Environment Variables & Production Configuration

This page lists the environment variables and configuration tips for production deployments.

Store all secrets in your provider's secret store (Vercel/Netlify/Cloudflare/Heroku) — never commit them to source control.

Required variables

  • SUPABASE_URL — Your Supabase project URL (https://xxxxx.supabase.co)
  • SUPABASE_ANON_KEY — Public anon key for client-side usage
  • SUPABASE_SERVICE_ROLE_KEY — Server-only key for privileged operations (keep server-side only)
  • NEXT_PUBLIC_VERCEL_URL or NEXT_PUBLIC_SITE_URL — Base site URL used for production links & canonical tags

Email / transactional provider

Or use a transactional API (SendGrid, Postmark, Mailgun) and place the API key in a secret variable.

Analytics & Monitoring (recommended)

  • NEXT_PUBLIC_SENTRY_DSN
  • NEXT_PUBLIC_GOOGLE_ANALYTICS_ID
  • LOGFLARE_API_KEY (optional)

PWA & Push / Notifications

  • VAPID_PUBLIC_KEY (for Web Push)
  • VAPID_PRIVATE_KEY (server-only)
  • ONE_SIGNAL_APP_ID (if using OneSignal)

Storage & CDN

  • NEXT_PUBLIC_IMAGE_DOMAINS — allowed external image hostnames (if using next/image)
  • CDN_BASE_URL — URL for your CDN in front of Supabase Storage (optional)

Runtime vs Build-time

  • NEXT_PUBLIC_* variables are embedded in the client bundle at build time and are visible to anyone who loads the site; use them for public keys only.
  • Non-NEXT_PUBLIC variables are server-only; ensure they are present for server functions like sending emails or signed uploads.
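
A pre-deploy check for the rule above, as an added example (not code from the original page): it flags missing required variables and any server-only secret that would end up in the client bundle through a NEXT_PUBLIC_ name. The function names, the sample values, and the assumption that the Supabase keys are JWTs carrying a "role" claim are this example's own.

```javascript
// Added example: pre-deploy environment check (Node.js, no dependencies).
const REQUIRED = ["SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY"];
const SERVER_ONLY = ["SUPABASE_SERVICE_ROLE_KEY", "VAPID_PRIVATE_KEY"];

// Assumption: keys are JWT-format Supabase keys whose payload has a "role" claim.
function jwtRole(value) {
  const parts = String(value).split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null; // not a JWT (for example a URL containing two dots)
  }
}

function checkEnv(env) {
  const problems = [];
  for (const name of REQUIRED) if (!env[name]) problems.push(`missing: ${name}`);
  if (!env.NEXT_PUBLIC_VERCEL_URL && !env.NEXT_PUBLIC_SITE_URL) {
    problems.push("missing: NEXT_PUBLIC_VERCEL_URL or NEXT_PUBLIC_SITE_URL");
  }
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith("NEXT_PUBLIC_") || !value) continue;
    // A server-only name re-exported with the public prefix lands in the bundle.
    if (SERVER_ONLY.includes(name.slice("NEXT_PUBLIC_".length))) {
      problems.push(`server-only variable exposed as ${name}`);
    }
    // Same value as a server-only secret, or a service_role JWT, under any public name.
    const copied = SERVER_ONLY.some((s) => env[s] && env[s] === value);
    if (copied || jwtRole(value) === "service_role") problems.push(`${name} carries a server-only secret`);
  }
  if (jwtRole(env.SUPABASE_ANON_KEY) === "service_role") {
    problems.push("SUPABASE_ANON_KEY holds a service_role key");
  }
  return problems;
}

// Constructed sample keys (unsigned, for illustration only).
function fakeKey(role) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ role })}.constructed-signature`;
}

// Constructed environment: the service key was also exported under a public name.
const sampleServiceKey = fakeKey("service_role");
console.log(checkEnv({
  SUPABASE_URL: "https://xxxxx.supabase.co", SUPABASE_ANON_KEY: fakeKey("anon"),
  SUPABASE_SERVICE_ROLE_KEY: sampleServiceKey, NEXT_PUBLIC_SITE_URL: "https://example.com",
  NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: sampleServiceKey,
}));
```

In CI, call checkEnv(process.env) before the build and fail the job when it returns any entries.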

Example Vercel settings

In the Vercel environment variables UI:

  • Add production variables (same names).
  • Enable Preview environments and set staging variables appropriately.
  • Use Vercel's secret storage for service keys.

Secrets rotation & security

  • Rotate service keys regularly and update the hosting environment.
  • Revoke old keys immediately if leaked.
  • Apply least-privilege on service-role keys: use them only in server code.

Local development

  • Use .env.local with a safe SUPABASE_ANON_KEY for dev. Create a separate Supabase project for development to avoid accidental production data changes.
