Overview Quick Start Schema Sources & Layering Variable Expansion Polling & Webhooks CLI Monorepo Security & Production Defaults Troubleshooting FAQ

Integrations

Next.js Vite Expo

Providers

AWS Secrets Manager GCP Secret Manager Azure Key Vault Doppler 1Password Connect

FAQ

Answers to the most common questions.

Why not Zod/Valibot/etc.?

Confkit ships a tiny runtime focused on configuration use‑cases: URL/port/duration helpers, redaction metadata, client exposure, and sources/expansion built in. You can still transform or refine as needed.

How do I expose values to the client safely?

Mark them with .client(). Use loadConfig() or pickClient() to compute a clientEnv object, then inject via Next/Vite/Expo integrations.

How do I prevent accidental client exposure?

Set requireClientPrefix: true and choose clientPrefix(es) in defineConfig. This forces .client() keys to start with PUBLIC_ (or your chosen prefixes).

Can I compute defaults from other variables?

Yes, with expand: true and ${VAR:-fallback} patterns. Use json(...) to compute structured defaults.

Can I audit when secrets are read?

Pass an audit object to defineConfig. Reads via config.get(key) will emit events.

Does Confkit work on edge runtimes?

Yes, it avoids Node built‑ins on the hot path. Some features (like .env file loading) require Node and only run server‑side.

Troubleshooting

Common issues and quick fixes.

Next.js

Type-safe config for Next.js — inject safe client env, validate in dev, show errors in the overlay, and read config in Server Components and Route Handlers.

On this page

Why not Zod/Valibot/etc.?How do I expose values to the client safely?How do I prevent accidental client exposure?Can I compute defaults from other variables?Can I audit when secrets are read?Does Confkit work on edge runtimes?