Two completely different things on Falix are both called "variables", and telling them apart saves a lot of confusion. One lives in the panel; the other lives in your code. Here's each, and then the part that really matters: where to keep secrets like a bot token.
| Kind of variable | Where it lives | What it controls |
|---|---|---|
| Application variables | The Settings page | How the runtime starts — Main file, Requirements file, version |
| Environment variables | Your code, from a .env file |
SERVER_PORT, plus your own secrets (tokens, keys, passwords) |
Variable #1: the application's variables (in Settings)
Every application has a small, fixed set of variables on the Settings page. They control how the runtime starts — things like the Main file for Node.js (which file to run), the Requirements file for Python, or the runtime version. You can edit them on every plan, free or premium.
These are not a place to put your own secrets. They're a short list of knobs the application defines, and that's all. If you're changing which file runs or which Python version you're on, that's Settings.
There's one exception worth knowing: a few applications generate their own secret and show it here. A database application (Redis, PostgreSQL, MongoDB) creates a password at install, Code-Server generates a login password, and some game servers expect an auth key — all of these live in Settings variables. The rule of thumb: secrets the platform creates for you are read from Settings; secrets your code needs go in a .env file, below.
Variable #2: your app's own environment
The other kind of variable is the one your code reads — an environment variable. Falix already gives you one automatically: SERVER_PORT, the public port a web app should listen on. You read it in code like any environment variable:
const port = process.env.SERVER_PORT; // Node
import os
port = os.environ["SERVER_PORT"] # Python
Your app's secrets — a Discord bot token, a database password, an API key — are environment variables too, but ones you provide. The safe home for them is a file called .env in your server folder, read by your code at startup. Never paste them straight into your code.
Putting secrets in a .env file
A .env file is just names and values, one per line:
DISCORD_TOKEN=paste-your-token-here
⚠️ Heads up:
.envvalues are taken literally. Don't wrap them in quotes and don't put spaces around the=— writeDISCORD_TOKEN=abc, notDISCORD_TOKEN = "abc". The quotes and the stray space become part of the value, and your login fails with an "invalid token" error that looks like a bad token when it's really a bad line. OneNAME=valueper line, nothing else. This is a common cause of a bot that shows offline.
Your code loads it with a small library called dotenv. Add the library from the Packages page (dotenv for Node, python-dotenv for Python), then read your secret from the environment:
require('dotenv').config();
const token = process.env.DISCORD_TOKEN;
import os
from dotenv import load_dotenv
load_dotenv()
token = os.environ["DISCORD_TOKEN"]
💡 Tip: The Discord bot starter templates already come wired up this way — deploy one and you'll find a
.envwaiting for your token.
Keep secrets out of Git
⚠️ Heads up: A secret in your code is a secret in your Git history — once it's pushed to a public repo, treat it as leaked forever.
Keep .env out of your repository by listing it in .gitignore. Git deploys on Falix never delete files that aren't in your repo, so a .env that lives only on your server survives every deploy — your token stays put while your code updates around it. The full walkthrough is Keep secrets out of Git.
If a token leaks, reset it
If a token ever ends up somewhere public, rotate it — don't just delete the message, because anyone who saw it still has it. For a Discord bot: open the Discord Developer Portal, pick your application, go to the Bot page, and press Reset Token. The old token stops working immediately, and you're shown a new one once — copy it. Put the new value in your .env, restart the server, and the leaked token is worthless. The same idea applies to any API key: whoever issued it can revoke and reissue it.
Next steps
- Your first Discord bot
- Keep secrets out of Git
- My bot shows offline — often a token problem