Nuxt

How do you securely manage private/public config variables in Nuxt 4, and what's the difference between runtimeConfig vs app.config?

December 4, 2025

download ready
Thank You
Your submission has been received.
We will be in touch and contact you soon!

Nuxt 4 separates runtimeConfig for secure environment variables from app.config for reactive theme/UI settings. runtimeConfig supports private server-only keys (NUXT_SECRET_ prefix) and public client-safe values (NUXT_PUBLIC_), while app.config handles static theme objects with HMR but no env var access. Private configs never reach client; public configs hydrate safely.​

runtimeConfig supports environment variables (private/public), exposes only public subset to client, keeps private keys server-side, but requires restart for changes. app.config is static-only (no env vars), exposes full object to client, SSR-safe for all data, and supports hot reload.

Complete Implementation:-

Step 1: nuxt.config.ts

Code

export default defineNuxtConfig({
  runtimeConfig: {
    apiSecret: 'fallback',      // Server-only (NUXT_API_SECRET)
    public: {
      apiUrl: '/api',           // Client-safe (NUXT_PUBLIC_API_URL)
      version: '1.0.0'
    }
  }
})

Step 2: Environment (.env)

Code

NUXT_API_SECRET=supersecret
NUXT_PUBLIC_API_URL=https://api.com

Step 3: Usage Patterns

Code

<script setup>
// Runtime config (env-driven)
const { public: { apiUrl } } = useRuntimeConfig()
// apiUrl: Client-safe only

// App config (theming)
const { theme } = useAppConfig()
// theme: Full object, HMR-enabled
</script>

Step 4: Server Access

Code

// server/api/data.get.ts
export default defineEventHandler(async () => {
  const config = useRuntimeConfig()
  // Full access: config.apiSecret + config.public.apiUrl
})
Arrow icon

Previous

Next

Arrow icon
Hire Now!

Need Help with Nuxt Development ?

Work with our skilled nuxt developers to accelerate your project and boost its performance.
**Hire now**Hire Now**Hire Now**Hire now**Hire now

Related Q&A

blog-banner-img
calender
March 19, 2026

How do you create runtime-only composable plugins in Nuxt 4 using app/extensions?

Nuxt
All
blog-banner-img
calender
March 19, 2026

What breaking changes in Nuxt 4 require migration attention?

Nuxt
All
blog-banner-img
calender
March 19, 2026

What's Nuxt 4's MCP server for AI-assisted coding?

Nuxt
All
Ready to Build
Something Amazing?
Got an Idea?
We got you.
Need a Tech Partner
You Can Trust?
Got Challenges?
We’ve Got Solutions.
Your Vision,
Our Mission.
Let’s talk.
Project Inquiry
Email iconhello@zignuts.com
Call icon+49 3056837888
Call icon+1 4088728242
Career Inquiry
Email icontalent@zignuts.com
Call icon+91 9427726620
India
A-409, Siddhraj Zori, Gandhinagar, 382421, Gujarat, India
Germany
Rheinsberger Str. 76,10115 Berlin, Germany
USA
611 Gateway Blvd, South San francisco, CA 94080, USA
Company Deck

Company Deck

PDF, 3MB

© 2026 Zignuts Technolab. All Rights Reserved.

Facebook iconTwitter iconInstagram iconYoutube iconLinkedIn iconSocial icon

How do you securely manage private/public config variables in Nuxt 4, and what's the difference between runtimeConfig vs app.config?

Nuxt 4 separates runtimeConfig for secure environment variables from app.config for reactive theme/UI settings. runtimeConfig supports private server-only keys (NUXT_SECRET_ prefix) and public client-safe values (NUXT_PUBLIC_), while app.config handles static theme objects with HMR but no env var access. Private configs never reach client; public configs hydrate safely.​

runtimeConfig supports environment variables (private/public), exposes only public subset to client, keeps private keys server-side, but requires restart for changes. app.config is static-only (no env vars), exposes full object to client, SSR-safe for all data, and supports hot reload.

Complete Implementation:-

Step 1: nuxt.config.ts

Code

export default defineNuxtConfig({
  runtimeConfig: {
    apiSecret: 'fallback',      // Server-only (NUXT_API_SECRET)
    public: {
      apiUrl: '/api',           // Client-safe (NUXT_PUBLIC_API_URL)
      version: '1.0.0'
    }
  }
})

Step 2: Environment (.env)

Code

NUXT_API_SECRET=supersecret
NUXT_PUBLIC_API_URL=https://api.com

Step 3: Usage Patterns

Code

<script setup>
// Runtime config (env-driven)
const { public: { apiUrl } } = useRuntimeConfig()
// apiUrl: Client-safe only

// App config (theming)
const { theme } = useAppConfig()
// theme: Full object, HMR-enabled
</script>

Step 4: Server Access

Code

// server/api/data.get.ts
export default defineEventHandler(async () => {
  const config = useRuntimeConfig()
  // Full access: config.apiSecret + config.public.apiUrl
})