diff --git a/.gitignore b/.gitignore
index 86a0c7a..1b69d17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+/.env
 /target/
 /config.json
diff --git a/Cargo.lock b/Cargo.lock
index 31e0df6..473bc11 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -498,6 +498,12 @@ dependencies = [
  "syn 2.0.102",
 ]
 
+[[package]]
+name = "dotenv"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77c90badedccf4105eca100756a0b1289e191f6fcbdadd3cee1d2f614f97da8f"
+
 [[package]]
 name = "dyn-clone"
 version = "1.0.19"
@@ -2559,8 +2565,7 @@ dependencies = [
 [[package]]
 name = "serde-env-field"
 version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7474686d028d4a3d580ac88d7cbd54a7c5ca4f8ecb437caa8e67bb074e2fae42"
+source = "git+https://github.com/illicitonion/serde-env-field.git?rev=aa455e090a2de89c2bdc53b20e3ce010e6e79d02#aa455e090a2de89c2bdc53b20e3ce010e6e79d02"
 dependencies = [
  "serde",
  "serde-env-field-wrap",
@@ -3271,6 +3276,7 @@ dependencies = [
  "case_insensitive_string",
  "chrono",
  "chrono-tz",
+ "dotenv",
  "email_address 0.2.9 (git+https://github.com/illicitonion/rust-email_address.git?rev=12cd9762a166b79a227beaa90b2f60a768d7c55c)",
  "futures",
  "google-drive",
diff --git a/Cargo.toml b/Cargo.toml
index 1c4eff4..e50bda7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,6 +11,7 @@ axum = { version = "0.8.4", features = ["macros", "original-uri"] }
 case_insensitive_string = { version = "0.2.10", features = ["serde"] }
 chrono = "0.4.41"
 chrono-tz = "0.10.3"
+dotenv = "0.15.0"
 # Until https://github.com/johnstonskj/rust-email_address/pull/43 is merged and released.
 email_address = { git = "https://github.com/illicitonion/rust-email_address.git", rev = "12cd9762a166b79a227beaa90b2f60a768d7c55c" }
 futures = "0.3.31"
@@ -37,7 +38,8 @@ regex = "1.11.1"
 reqwest = { version = "0.12.20", default-features = false, features = ["json", "rustls-tls"] }
 secrecy = "0.10"
 serde = { version = "1", features = ["derive"] }
-serde-env-field = "0.3.2"
+# Until https://github.com/mrshiposha/serde-env-field/pull/2 is merged and released.
+serde-env-field = { git = "https://github.com/illicitonion/serde-env-field.git", rev = "aa455e090a2de89c2bdc53b20e3ce010e6e79d02" }
 serde_json = "1"
 serde_urlencoded = "0.7.1"
 sheets = "0.7.0"
diff --git a/config.prod.json b/config.prod.json
index b9133c4..e8aa5bf 100644
--- a/config.prod.json
+++ b/config.prod.json
@@ -1,11 +1,11 @@
 {
   "github_org": "CodeYourFuture",
-  "github_client_id": "Ov23liyZuouqyi9L3ZpM",
+  "github_client_id": "$CYF_TRAINEE_TRACKER_GITHUB_CLIENT_ID",
   "github_client_secret": "$CYF_TRAINEE_TRACKER_GITHUB_CLIENT_SECRET",
   "addr": "0.0.0.0",
   "port": 3000,
-  "public_base_url": "https://trainee-tracker.hosting.codeyourfuture.io",
-  "google_apis_client_id": "403459539948-q1psg497mlfk9u6cgf0eea5qum4gp92n.apps.googleusercontent.com",
+  "public_base_url": "$CYF_TRAINEE_TRACKER_PUBLIC_BASE_URL",
+  "google_apis_client_id": "$CYF_TRAINEE_TRACKER_GOOGLE_APIS_CLIENT_ID",
   "google_apis_client_secret": "$CYF_TRAINEE_TRACKER_GOOGLE_APIS_CLIENT_SECRET",
   "github_email_mapping_sheet_id": "1ahDEnO8odD9oLtO_EBcvcmEaF0qsX-I4iLCIY0XLjt0",
   "reviewer_staff_info_sheet_id": "1CKDrXtx5lkgfZ8E2mjvsDup2K8UyBsq99CIV0qOxrP0",
diff --git a/src/auth.rs b/src/auth.rs
index f7546dc..1373ca5 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -73,7 +73,7 @@ async fn exchange_github_oauth_code_for_access_token(
     let client = reqwest::Client::new();
 
     let response: GitHubOauthExchangeResponse = client
-        .get(format!("https://github.com/login/oauth/access_token?client_id={client_id}&client_secret={client_secret}&code={code}", client_id = config.github_client_id, client_secret = *config.github_client_secret, code = code))
+        .get(format!("https://github.com/login/oauth/access_token?client_id={client_id}&client_secret={client_secret}&code={code}", client_id = config.github_client_id, client_secret = config.github_client_secret, code = code))
         .header(reqwest::header::ACCEPT, "application/json")
         .send()
         .await?
diff --git a/src/bin/trainee-tracker.rs b/src/bin/trainee-tracker.rs
index acbe439..730a0f1 100644
--- a/src/bin/trainee-tracker.rs
+++ b/src/bin/trainee-tracker.rs
@@ -1,4 +1,5 @@
 use axum::routing::get;
+use dotenv::dotenv;
 use tower_sessions::{Expiry, MemoryStore, SessionManagerLayer};
 use tracing::info;
 use tracing_subscriber::prelude::*;
@@ -26,6 +27,12 @@ async fn main() {
         .try_init()
         .expect("Failed to configure logging");
 
+    if let Err(err) = dotenv() {
+        if !err.not_found() {
+            panic!("Error loading .env file: {}", err);
+        }
+    }
+
     let config_bytes = std::fs::read(&args[0]).expect("Failed to read config file");
     let config: Config =
         serde_json::from_slice(&config_bytes).expect("Failed to parse config file");
diff --git a/src/config.rs b/src/config.rs
index 24a339b..febdfba 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -13,11 +13,11 @@ use crate::{
 #[derive(Clone, Deserialize)]
 pub struct Config {
     pub github_org: String,
-    pub github_client_id: String,
+    pub github_client_id: EnvField<String>,
     pub github_client_secret: EnvField<String>,
     pub addr: Option<IpAddr>,
     pub port: u16,
-    pub public_base_url: String,
+    pub public_base_url: EnvField<String>,
     /// Courses being tracked. Keys are things like "itp" or "sdc".
     /// Ideally this would be less hard-coded.
     /// Possible sources of truth for this are:
@@ -31,7 +31,7 @@ pub struct Config {
     /// e.g. for itp, we'd expect itp-trainees/2025-05 and itp-mentors to exist.
     pub courses: IndexMap<String, CourseInfo>,
 
-    pub google_apis_client_id: String,
+    pub google_apis_client_id: EnvField<String>,
     pub google_apis_client_secret: EnvField<String>,
 
     pub slack_client_id: String,