Environment Variables
All configuration is provided via environment variables. Set them in .env.local for local development, or as container environment variables for Docker/EC2 deployments.
Required
| Variable | Description |
|---|---|
| NEXT_PUBLIC_SUPABASE_URL | Your Supabase project URL (e.g., https://xyz.supabase.co) |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Supabase anon key (public, used in browser) |
| SUPABASE_SERVICE_ROLE_KEY | Supabase service role key (secret, server-only) |
Optional — Application
| Variable | Description |
|---|---|
| DEFAULT_ADMIN_EMAIL | Admin account email used by the setup script and on first startup. Defaults to admin@example.com if unset. |
| DEFAULT_ADMIN_PASSWORD | Admin account password applied on startup only if the password has never been changed. Must be set to a strong secret in production. |
Optional — Runtime Env Whitelisting
These variables control which environment values are exposed to runtime automation code (extensions, cron jobs, custom services).
| Variable | Default | Description |
|---|---|---|
| RUNTIME_ENV_WHITELIST_GLOBAL | (empty) | Comma-separated keys exposed to all runtime scopes |
| RUNTIME_ENV_WHITELIST_EXTENSION | (empty) | Comma-separated keys exposed only to runtime extensions |
| RUNTIME_ENV_WHITELIST_CRON | (empty) | Comma-separated keys exposed only to cron jobs |
| RUNTIME_ENV_WHITELIST_CUSTOM_SERVICE | (empty) | Comma-separated keys exposed only to custom services |
Prefix-based exposure is also supported:
- RUNTIME_PUBLIC_* (all scopes)
- EXTENSION_PUBLIC_* (extensions only)
- CRON_PUBLIC_* (cron only)
- CUSTOM_SERVICE_PUBLIC_* (custom services only)
For full examples and code usage, see Runtime Env Whitelisting.
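The following JavaScript is an added example, not the project's implementation: it resolves which keys each runtime scope would see from the whitelist variables and prefixes above, and flags secrets documented on this page that end up exposed. It assumes whitelist entries match key names exactly and that prefixed keys are exposed under their full names; exposedKeys, auditExposure and the sample values are hypothetical.

```javascript
// Added example, not the project's code. Assumptions: whitelist entries match
// key names exactly, and prefixed keys are exposed under their full names.
const GLOBAL = { list: "RUNTIME_ENV_WHITELIST_GLOBAL", prefix: "RUNTIME_PUBLIC_" };
const SCOPES = {
  extension: { list: "RUNTIME_ENV_WHITELIST_EXTENSION", prefix: "EXTENSION_PUBLIC_" },
  cron: { list: "RUNTIME_ENV_WHITELIST_CRON", prefix: "CRON_PUBLIC_" },
  custom_service: { list: "RUNTIME_ENV_WHITELIST_CUSTOM_SERVICE", prefix: "CUSTOM_SERVICE_PUBLIC_" },
};
// Secrets documented on this page that automation code should never receive.
const SENSITIVE = ["SUPABASE_SERVICE_ROLE_KEY", "DEFAULT_ADMIN_PASSWORD", "SMTP_PASSWORD"];

// Split a comma-separated whitelist, tolerating spaces and empty entries.
function parseList(value) {
  return (value || "").split(",").map((k) => k.trim()).filter(Boolean);
}

// Sorted env keys visible to one scope: global rules plus the scope's own.
function exposedKeys(env, scope) {
  if (!Object.hasOwn(SCOPES, scope)) throw new Error(`unknown scope: ${scope}`);
  const keys = new Set();
  for (const { list, prefix } of [GLOBAL, SCOPES[scope]]) {
    for (const key of parseList(env[list])) {
      if (Object.hasOwn(env, key)) keys.add(key); // listed but unset: nothing to expose
    }
    for (const key of Object.keys(env)) {
      if (key.startsWith(prefix)) keys.add(key);
    }
  }
  return [...keys].sort();
}

// Sensitive keys that some scope would expose, as "scope:KEY" strings.
function auditExposure(env) {
  const findings = [];
  for (const scope of Object.keys(SCOPES)) {
    for (const key of exposedKeys(env, scope)) {
      if (SENSITIVE.includes(key)) findings.push(`${scope}:${key}`);
    }
  }
  return findings;
}

// Constructed sample environment (placeholder values only).
const sampleEnv = {
  SMTP_HOST: "smtp.example.com", SMTP_PASSWORD: "placeholder-smtp-password",
  RUNTIME_PUBLIC_REGION: "eu-west-1", CRON_PUBLIC_BATCH_SIZE: "50",
  RUNTIME_ENV_WHITELIST_GLOBAL: "SMTP_HOST, ", RUNTIME_ENV_WHITELIST_CRON: "SMTP_PASSWORD",
};
console.log(auditExposure(sampleEnv));
```

Running an audit like this at startup or in CI catches a whitelist entry that hands a server-only secret to extension, cron or custom-service code.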
Optional — CORS
| Variable | Default | Description |
|---|---|---|
| CORS_ENABLED | true | Whether CORS headers are set |
| CORS_ORIGINS | (empty — blocks all) | Comma-separated allowed origins |
| CORS_METHODS | GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS | Allowed HTTP methods |
| CORS_ALLOWED_HEADERS | Content-Type, Authorization, Origin, X-Requested-With, Accept, X-Resource-Uri | Allowed request headers |
| CORS_EXPOSE_HEADERS | (empty) | Headers exposed to the client |
| CORS_ALLOW_CREDENTIALS | false | Set Access-Control-Allow-Credentials |
| CORS_MAX_AGE | 600 | Preflight cache duration in seconds |
See CORS for examples.
Optional — SMTP (Email)
SMTP can be configured via environment variables or via the Settings UI. Environment variables take precedence.
| Variable | Default | Description |
|---|---|---|
| SMTP_ENABLED | false | Enable SMTP email sending |
| SMTP_HOST | (empty) | SMTP server hostname |
| SMTP_PORT | 587 | SMTP port |
| SMTP_USER | (empty) | SMTP username |
| SMTP_PASSWORD | (empty) | SMTP password |
| SMTP_FROM_EMAIL | (empty) | Sender email address (SMTP_FROM accepted as alias) |
| SMTP_FROM_NAME | (empty) | Sender display name |
| SMTP_SECURE | false | true for SSL/TLS, false for STARTTLS |
| SMTP_IGNORE_TLS | false | Skip TLS entirely (not recommended in production) |
Security Notes
- Never commit .env.local to version control
- SUPABASE_SERVICE_ROLE_KEY grants full database access — keep it secret
- NEXT_PUBLIC_* variables are embedded in the browser bundle — never put secrets in them