As I take it, environment variables prefixed with NEXT_PUBLIC_ will be substituted by their respective values in the resulting bundle.
Is it safe to supply things like API keys, OAuth secrets and the like using NEXT_PUBLIC_* variables or can an end user theoretically access these secret values? If this is the case, then what is the recommended approach to circumventing this potential security issue?
Thank you all for clarification.
NEXT_PUBLIC_ environment variable prefixes should only be used for values which are non-sensitive, and as you pointed out, which you're comfortable with being present in the final bundle. Prefixing any sensitive keys or secret environment variables with NEXT_PUBLIC_ is a security risk. Those values should only be accessible to next.js at build time or server-side.
Consider using Next.js API routes to isolate any service-oriented business logic to the server-side of things.
