# Variables Variables are key/value pairs injected into your Destination code at runtime. Use them for anything you don't want hard-coded — API keys, pixel IDs, endpoint URLs, feature flags, environment-specific values. You manage variables from the **Variables** tab in the Playground UI. Each variable has a name, a value, and a flag that controls whether it's available in the browser. You have two types. **Variables** and **Secrets.** Use **Variables** when you need to store non-sensitive information, like URLs or pixel IDs. Use **Secrets** when you need to store sensitive information, such as access tokens or signing keys. ### Server-side access All variables are available in every edge file (`edge/init`, `edge/tag`, `edge/user`, `edge/scheduled`) and in your CDN and Server API handlers, under `params.secrets`: ```javascript const apiKey = params.secrets.API_KEY const endpoint = params.secrets.WEBHOOK_URL ``` Variable names are whatever you type in the UI — they aren't transformed. ### Exposing a variable to the browser By default, variables stay server-side. If you need a variable in browser code (for example, a public pixel ID), tick the **"also include on client"** checkbox when you create it. Client-side variables are available under a slightly different path depending on the browser file: * **`browser/init`** — `params.manifest.variables.PIXEL_ID` * **`browser/tag`** — `params.manifestVariables.PIXEL_ID` * **`browser/user`** — `params.manifestVariables.PIXEL_ID` ```javascript // browser/tag if (window.fbq) { window.fbq('init', params.manifestVariables.PIXEL_ID) window.fbq('track', params.eventName, { value: params.data.value }) } ``` {% hint style="warning" %} Anything you expose to the client is shipped to every visitor's browser and is effectively public. Only mark variables as client-side when they're safe to expose — public pixel IDs, feature flags, or public API keys. Never mark private API keys or signing secrets as client-side. {% endhint %} ### Redaction in Simulation When you run a simulation, Playground redacts sensitive values from the captured output. Any header or body key matching `authorization`, `token`, `api-key`, `api_key`, `secret`, `password`, or `cookie` is replaced with `[REDACTED]` before being shown. This keeps your logs clean even when your code legitimately forwards secrets to third-party APIs. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.edgetag.io/playground/destination/variables.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.