Dotenv Manager
Paste a .env file to validate it — flag duplicate and missing keys, lint naming, merge an overlay file, and mask secrets. Export a report, a normalized file, a .env.example, or JSON. Runs entirely in your browser; nothing is uploaded.
About this tool
Dotenv Manager parses, validates, merges and secret-masks .env files right in
your browser. Paste a .env file and it reads the same syntax your app's dotenv
loader does — KEY=VALUE lines, # comments, blank lines, single- and
double-quoted values, inline comments, and an optional export prefix — then
reports what's wrong before it bites you in production.
It catches the mistakes that silently break config:
- Duplicate keys — the same key set twice, with a note that the last value wins (the runtime dotenv semantics), so you know which value your app actually sees.
- Missing required keys — list the keys your app can't start without (e.g.
DATABASE_URL,API_KEY) and any that are absent are flagged. - Lint warnings — keys that aren't
UPPER_SNAKE_CASE, empty values, stray whitespace around=, unterminated quotes, and barewords with no value.
Set a second overlay file to merge two .envs the way layered environments
do — the overlay's keys override the base (last-file-wins), so you can preview
exactly what .env + .env.production resolve to.
Mask secrets is on by default: values of sensitive-looking keys (names
containing SECRET, TOKEN, PASSWORD, KEY, AUTH, and more) are shown as
ab****yz so you can share a report without leaking credentials.
Pick the output you need: a report (diagnostics plus values), a normalized
.env (deduped, last value wins), a .env.example with every value blanked
for committing to source control, or JSON of the merged pairs. Optionally sort
keys alphabetically. Everything runs locally — your .env is never uploaded.
FAQ
Is my .env file uploaded anywhere?
No. Parsing, validation, merging and masking all run locally in your browser via WebAssembly. Your file never leaves your machine, so it's safe to paste real secrets — though with Mask sensitive values on, secret-looking values are hidden in the output anyway.
Which key gets used when a key appears twice?
The last one. Real dotenv loaders keep the last assignment for a repeated key,
so the tool does the same — it flags the duplicate, lists every line the key
appears on, and the normalized and json outputs keep only the final value.
How does merging two .env files work?
Paste a second file into the overlay box. Its keys override matching keys in
the primary file (last-file-wins, exactly how layered .env + .env.production
files resolve at runtime), and any keys unique to the overlay are appended. Keys
only in the primary file are kept as-is. The report output counts how many keys
the overlay overrode.
How are secrets detected and masked?
Masking is based on the key name, not a fuzzy content scan, so it's
deterministic and predictable. Any key whose name contains a sensitive marker —
SECRET, TOKEN, PASSWORD, PASSWD, PWD, KEY, AUTH, CRED, PRIVATE,
CERT, SIGNATURE, ACCESS, SESSION, or DSN — has its value masked. Longer
values reveal the first and last two characters (ab****yz); short ones become
****. Turn masking off to see raw values.
What's the .env.example output for?
The example output emits every key with a blank value — a .env.example
template you can safely commit to git so teammates know which variables to set
without exposing any real values. Combine it with Sort keys for a tidy,
alphabetized template.
Can I export the parsed values as JSON?
Yes. Choose the json output to get a JSON object of the merged key/value pairs —
handy for feeding config into a script or comparing against another environment.
Secret values are masked in the JSON too unless you disable masking.
Developer & Automation Access
Run it from the terminal
Same engine as this page, headless — via the gizza CLI:
gizza tool dotenv-manager "# database
export DB_HOST=localhost
DB_PORT=5432
API_TOKEN=secret123456
DB_HOST=127.0.0.1"New to the CLI? Get gizza →
Open it by URL
Pre-fill and auto-run this tool with query parameters — the names match the API/CLI:
https://gizza.ai/tools/dotenv-manager/?env=%23%20database%0Aexport%20DB_HOST%3Dlocalhost%0ADB_PORT%3D5432%0AAPI_TOKEN%3Dsecret123456%0ADB_HOST%3D127.0.0.1&merge=DB_HOST%3Dprod.internal%0AAPI_TOKEN%3Dprod-token-9999&required_keys=DATABASE_URL%2CAPI_KEY&mask_secrets=true&sort_keys=true&output=reportMachine-readable descriptor: tool.json — title + parameters JSON Schema for agents.
