gizza →

Open it by URL

Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:

https://gizza.ai/tools/dotenv-manager/?env=%23%20database%0Aexport%20DB_HOST%3Dlocalhost%0ADB_PORT%3D5432%0AAPI_TOKEN%3Dsecret123456%0ADB_HOST%3D127.0.0.1&merge=DB_HOST%3Dprod.internal%0AAPI_TOKEN%3Dprod-token-9999&required_keys=DATABASE_URL%2CAPI_KEY&mask_secrets=true&sort_keys=true&output=report

Machine-readable descriptor: tool.json — title + parameters JSON Schema for agents.