---
name: Secrets in .env files
description: User stores credentials in .env files, never in code or git
type: feedback
---

User stores sensitive credentials (API keys, secrets) in `.env` files next to `docker-compose.yml`. Always create/suggest `.env` + `.gitignore` together.

**Why:** User explicitly set up Spotify credentials this way.

**How to apply:** When any new secret/credential is added, offer to write it to `.env` and ensure `.gitignore` covers it.
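
One way to carry out the "How to apply" step, as an added example that is not part of the original note: it writes a key to `.env` with owner-only permissions, adds a `.gitignore` rule only when none covers the file, and offers a check for a `.env` that is already tracked. The function names (`put_secret`, `ensure_ignored`, `env_is_tracked`) are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not from the note.
# Usage (constructed key name): put_secret . SPOTIFY_CLIENT_SECRET "$value"

# ensure_ignored DIR: make sure a .gitignore rule covers DIR/.env.
ensure_ignored() {
  local dir="$1" gi="$1/.gitignore"
  if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    # --no-index tests the ignore patterns even if .env is already tracked.
    if git -C "$dir" check-ignore --no-index -q .env; then return 0; fi
  elif grep -qxF '.env' "$gi" 2>/dev/null; then
    return 0   # no git repository (yet): fall back to a literal-line check
  fi
  # Do not glue the rule onto an unterminated last line.
  if [ -s "$gi" ] && [ -n "$(tail -c1 "$gi")" ]; then echo >> "$gi"; fi
  printf '.env\n' >> "$gi"
}

# env_is_tracked DIR: succeeds if .env is already in the git index.
# A .gitignore rule does not untrack it, so it would still be committed.
env_is_tracked() {
  git -C "$1" ls-files --error-unmatch .env >/dev/null 2>&1
}

# put_secret DIR KEY VALUE: insert or replace KEY in DIR/.env (mode 600).
put_secret() {
  local dir="$1" key="$2" value="$3" env_file="$1/.env" tmp nl
  nl='
'
  case $key in   # accept only valid environment variable names
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid key" >&2; return 2 ;;
  esac
  case $value in
    *"$nl"*) echo "value must be a single line" >&2; return 2 ;;
  esac
  tmp=$(mktemp "$dir/.env.XXXXXX") || return 1   # mktemp creates it 0600
  if [ -f "$env_file" ]; then
    grep -v "^${key}=" "$env_file" > "$tmp" || true   # drop the old entry
  fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$env_file"   # replace in one step; .env ends up mode 600
  ensure_ignored "$dir"
}
```

If `env_is_tracked` succeeds, the file has to be removed from the index (`git rm --cached .env`) and any committed credential rotated, since the ignore rule only affects untracked files.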