Scopes and precedence
Environment variables are resolved from three levels. Higher-priority levels override lower ones when the same key appears at multiple levels.| Priority | Scope | Set by | Applies to |
|---|---|---|---|
| Highest | Workspace user overrides | Individual member | Tasks in this workspace only |
| Middle | User defaults | Individual member | All workspaces the member belongs to |
| Lowest | Workspace defaults | Workspace admin | All members in this workspace |
When the same variable key exists at multiple levels, the highest-priority level wins. For example, if a workspace default sets
DATABASE_URL and a member overrides it in their workspace user config, the member’s value is used for their tasks.Adding environment variables
Workspace-level variables
Workspace admins can set variables that apply to all members:- Open Workspace Settings > Configuration > Workspace Defaults tab
- Scroll to the Environment Variables section
- Add key-value pairs in the
.enveditor - Click Save
User-level variables
Members can set personal variables that apply across all their workspaces:- Open Settings > Configuration > User Defaults tab
- Scroll to the Environment Variables section
- Add your key-value pairs
- Click Save
Per-workspace user overrides
For workspace-specific personal overrides:- Open Settings > Configuration > My Workspace Overrides tab
- Scroll to the Environment Variables section
- Add or override variables for this workspace only
- Click Save
Multi-file support
Environment variables are organized into.env files. You can create multiple files following the .env / .env.<suffix> naming convention (e.g., .env.local, .env.production, .env.test).
Files are processed in order: .env first, then additional files alphabetically. If the same key appears in multiple files, the later file takes precedence.
Secret masking
Whim automatically detects likely secrets based on key names and masks their values in the UI. Variables with keys matching common patterns are treated as secrets:- Keys containing
secret,password, ortoken - Keys matching patterns like
API_KEY,ACCESS_KEY,PRIVATE_KEY
Disabling workspace variables
Members can disable specific workspace-level variables without removing them from the workspace. This is useful when a workspace variable conflicts with your personal setup. Disabled variables are filtered out before merging, so they won’t appear in your task containers even though they remain configured at the workspace level.How variables are injected into containers
When a task starts, Whim resolves environment variables from all three levels and injects them into the container in two ways:- As environment variables — merged directly into the container’s environment for immediate access via
process.envor equivalent. - As
.envfiles — written to the/appdirectory inside the container (e.g.,/app/.env,/app/.env.local), where application frameworks can discover them automatically.
System variables
Whim also injects system variables that provide task context. These cannot be overridden by user-defined variables:| Variable | Description |
|---|---|
WHIM_AI_PROVIDER | The configured AI provider (e.g., claude, codex) |
WHIM_AI_RUNTIME | The AI runtime in use |
WHIM_TASK_ID | The current task’s unique identifier |
WHIM_WORKSPACE_ID | The workspace identifier |
WHIM_TEAM_ID | The team identifier |
WHIM_GITHUB_TOKEN | GitHub access token for Git operations |
WHIM_CLONE_URL | The repository clone URL |
Common use cases
API keys
Store third-party API keys (OpenAI, Stripe, etc.) as workspace variables so every task can access external services.
Database URLs
Set
DATABASE_URL at the workspace level so all tasks connect to the right database without manual configuration.Build secrets
Store tokens like
NPM_TOKEN for use with workspace image builds via the buildSecrets configuration.Feature flags
Use per-user overrides to enable or disable features for individual members during development.