These docs cover apps running on Galaxy Metal and Web Apps. If your app runs on Galaxy Legacy, visit the legacy docs.
Galaxy
Apps Menu

Variables

Store sensitive configuration and secrets securely in Galaxy without committing them to Git.

Ever commit an API key to Git by accident? Yeah, environment variables exist to prevent exactly that.

Galaxy keeps variables encrypted and secure. They're never exposed in logs or error messages. They're the right way to handle secrets.

Your Secrets Are Safe Here

Everything you store in Galaxy is encrypted at rest and in transit. No exposure in logs, no visibility to other team members unless you give access.

Why Environment Variables?

Never hardcode secrets in your code.

Never commit API keys to Git.

Never store passwords in your repository.

Environment variables exist specifically to solve this problem. Set them in Galaxy, and your app reads them at runtime. Your code stays clean, your secrets stay safe, and you can change configuration without touching code.

Environment vs. Code

Think of environment variables as configuration that changes between environments. What you need in production is different from what you need in staging. Variables let you manage both without changing code.

Meteor Apps: Settings Modes

Meteor apps get a specialized settings experience in the Variables tab. At the top of the page, you'll see a Settings Mode toggle with two options: Galaxy Mode and Repository Mode.

Choosing a Mode

Galaxy Mode is the recommended option for most teams. Your settings are encrypted and stored securely in Galaxy, completely outside your repository. Even if your repo ever becomes public by accident, your secrets stay protected.

Repository Mode trades that security guarantee for Git-based versioning. It works well for non-sensitive configuration, but any secrets in your settings file live in your repository. One accidental visibility change and they're exposed.

Not sure which one to pick? Here's a quick way to think about it.

Use Galaxy Mode if:

  • You want your secrets encrypted and stored outside your repository (recommended)
  • You manage settings directly in the dashboard
  • You deploy via the Meteor CLI (meteor deploy)
  • You don't have (or don't want) a Git integration set up

Use Repository Mode if:

  • You deploy via Push to Deploy (P2D) with a Git integration
  • Your settings file contains only non-sensitive configuration
  • Your CI/CD pipeline already manages the settings file

Repository Mode Requires Push to Deploy

Repository Mode is only available when your app has a Git integration configured via Push to Deploy. If your app doesn't have a Git integration set up, the option is disabled in the toggle. Head to your app's Settings tab to connect a Git repository and enable P2D first.

Galaxy Mode

In Galaxy Mode, Galaxy stores your settings and injects them into your app on every deployment. This is the default for all Meteor apps. Look for the GALAXY MODE badge at the top of the page.

You edit your complete settings.json in a dedicated JSON editor right in the dashboard. Galaxy validates your JSON as you type, catching syntax errors before you save.

The editor holds your entire settings structure:

{
  "galaxy.meteor.com": {
    "env": {
      "MONGO_URL": "mongodb://user:password@host/db",
      "MAIL_URL": "smtp://user:password@smtp.example.com:587"
    }
  },
  "packages": {
    "mongo": {
      "options": {
        "tlsAllowInvalidCertificates": true
      }
    }
  },
  "private": {
    "paymentApiKey": "your-payment-api-key",
    "apiSecret": "your-api-secret"
  },
  "public": {
    "appName": "My App",
    "apiUrl": "https://api.example.com"
  }
}

CLI and Dashboard Share the Same Settings

In Galaxy Mode, the dashboard and the Meteor CLI write to the same place. If you run meteor deploy --settings settings.json, Galaxy updates the stored settings with whatever file you pass. That means a CLI deploy will overwrite any edits you made in the dashboard, and vice versa. They're always in sync, but the last write wins.

Settings Size Limit

The Meteor Settings editor has a maximum size limit of 1 MB (1024 KB). If your settings approach this limit, you'll see a warning. Settings that exceed 1 MB cannot be saved. Consider moving large configuration data to external services or databases if you're hitting this limit.

Repository Mode

In Repository Mode, Galaxy reads your settings file directly from your Git repository snapshot captured during each Push to Deploy build. Look for the REPOSITORY MODE badge at the top of the page.

You'll see a Settings File Path field showing the path to your settings file relative to the repo root. Click the edit icon next to the path to change it.

Because settings come from your repository, there's no separate save step in the dashboard. Just update the file in your repo and push. Galaxy picks it up on the next deployment automatically.

Keep Secrets Out of Git

Repository Mode is great for non-sensitive configuration, but be careful with secrets. Any values in your settings file will be committed to your repository. For API keys and passwords, consider Galaxy Mode, or use environment variables outside the settings file.

CLI Deploys Don't Update Settings in Repository Mode

If you run meteor deploy --settings settings.json while Repository Mode is active, Galaxy ignores the file you pass. Settings always come from the repository snapshot, not from the CLI argument. If you need to update settings, update the file in your repo and trigger a P2D deployment.

Understanding the Settings Structure

Both modes use the same settings.json structure. Here's what each section does.

galaxy.meteor.com.env: Environment variables that Galaxy injects into your container. These become available via process.env in your server code. Common uses include MONGO_URL, MAIL_URL, ROOT_URL, and other service connection strings.

packages: Configuration for specific Meteor packages. The most common use is the MongoDB TLS setting for Galaxy's free shared cluster.

private: Server-only settings accessible via Meteor.settings in your server code. API keys, service credentials, and other secrets belong here. These never reach the client.

public: Client-accessible settings available via Meteor.settings.public in both server and client code. App names, feature flags, and public API endpoints go here.

Never Put Secrets in Public

Everything in the public section is sent to browsers and visible to anyone using your app. Keep secrets in private or galaxy.meteor.com.env only.

Editing Settings in Galaxy Mode

  1. Navigate to your app's Variables tab
  2. Make sure Galaxy Mode is selected
  3. Edit the value directly in the JSON editor
  4. Click Save to store your changes
  5. Click Deploy to apply them to your running app
  1. Navigate to your app's Variables tab
  2. Make sure Galaxy Mode is selected
  3. Add new keys to the appropriate section (env, private, or public)
  4. Make sure your JSON syntax is valid (Galaxy validates as you type)
  5. Click Save then Deploy
  1. Navigate to your app's Variables tab
  2. Make sure Galaxy Mode is selected
  3. Delete the key-value pair from the JSON
  4. Verify the remaining JSON is valid
  5. Click Save then Deploy

Accessing Settings in Your Code

On the server, access all settings via Meteor.settings:

// Server-side code
const paymentApiKey = Meteor.settings.private.paymentApiKey;
const mongoUrl = process.env.MONGO_URL;

On the client, only public values are available:

// Client-side code
const appName = Meteor.settings.public.appName;

Web Apps: Standard Variables

For Node.js, Python, and AdonisJS apps, the Variables tab shows a standard key-value interface. Each variable appears as a row you can edit individually.

Adding Variables

Add variables one at a time by clicking Add Variable. Type the key (the variable name) and value (what your app reads).

Key: The variable name your code looks for. Usually all uppercase with underscores, like DATABASE_URL, PAYMENT_API_KEY, or API_TOKEN.

Value: What your app gets when it reads this variable. The actual secret, URL, or configuration value.

Click Save to store the variable.

Editing Variables

Find the variable you want to change. Click it to edit. Update the value, click Save.

Done. Your change is saved but not yet applied.

Deleting Variables

Find the variable and click the delete icon (trash can). Confirm the deletion. The variable is removed.

No Automatic Restart

Deleting a variable doesn't restart your app. The old value stays in memory until you deploy or restart.

Save vs Deploy

This is important. Saving and deploying are separate actions.

Save: Click Save to store your variable changes. Your running app isn't affected.

Multiple edits: Make as many variable changes as you need, saving each one. Your live app keeps running.

Deploy: When ready, click Deploy to apply all saved changes. Galaxy performs a zero-downtime rolling restart, updating your app with new variables.

This separation prevents accidents. Prepare configuration changes carefully. Only when you click Deploy does anything change.

One Deployment is More Efficient

Changes only take effect after you deploy. Make all variable changes you need, then deploy once. This is more efficient than deploying after each variable change.

Common Variables by Platform

Meteor Apps

{
  "galaxy.meteor.com": {
    "env": {
      "MONGO_URL": "mongodb://...",
      "MAIL_URL": "smtp://...",
      "ROOT_URL": "https://myapp.meteorapp.com"
    }
  }
}

Node.js / AdonisJS

DATABASE_URL=postgresql://user:pass@host:5432/db
REDIS_URL=redis://user:pass@host:6379
NODE_ENV=production
LOG_LEVEL=info

Python

DATABASE_URL=postgresql://user:pass@host:5432/db
SECRET_KEY=your-django-secret-key
DEBUG=False

Best Practices

Keep them secure: Never share variable values with anyone who doesn't absolutely need them. Don't paste them in chat or email.

Use strong values: For API keys and tokens, use the strongest credentials your provider offers. For passwords, use long, random strings.

Rotate sensitive values: Periodically regenerate API keys, auth tokens, and passwords. Update Galaxy with new values and redeploy.

Don't duplicate: Don't create multiple variables with similar purposes. It's confusing and error-prone. One DATABASE_URL per environment, not five variants.

Document them: Keep notes somewhere (not in code!) about what each variable is for. Future you will thank current you.

Use staging for testing: Have separate variables for staging and production. Test configuration changes in staging before applying to production.

Never Commit .env Files

Add .env to your .gitignore to prevent accidental commits of local environment files.

Troubleshooting

What's Next?

Configure Your App Settings

Manage domains, Git settings, health checks, and deployment options

Deployments

The Deployments section shows every time your app has been deployed. Each deployment is a complete cycle: Galaxy takes your code, builds it, and gets it running on containers.

Versions

Every time you push code to your deploy branch, Galaxy creates a new version. This section shows all your code snapshots so you can see your deployment history and rollback to any past version if needed.

On this page

Why Environment Variables?Meteor Apps: Settings ModesChoosing a ModeGalaxy ModeRepository ModeUnderstanding the Settings StructureEditing Settings in Galaxy ModeAccessing Settings in Your CodeWeb Apps: Standard VariablesAdding VariablesEditing VariablesDeleting VariablesSave vs DeployCommon Variables by PlatformMeteor AppsNode.js / AdonisJSPythonBest PracticesTroubleshootingWhat's Next?