why exported variable in *.server.js exposed to client? #14094

tsulatsitamim · 2025-07-29T00:16:54Z

tsulatsitamim
Jul 29, 2025

based on docs

auth.server.js
// This would expose secrets on the client
export const JWT_SECRET = process.env.JWT_SECRET;

brookslybrand · 2025-07-29T14:04:41Z

brookslybrand
Jul 29, 2025
Maintainer

It's just an example

Exporting it from a *.server.* file mean that that secret can never be read from the client.

If you weren't using a *.server.* module, and exporting a secret like that, it would be unsafe as it would be exposed on the client

0 replies

tsulatsitamim · 2025-07-29T15:35:53Z

tsulatsitamim
Jul 29, 2025
Author

why the docs say: This would expose secrets on the client when exported from auth.server.js

1 reply

brookslybrand Jul 30, 2025
Maintainer

It's saying "this would expose secrets on the client if it were exported from a non-.server module`". I can update the language in the doc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

why exported variable in *.server.js exposed to client? #14094

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

why exported variable in *.server.js exposed to client? #14094

Uh oh!

tsulatsitamim Jul 29, 2025

Replies: 2 comments · 1 reply

Uh oh!

brookslybrand Jul 29, 2025 Maintainer

Uh oh!

tsulatsitamim Jul 29, 2025 Author

Uh oh!

brookslybrand Jul 30, 2025 Maintainer

tsulatsitamim
Jul 29, 2025

Replies: 2 comments 1 reply

brookslybrand
Jul 29, 2025
Maintainer

tsulatsitamim
Jul 29, 2025
Author

brookslybrand Jul 30, 2025
Maintainer