.env file validator — parse Bash-style .env, detect dups / missing required / unsafe values / leaked secret patterns; cross-compare prod / staging / dev envs.
- Runs locally
- Category Developer & DevOps
- Best for Checking file type, size, metadata, and obvious mismatch signals before sharing.
Syntax
0No issues — clean .env file.
Secret scan
0No secret-shaped values detected. Generic high-entropy values may still be your problem.
Schema check
0Paste a schema above to check required keys.
What this tool does
A real `.env` linter for the file you'll commit by accident if no one looks. Parses the same dialect Node `dotenv` + Bash do — `KEY=VALUE`, `export KEY=value`, double-quoted strings with `\n` `\t` escapes, single-quoted literal strings, full-line `#` comments and trailing `# comment` after a value, `${VAR}` interpolation. On top of the parser, it runs four checks: (1) duplicate keys, (2) invalid keys (spaces, leading digit, lowercase), (3) empty values, (4) mismatched quotes. Then a secret scanner: AWS access keys (`AKIA…`), GitHub tokens (`ghp_…`), OpenAI keys (`sk-…`), Stripe live / test keys (`sk_live_…`, `sk_test_…`), Slack tokens (`xoxb-` / `xoxp-`), JWTs (`eyJ…`), and a generic high-entropy fallback. Optional required-key schema (`KEY=required` or `KEY=optional:default`) catches missing prod variables before the container crashes at boot. And a side-by- side diff mode takes 2 or 3 `.env` files (prod / staging / dev) and shows which keys live where, plus which values disagree. 100 % browser-local — your `.env` never leaves the tab.
Tool details
- Input
- Text
- The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
- Output
- Live result + Copy
- The result area focuses on usable output, with copy, download, or preview actions when supported.
- Privacy
- Browser-side processing
- The main tool logic does not call an external API, so inputs normally stay in the current tab.
- Save / share
- Shareable URL state
- Key settings are encoded in the URL so another person can reopen the same setup.
- Performance budget
- Initial JS <= 22 KB
- No WASM budget is declared, keeping the tool quick to open on mobile.
- Best fit
- Developer & DevOps · Developer
- Category and role tags drive related tools, internal links, and quick fit checks.
How to use
-
1. Input
Paste or drop your content into the tool panel.
-
2. Process
Click the button. All processing is local in your browser.
-
3. Copy / Download
Copy the result or download to disk in one click.
How .env File Validator fits into your work
Use it before upload, handoff, archive, support review, or any moment where a file needs one local check before it leaves your machine.
File jobs
- Checking file type, size, metadata, and obvious mismatch signals before sharing.
- Preparing mixed folders for upload, archive, intake, or review.
- Keeping sensitive files in the browser instead of sending them to an account-based service.
File checks
- Do not treat the extension alone as proof of the real file type.
- Review metadata before a file goes to customers, vendors, or a public page.
- Keep the original file until the copied, converted, or exported result is verified.
Good next steps
These links move the current task into a more complete workflow.
- 1 JWT Decoder Decode JWT header / payload / signature — verify structure, check exp, copy claims — browser-only Open
- 2 .editorconfig Generator Visual .editorconfig builder — indent, charset, line endings, trailing whitespace, per-glob overrides — browser-only Open
- 3 JSON Formatter & Validator Format, validate, and minify JSON instantly — right in your browser. Open
Real-world use cases
Catch a duplicated key before it silently overrides in production
You added `STRIPE_KEY=sk_test_…` at the top of `.env`, then a week later added `STRIPE_KEY=sk_live_…` at the bottom while merging a PR. Node `dotenv` keeps the LAST one; your local tests pass with the test key but staging boots with live. Paste the file here, the "Duplicate keys" panel calls out STRIPE_KEY appearing on lines 4 and 41 with both values shown side-by-side. Delete one, ship.
Verify a new microservice has every required env before docker-compose up
You spun up a new Rust service that needs `DATABASE_URL`, `REDIS_URL`, `JWT_SECRET`, `SENTRY_DSN`. The README's "config" section lists them. Paste those four lines into the schema field as `KEY=required`, paste your `.env` on the left. The "Schema" tab shows green for each present non-empty key and red for whatever you forgot — usually `SENTRY_DSN`, every time. Saves the 30-second container boot + crash loop.
Spot a leaked AWS access key before pushing
Someone on the team left `AWS_ACCESS_KEY_ID=AKIAIOSFODNN7…` in `.env.example` because "it's just an example". The secret scanner highlights it as AWS-shaped, your CI gitleaks step would have caught it eventually but only after a 4-minute run. Catch it in 200ms here, rotate the key (it's already public — assume burned), update `.env.example` with `AWS_ACCESS_KEY_ID=AKIA_REPLACE_ME`.
Diff staging vs production env to confirm a single intentional change
You're rolling out a feature that needs a new env var `FEATURE_NEWPAY_ENABLED`. You think production differs from staging in only that variable + the obvious DB URL / region. Paste both files into the "Diff" tab, the table shows: 47 keys identical, 3 keys differ (DB_URL, AWS_REGION, FEATURE_NEWPAY_ENABLED), 0 keys only-in-one-file. Exactly what you expected — green-light the rollout.
Sanity-check a `.env` extracted from a docker-compose `environment:` block
You're porting a docker-compose service to k8s and need to turn the `environment:` YAML map into a `.env` ConfigMap. Paste your converted `.env` here, the syntax check flags two lines where you forgot quotes around values with `:` or spaces. Fix the two lines, copy back, apply.
Audit a `.env` someone shared via Slack before storing it in 1Password
A teammate sent you a `.env` for a service you're picking up. Before storing in your password manager you want to know: any keys missing the standard set? any obvious leaks? any duplicates? The all-checks view answers all three in one screen — and the "Mask secrets" toggle lets you screenshot the result safely for your handoff doc.
Common pitfalls
Pasting a real production `.env` to test the tool. The parser stays in your browser, but pasting prod secrets into ANY web form is a habit you don't want to build. Duplicate the file, blank the values, paste the blanked copy.
Expecting `${VAR}` to interpolate values from another file. Interpolation only resolves keys defined earlier in the SAME input — the same as Node `dotenv-expand`. Cross-file resolution belongs in your runtime, not in a static linter.
Quoting numbers and booleans. `.env` values are always strings — `PORT=3000` and `PORT="3000"` produce the same string. The double-quotes only matter if your value contains a newline, a `#`, or leading/trailing whitespace you want preserved.
Putting `export KEY=value` in a `.env` that gets loaded by Node `dotenv` and being surprised when `export ` ends up in the key. Node `dotenv` strips a leading `export ` per the convention; the tool follows the same rule. Bash-only or k8s ConfigMap consumers will NOT strip it — switch the file to plain `KEY=value` for portability.
Treating an empty value as 'absent' for required-key checks. `KEY=` (empty) fails a `required` schema check the same as a missing line — that matches what most config libraries do. If empty is genuinely intentional, mark the key `optional:` in the schema.
Hoping the secret scanner catches custom internal tokens. It catches the eight common patterns (AWS, GitHub, OpenAI, Stripe live/test, Slack, JWT, generic high-entropy). For an internal token shape your team uses, add it to your linter / gitleaks config — no client-side scanner can know your specific format ahead of time.
Privacy
Your `.env` content stays inside this browser tab. Parsing, syntax validation, secret scanning, schema check, and the diff view are all plain JavaScript — no network call, no analytics on textarea content, no localStorage write. The URL only carries option choices (tab, mask-secrets), so "Share settings" reproduces the workflow for a teammate without ever carrying your file. That said: a real production `.env` carries real production keys, and even pasting one into your own browser is one Ctrl-V away from a Slack window. Safer: duplicate the file, blank values you only care about structurally (key names, presence, quoting), paste the blanked copy. The "Mask secrets" toggle exists for the same reason — screenshot the validation result without leaking values.
FAQ
Tool combos
Folks in your role tend to reach for these alongside this tool.
- Add Line Numbers Number every line of pasted text — set start, step and separator, zero-pad to align, skip blanks, or strip numbers back off — browser-only
- AES Text Encryptor Encrypt & decrypt text with a password — AES-256-GCM + PBKDF2 via WebCrypto — 100% in your browser, nothing uploaded
- Age Difference Calculator The exact gap between two birthdays — years/months/days, percentage, and the date one person is twice the other's age — browser-only
- AI Model Comparison AI model comparison — 20+ models (GPT / Claude / Gemini / Llama / Qwen) across price, context, speed, capabilities (2026).