obfus.link

YAML to .env converts YAML configuration files into .env KEY=VALUE format with nested key flattening, secret pattern scanning, and platform-native output. Output formats include Vercel JSON, Fly.io fly.toml, Railway, and Docker Compose. The secret scanner flags TOKEN, SECRET, KEY, and PASSWORD patterns with severity ratings before they reach commits or logs.

Tier 2converters✓ TDD Verified

YAML to .env

Convert YAML config to .env format with secret scanning

How to use

  1. Paste YAMLDrop in your YAML mapping document. Root must be a key-value mapping, not a list.
  2. Set prefix (optional)Add a prefix like APP to namespace all keys — DATABASE__HOST becomes APP_DATABASE__HOST.
  3. Choose delimiter and quotingDefault __ produces DATABASE__HOST. Change to _ for DATABASE_HOST. Choose quoting for spaced values.
  4. Enable secret scanFlag keys containing TOKEN, SECRET, KEY, PASSWORD with high or medium severity.
  5. Pick target platformVercel for JSON array, Fly.io for fly.toml [env], Railway, Docker Compose, or generic .env.
  6. ConvertClick Convert or press Ctrl+Enter. Output is generated instantly.
Read technical article

MCP / API

Call yaml_to_env directly from any MCP-compatible agent:

// MCP TypeScript SDK
const result = await client.callTool({
  name: "yaml_to_env",
  arguments: {
    "yaml": "..."
  }
});

// curl
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/call","params":{"name":"yaml_to_env","arguments":{"yaml":"..."}}}'

Related tools

JSON to Zod
Generate Zod schemas with JSDoc and branded types from any JSON
JWT Hardener
Audit and harden JWT tokens with security scoring and diff output
LLM to JSON Cleaner
Repair malformed JSON from LLM responses with confidence scoring

FAQ

What YAML structures are supported?

Any YAML mapping (object) at the root level. Nested objects flatten using the delimiter. Arrays join as comma-separated strings with a warning. Root-level arrays return an error.

What does the secret scanner check?

Key names containing SECRET, PASSWORD, PRIVATE, or PASSPHRASE are flagged as high severity. Keys containing KEY, TOKEN, CERT, or API are flagged as medium severity. Only key names are scanned — values are not inspected, so the tool never logs sensitive data.

What format does Vercel output produce?

A JSON array of { key, value } objects — the format expected by the Vercel CLI --env flag and the Vercel dashboard environment variable import.

How does the prefix differ from the delimiter?

The delimiter separates YAML nesting levels (DATABASE__HOST). The prefix is an external namespace applied after flattening, always connected with a single underscore (APP prefix + DATABASE__HOST = APP_DATABASE__HOST). They are separate concepts.

Can I use this tool via the MCP API?

Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.