.env to JSON Converter

Convert .env files to JSON and back, with output for Docker, Kubernetes, and shell export scripts.

๐Ÿ“ Drag & drop .env file or click to select
Files are read in-browser ยท not uploaded ยท max 8MB
Result

๐Ÿ”’ .env files often contain sensitive keys. This tool does not store your input in the browser (no auto-save). All conversions are executed entirely within this page and are not sent to any server. Your data disappears when you close the tab.
โ˜ธ๏ธ When migrating to Kubernetes, the general rule is to put common settings like ports and modes into a ConfigMap, and sensitive data like API keys, passwords, and tokens into a Secret. The Secret output uses the stringData format, which doesn't require base64 encoding, so you can directly paste the values.
๐Ÿ“Œ Parsing rules: export prefix allowed ยท \n \t \r \\ \" inside double quotes are interpreted as actual characters ยท single quotes are literal ยท unquoted values are commented from # after whitespace ยท = inside values and multi-line values are supported ยท the last value wins for duplicate keys.

What is the .env to JSON Converter?

Environment variables often need to be copied between formats: from a local .env file to a docker-compose.yml, then to a Kubernetes ConfigMap, then a shell script for debugging. This manual process is prone to errors with quotes, newlines, and special characters. This converter automates the task by accurately parsing .env files and converting them to JSON, YAML for Docker/Kubernetes, or shell `export` commands. Because .env files can contain secrets, all processing happens entirely in your browser; your data is never uploaded.

How to use

  1. Paste your .env or JSON content into the `Input (.env or JSON)` box, or drag and drop a file.
  2. The input format is automatically detected, but you can force it by selecting `.env` or `JSON` above the input area.
  3. Choose an output format: `JSON`, `.env`, `docker-compose`, `ConfigMap`, `Secret`, or `shell export`.
  4. If needed, change the `Service/resource name` for Docker or Kubernetes YAML output.
  5. Click `Copy` to get the result, or `Save` to download it as a file.

.env to JSON Converter guide

How this tool is used in real work, and what to watch out for.

This tool handles sensitive keys

.env files usually contain database passwords, API keys, payment secrets, and JWT signing keys. That's why we built this tool differently from others โ€” we've intentionally left out input auto-saving (to localStorage). While other converters might save your work if you accidentally close a tab, here, your data disappears when the tab is closed.

All conversions happen entirely within this page, and nothing is sent to any server. However, there are still ways your data can be leaked outside the browser, so stick to the basics of security.

  • Don't use this tool while screen sharing or recording. There are many cases of security incidents caused by keys captured in screenshots.
  • Using the Copy button leaves the value in your clipboard. On systems with clipboard history enabled (like Win+V on Windows or various app launchers), these values can be retrieved later.
  • Never use this on a public PC or someone else's laptop.
  • If you suspect a key has been exposed, the only solution is to revoke and reissue it. Masking the key or deleting the file is not enough.

What happens when you commit .env

It's common knowledge to add .env to your .gitignore, but accidents usually happen with that "first commit." In the early stages of a project, it's easy to commit the .env file first and add .gitignore later. Once a file is tracked, adding it to .gitignore has no effect.

More importantly, even if you make a commit that deletes the file, the original content remains in the previous commit. Anyone can read it with `git log -p`. To completely remove it from history, you need to use a tool like `filter-repo` to rewrite history and force-push, but the old history might still exist in local copies of anyone who has already cloned the repository.

If it's a public repository, you don't have much time. There have been multiple reports of cloud keys from public GitHub repositories being discovered and exploited by automated scanners within minutes. That's why the number one priority when you discover a leak is to revoke and reissue the key, not clean up the history. Cleanup comes second.

bash
# To stop tracking an already-committed .env (it remains in history)
git rm --cached .env
echo ".env" >> .gitignore
git commit -m "chore: stop tracking .env"

# If a key is leaked, follow this order
# 1) Immediately revoke the key/password and issue a new one
# 2) Check access logs for signs of misuse
# 3) Then, clean the history (e.g., with git filter-repo)
Don't do this in reverse order. While you're busy cleaning up git history, the leaked key is still active.

The .env.example convention

You should commit .env.example to your repository, not .env itself. This is a file that contains the list of keys and their format, but with empty or dummy values. It helps new team members get started by copying this file, and it makes required environment variables visible during code reviews.

To create one with this tool, paste your .env content, set the output format to `.env`, and enable "Sort keys (Aโ†’Z)" to get an organized list. From there, just clear out the values and commit the file. You can use the "Keys" count in the stats to check for discrepancies between your .env and .env.example files, catching cases where someone added a new variable but forgot to update the example.

bash
# .env.example โ€” structure only, no values
DB_HOST=127.0.0.1
DB_PORT=3306
DB_PASSWORD=
JWT_SECRET=
SLACK_WEBHOOK_URL=
NODE_ENV=development

# Adding comments about where to get the keys speeds up onboarding
# STRIPE_SECRET_KEY=   # Get from the Stripe Developer Dashboard
Pay attention to the "Duplicate keys" and "Empty values" stats. For duplicate keys, the last value wins (same as in dotenv), which means an earlier value you set might have been silently ignored.

The 12-Factor App and Switching Formats

The 12-Factor App principle of separating configuration from code by storing it in environment variables has become widely adopted. This means the same set of values often needs to be moved between different formats: .env for local development, the `environment` block in docker-compose for containers, ConfigMaps/Secrets for Kubernetes, and `export` commands for checking on a server. Converting these by hand inevitably leads to errors with quotes and newlines.

Output FormatWhere to UseNotes
JSONConfig loaders, test fixturesIf "Infer JSON value types" is on, 3306 will become a number, not a string.
.envLocal development, draft for .env.exampleValues containing special characters will be automatically quoted.
docker-composeThe `environment` block in a compose fileChange the service name field to your actual service name.
ConfigMapKubernetes โ€” for non-secret configuratione.g., ports, modes, external URLs.
SecretKubernetes โ€” for keys, passwords, tokensOutputs in `stringData` format, no base64 encoding needed.
shell exportFor quick checks on a serverPasting this on the command line will leave it in your shell history.
Be careful with the "Infer JSON value types" option. While it seems convenient to have `PORT=3306` become a number and `DEBUG=false` a boolean, it can cause subtle bugs. Environment variables are natively strings, and your code might expect `process.env.PORT` to be a string. Numeric conversion can also cause issues with values like zip codes or any code with leading zeros, as the zeros will be stripped.

ConfigMap vs. Secret โ€” a Secret Is Not Encrypted

This is a common misconception. By default, a Kubernetes Secret is only base64 encoded, not encrypted. Anyone can reverse base64 with a one-line command. Encryption at rest (in etcd) is a separate setting that your cluster administrator must enable.

So why use Secrets? The main reasons are to enable separate access controls (RBAC), reduce exposure in logs and events, and follow operational best practice by clearly marking data as "secret." If you put an API key in a ConfigMap, anyone with permission to view ConfigMaps can see it.

  • This tool's Secret output uses the `stringData` format, which doesn't require base64 encoding, so you can paste the values directly.
  • The general rule is to put things like ports, modes, external URLs, and timeouts in a ConfigMap, and put API keys, database passwords, tokens, and signing keys in a Secret.
  • Multi-line values (like RSA private keys or service account JSON) are also supported. This tool outputs them as YAML block scalars for ConfigMap/Secret format and with escape notation for .env format. Check the "Multi-line values" count in the stats.
  • Committing a generated Secret YAML file to your repository is the same as committing your .env file. Use tools like Sealed Secrets or External Secrets, or inject the values from your CI/CD secrets store.

Frequently asked questions

Is it safe to paste secret keys here?

Yes. All parsing and conversion happens in your browser. Nothing is sent to our servers, and we intentionally disable auto-saving. Your data vanishes when you close the tab.

How does it handle multi-line values like private keys?

Multi-line values are fully supported. It correctly reads them from quoted .env variables and outputs them using YAML block scalars (`|`) for Kubernetes/Docker to preserve formatting.

How does it convert from JSON back to .env format?

Values containing spaces, `#`, quotes, or newlines are automatically wrapped in double quotes. Simple, safe values are left unquoted for better readability.

What happens if I have duplicate keys in my .env file?

Following standard `dotenv` behavior, the last value for a given key wins. The tool also flags duplicate keys in a status message so you can find and fix them.