Convert JSON secrets from AWS Secrets Manager, Vault, or any JSON source into a .env file. Handles nested objects, quoting, prefixes, and more.
How it works
- Paste any JSON object, flat or nested (e.g. from AWS Secrets Manager, Vault, GCP Secret Manager)
- Nested keys are flattened: database.host becomes DATABASE_HOST
- Values with spaces, special chars, or $ are quoted automatically
- Arrays become comma-separated strings
What is a .env file?
A .env file stores environment variables as KEY=VALUE pairs, one per line, following the dotenv convention popularized by Ruby and Node.js. Tools like Docker Compose, Next.js, Vite, and Rails load it automatically at startup, which keeps secrets and per-environment configuration out of your source code. By convention keys are UPPER_SNAKE_CASE, lines starting with # are comments, and there must be no spaces around the = sign: KEY = value is a syntax error in most parsers.
How does this converter work?
Paste any JSON object, flat or nested, and the tool converts every key into an environment variable line. You can flatten nested objects with an underscore, double-underscore, or dot separator, prepend a prefix to every key, force upper or lower case, pick a quoting style, add an export prefix for shell sourcing, and copy or download the result as a ready-to-use .env file. Arrays become comma-separated strings.
How do I convert an AWS Secrets Manager secret to a .env file?
Secrets Manager returns secrets as a JSON string. On the CLI you would run aws secretsmanager get-secret-value --secret-id myapp/prod --query SecretString --output text, then pipe it through jq to build KEY=VALUE lines. This tool replaces that jq gymnastics: paste the SecretString JSON and get a correctly quoted .env instantly. The same workflow applies to GCP Secret Manager payloads, HashiCorp Vault kv get -format=json output, and Doppler or Infisical exports.
How do I store nested JSON in environment variables?
Environment variables are flat, so nested objects must be flattened into compound keys: database.credentials.password becomes DATABASE_CREDENTIALS_PASSWORD. The separator matters per ecosystem: ASP.NET Core expects a double underscore (DATABASE__HOST), while most Node.js and Python apps use a single underscore. Alternatively, disable flattening here and each nested value is serialized as a JSON string you can JSON.parse at runtime, a common pattern for feature-flag blobs.
When should .env values be quoted?
Quote a value when it contains spaces, #, =, $, backticks, quotes, or newlines; otherwise parsers truncate at the first special character. A password like p@ss word#1 silently becomes p@ss until you quote it, a classic source of mysterious auth failures. Note that double quotes allow $VAR interpolation in many loaders while single quotes are literal. The auto mode here quotes only values that need it, matching what dotenv parsers expect.
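The flattening rule and the auto-quoting rule from the two answers above, combined in one small converter. This is an added example, not the tool's own source: the function names and the sample secret are constructed for illustration, and the double-quote fallback assumes a loader that honours backslash escapes.

```javascript
// Added example, not the tool's own source; all function names are hypothetical.
const NEEDS_QUOTES = /[\s#=$`"'\\]/;

// Build a valid variable name: upper-case, only [A-Z0-9_], never starting with a digit.
function envKey(name) {
  const key = name.toUpperCase().replace(/[^A-Z0-9_]/g, "_");
  return /^[0-9]/.test(key) ? "_" + key : key;
}

// Flatten nested objects into compound keys; arrays become comma-separated strings.
function flatten(obj, separator, path = [], out = {}) {
  for (const [key, value] of Object.entries(obj)) {
    const name = [...path, key].join(separator);
    if (Array.isArray(value)) {
      out[name] = value.map((v) => (v !== null && typeof v === "object" ? JSON.stringify(v) : String(v))).join(",");
    } else if (value !== null && typeof value === "object") {
      flatten(value, separator, [...path, key], out);
    } else {
      out[name] = value === null ? "" : String(value);
    }
  }
  return out;
}

// Quote only when needed. Single quotes are preferred because they are literal ($ is not expanded).
function quoteValue(s) {
  if (!NEEDS_QUOTES.test(s)) return s;
  if (!/['\r\n]/.test(s)) return `'${s}'`;
  // Assumption: the loader honours backslash escapes inside double quotes (not all do).
  const escaped = s.replace(/[\\"$`]/g, "\\$&").replace(/\n/g, "\\n").replace(/\r/g, "\\r");
  return `"${escaped}"`;
}

function jsonToEnv(json, { prefix = "", separator = "_" } = {}) {
  const data = typeof json === "string" ? JSON.parse(json) : json;
  const isObject = data !== null && typeof data === "object" && !Array.isArray(data);
  if (!isObject) throw new TypeError("expected a JSON object at the top level");
  return Object.entries(flatten(data, separator))
    .map(([key, value]) => `${envKey(prefix + key)}=${quoteValue(value)}`)
    .join("\n");
}

// Constructed sample input (not a real secret).
const sample = {
  database: { host: "db.internal", credentials: { password: "p@ss word#1" } },
  allowed_origins: ["https://a.example", "https://b.example"],
  api_token: "tok$en",
  note: "it's\nAPI_TOKEN=overwritten", // embedded newline must not start a second line
};
console.log(jsonToEnv(sample));
```

The last sample value contains a newline followed by what looks like another assignment; because the newline is escaped inside quotes, the output still has exactly one line per key.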
Why is my .env variable not loading?
The usual suspects: spaces around the = sign, a key that starts with a digit, Windows CRLF line endings confusing a Unix parser, or the file simply not being read: plain docker run does not load .env unless you pass --env-file .env, and shells ignore it unless lines have an export prefix and you source the file. Frameworks also differ on precedence: an existing shell variable usually wins over the .env value.
Is it safe to paste secrets into this tool?
Yes. The conversion runs entirely in your browser with JavaScript: your JSON is never uploaded, logged, or sent to any server, and there is no analytics on the input field. You can verify by loading the page and disconnecting from the network; conversion still works. That said, the output is still a plaintext secrets file: add .env to .gitignore and commit a sanitized .env.example instead, because secrets pushed to git history are compromised secrets.