The death of the .env file - Infisical CLI as a replacement
See how to replace your .env files with Infisical's CLI
Introduction
This is a .env file. There are at least 10 of them on your machine right now. Plain text, non-encrypted, just sitting there with your API keys and your database credentials. And now anyone or anything with access to your computer, including your AI coding agent, can read it. The .env file is outdated. In this video, I'm going to show you a significantly better way to handle environment variables. Fetch them at runtime so that they never see disk. And once you see how it works, I promise you will never go back.
The Problem
Here's what happens with .env files. You've got a copy on your machine. Your teammate has a copy on theirs. Someone pasted a few values into Slack. There's a different version in CI and none of it is in sync. Somebody's missing a value and their app breaks locally and they have no idea why. Somebody else's copy ends up leaked in source control. It's plain text scattered everywhere. No access control, no single source of truth, and no audit trail at all.
The fix is relatively simple. Stop storing secrets in files altogether. Fetch them at runtime from one centralized place. Let me show you how.
Demo Setup
Okay, so I have a simple project. I've got a Node app here, but it could just as well be a Django project, a FastAPI service, or a Go API. Whatever you're working with, the workflow is the same. Right now, it's using a .env file, just like everyone does. This works, but this file is the problem.
So, instead of loading secrets from a file, I'm going to fetch them from a centralized secrets manager — Infisical — at runtime. They get injected at runtime as environment variables, the same as before, but nothing ever lives on disk. Infisical has a CLI that makes this dead simple. Let me show you.
Creating an Infisical Project
First, I'll head to infisical.com and create an account. We'll click get started. Now, I already have many projects. You're not going to have any. So, we'll create a new project and we'll call it "my secrets." And once I've got this project created, I add my secrets right here in this dashboard. The same key-value pairs that I had in my .env, but now they're in one place — encrypted, versioned, and access controlled. So I'm going to add my secret.
Installing & Authenticating the CLI
Now back in the terminal, we'll install the Infisical CLI and get logged in. This is what we'll use to fetch our secrets and automatically inject them into local development. I can run brew install infisical/get-cli/infisical. Once that's completed, I'll run infisical login. Now, this will give us the option of US, EU, or self-hosted. We do not have a self-hosted instance right now, and I am in the US, so I'm going to choose that. And here, it'll take me to the browser. So, I'm going to choose my organization, and it says head back to the terminal. As you can see, we were successful.
Linking the Project
Now, we link this project to our Infisical project. So, I'm going to run infisical init. Now, I already had a workspace config file set up, but I'm going to go ahead and override it. Here, it'll have me choose my organization. What this does is create a small infisical.json file. This file is safe to commit to git. It's just going to be a project ID reference with no secrets. So I will choose my org and I'll choose my project. That's the "my secrets" project that we just created.
Running the App Without a .env File
And now before I even run the app, I actually don't need this .env file anymore since we're going to use Infisical to inject our environment variables. So I'll go ahead and delete that.
Now that that file is gone, I can just run the app using infisical run -- node index.js and we can see our new secret was injected from Infisical — "secret from Infisical."
Infisical fetches the secrets, injects them as environment variables at runtime, and my app runs exactly the same. The difference is that I'm not saving a file on disk with these secrets. And this isn't just for Node. It works with Python, Go, Rust, whatever language you please. If it reads environment variables, infisical run works with it.
Team Workflow
So what about your team? When a new developer clones this repo, there's no .env file to track down. You define access controls in Infisical and any teammate with access just runs the same commands that I did: infisical login and then infisical run followed by whatever the run command is. They get the secrets they're authorized to access, injected at runtime, and they don't have to track down that file.
And if typing out infisical run seems like a lot every time, you can actually alias it. You can use a Makefile, or if you're using Node you can update your package.json script so that npm run dev puts infisical run in front of the command every time.
Why This Is Urgent: AI Coding Agents
So we've seen the fix, but I think it's important to understand why this is actually urgent. Every AI coding agent right now — OpenClaw, Claude Code, Hermes, Cursor, Copilot, Windsurf — they are all reading the files on your disk. That's how they understand your codebase. And if there's a .env file, they are reading that one too.
But the part that a lot of people don't think about is that these agents don't just read your files silently. They print the contents of these files in their internal chain of thought as they're working. Your secrets are getting written into context windows and logs that you don't control and you can't see. Your .gitignore doesn't help because your agent isn't using git. It's just reading files off disk. So your API keys, your database credentials, they're riding along in the agent's thinking process, getting sent off to third-party infrastructure. If your secrets aren't in a file, this problem disappears. There's nothing for the agent to read.
Closing
And the truth is, every copy of that .env file sitting on your device, your colleague's device, in Slack, in a CI pipeline — it's just another attack vector. It's another exposure. Centralizing all of your secrets and fetching and injecting them at runtime collapses all of that into zero plain text on disk.
The .env file had a good run, but your secrets are too important to live in plain text on disk, especially in the agentic age of coding. Head to infisical.com to try it out. There's a free version that you can try out in 5 minutes. The link is in the description.
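An added example, not from the video and not Infisical's own code: a small shell wrapper for the workflow under "Running the App Without a .env File" and the aliasing idea under "Team Workflow". It refuses to start while a plaintext .env file is still in the project, then runs the command through infisical run; the function names and the dev.sh file name are assumptions.

```shell
#!/bin/sh
# Added example (not Infisical's code): guard wrapper around `infisical run`.

# Print paths of dotenv files under a directory (default: current one).
# Skips .git and node_modules and ignores the conventional value-free
# template `.env.example`. Only paths are printed, never file contents.
find_env_files() {
    find "${1:-.}" \( -name .git -o -name node_modules \) -prune -o \
        -type f \( -name '.env' -o -name '.env.*' \) \
        ! -name '.env.example' -print
}

# Refuse to start while plaintext dotenv files remain in the project,
# then hand the command to the CLI so secrets arrive only as environment
# variables of that child process.
run_with_secrets() {
    leftovers=$(find_env_files .)
    if [ -n "$leftovers" ]; then
        echo "refusing to start; plaintext env files still on disk:" >&2
        echo "$leftovers" >&2
        return 1
    fi
    if ! command -v infisical >/dev/null 2>&1; then
        echo "infisical CLI not found on PATH" >&2
        return 127
    fi
    infisical run -- "$@"
}

# When saved as a script (hypothetical name dev.sh): ./dev.sh node index.js
if [ "$#" -gt 0 ]; then
    run_with_secrets "$@"
fi
```

Because the injected values are ordinary environment variables, they are visible to the started process and to anything it spawns.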
