Skip to Content
Self-HostingEnvironment Variables

Environment Variables

All configuration is provided via environment variables. Set them in .env.local for local development, or as container environment variables for Docker/EC2 deployments.

Required

VariableDescription
NEXT_PUBLIC_SUPABASE_URLYour Supabase project URL (e.g., https://xyz.supabase.co)
NEXT_PUBLIC_SUPABASE_ANON_KEYSupabase anon key (public, used in browser)
SUPABASE_SERVICE_ROLE_KEYSupabase service role key (secret, server-only)

Optional — Application

VariableDescription
DEFAULT_ADMIN_EMAILAdmin account email used by the setup script and on first startup. Defaults to admin@example.com if unset.
DEFAULT_ADMIN_PASSWORDAdmin account password applied on startup only if the password has never been changed. Must be set to a strong secret in production.

Optional — Runtime Env Whitelisting

These variables control which environment values are exposed to runtime automation code (extensions, cron jobs, custom services).

VariableDefaultDescription
RUNTIME_ENV_WHITELIST_GLOBAL(empty)Comma-separated keys exposed to all runtime scopes
RUNTIME_ENV_WHITELIST_EXTENSION(empty)Comma-separated keys exposed only to runtime extensions
RUNTIME_ENV_WHITELIST_CRON(empty)Comma-separated keys exposed only to cron jobs
RUNTIME_ENV_WHITELIST_CUSTOM_SERVICE(empty)Comma-separated keys exposed only to custom services

Prefix-based exposure is also supported:

  • RUNTIME_PUBLIC_* (all scopes)
  • EXTENSION_PUBLIC_* (extensions only)
  • CRON_PUBLIC_* (cron only)
  • CUSTOM_SERVICE_PUBLIC_* (custom services only)

For full examples and code usage, see Runtime Env Whitelisting.

Optional — CORS

VariableDefaultDescription
CORS_ENABLEDtrueWhether CORS headers are set
CORS_ORIGINS(empty — blocks all)Comma-separated allowed origins
CORS_METHODSGET,HEAD,POST,PUT,PATCH,DELETE,OPTIONSAllowed HTTP methods
CORS_ALLOWED_HEADERSContent-Type, Authorization, Origin, X-Requested-With, Accept, X-Resource-UriAllowed request headers
CORS_EXPOSE_HEADERS(empty)Headers exposed to the client
CORS_ALLOW_CREDENTIALSfalseSet Access-Control-Allow-Credentials
CORS_MAX_AGE600Preflight cache duration in seconds

See CORS for examples.

Optional — SMTP (Email)

SMTP can be configured via environment variables or via the Settings UI. Environment variables take precedence.

VariableDefaultDescription
SMTP_ENABLEDfalseEnable SMTP email sending
SMTP_HOST(empty)SMTP server hostname
SMTP_PORT587SMTP port
SMTP_USER(empty)SMTP username
SMTP_PASSWORD(empty)SMTP password
SMTP_FROM_EMAIL(empty)Sender email address (SMTP_FROM accepted as alias)
SMTP_FROM_NAME(empty)Sender display name
SMTP_SECUREfalsetrue for SSL/TLS, false for STARTTLS
SMTP_IGNORE_TLSfalseSkip TLS entirely (not recommended in production)

Security Notes

  • Never commit .env.local to version control
  • SUPABASE_SERVICE_ROLE_KEY grants full database access — keep it secret
  • NEXT_PUBLIC_* variables are embedded in the browser bundle — never put secrets in them
Last updated on