> ## Documentation Index
> Fetch the complete documentation index at: https://www.dynamic.xyz/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Config as code

> Snapshot a Dynamic environment to YAML with dyn export and reconcile changes with dyn apply, guarded by opt-in safety gates.

`dyn export` and `dyn apply` are the config-as-code pair. Together they let you treat an environment's configuration as a file you can review, diff, version in git, and apply repeatably.

<Note>
  **What you need:** The CLI installed and authenticated, with an environment selected. See [Getting started](/cli/getting-started). Both commands act on the **active environment** — confirm it with `dyn status` first.
</Note>

## Export an environment

```sh theme={"system"}
dyn export --output-file env.yaml      # snapshot the active environment to YAML
dyn export --output-file env.json --format json
```

Export captures providers, settings, webhooks, chains, custom fields, gates, and more — everything that defines how the environment behaves.

## Apply a file

`dyn apply` diffs a file against the current environment and brings the environment into line with the file.

```sh theme={"system"}
dyn apply -f env.yaml --dry-run        # preview the plan, change nothing
dyn apply -f env.yaml                  # apply the changes
```

<Warning>
  Always preview with `--dry-run` first. The dry-run prints exactly what would be added, updated, or deleted without touching the environment.
</Warning>

## Safety gates

On the real (non-dry-run) path, `dyn apply` refuses risky changes unless you opt in with an explicit flag. This prevents a stale or hostile YAML file from silently weakening auth or deleting resources.

| Flag                          | Required when the plan…                                                                             |
| ----------------------------- | --------------------------------------------------------------------------------------------------- |
| `--allow-critical-changes`    | …mutates auth-critical resources (providers, JWT keys, MFA, etc.).                                  |
| `--allow-security-downgrades` | …weakens a security setting (e.g. turns MFA off, removes an allowlist entry).                       |
| `--allow-new-domains`         | …introduces a URL whose host is not already trusted. In a TTY, you're prompted to confirm the host. |
| `--allow-delete`              | …deletes any resource. Off by default so a YAML missing entries can't silently remove them.         |
| `--skip-deletions`            | Apply adds and updates but skips every delete. A safe default for partial-YAML workflows.           |

Other useful flags: `--concurrency <n>` to parallelize mutations, and `--yes` to skip the final confirmation prompt (required in non-interactive contexts).

## Common patterns

**Clone live into sandbox.** Export production, then apply it to a safe playground:

```sh theme={"system"}
dyn environments switch <live-env-id>
dyn export --output-file live.yaml

dyn environments switch <sandbox-env-id>
dyn apply -f live.yaml --dry-run
dyn apply -f live.yaml --allow-critical-changes
```

**Review config changes in git.** Track `envs/sandbox.yaml` in your repo, edit it in a pull request, and apply after review:

```sh theme={"system"}
dyn apply -f envs/sandbox.yaml --dry-run
```

**Drift detection in CI.** Run a dry-run on every pull request to surface configuration drift between your file and the live environment:

```sh theme={"system"}
dyn apply -f envs/live.yaml --dry-run
```

## Related

* [Project settings](/cli/guides/project-settings) — change individual settings without a full apply.
* [Authentication & CI](/cli/guides/authentication) — run `dyn apply` non-interactively in pipelines.
