
Environment Variables

All secrets and configuration values are managed through environment variables. In development, use a .env file. In production, configure them in Vercel project settings.

Required Variables

Supabase

| Variable | Used By | Description |
|---|---|---|
| VITE_SUPABASE_URL | Frontend | Supabase project URL |
| VITE_SUPABASE_ANON_KEY | Frontend | Supabase anonymous key (public) |
| SUPABASE_URL | API functions | Supabase project URL (server-side) |
| SUPABASE_SERVICE_ROLE_KEY | API functions | Service role key (admin access, never exposed) |
| SUPABASE_ANON_KEY | API functions | Anon key for user-authenticated RPC calls |

Convex

| Variable | Used By | Description |
|---|---|---|
| VITE_CONVEX_URL | Frontend + API | Convex deployment URL |

Anthropic (AI Generation)

| Variable | Used By | Description |
|---|---|---|
| CLAUDE_API_KEY | API functions | Anthropic API key |
| ANTHROPIC_API_KEY | API functions | Fallback key name |

OpenAI (Embeddings)

| Variable | Used By | Description |
|---|---|---|
| OPENAI_API_KEY | API functions | OpenAI API key for embeddings |

Pinecone

| Variable | Used By | Description |
|---|---|---|
| PINECONE_API_KEY | API functions | Pinecone API key |
| PINECONE_INDEX | API functions | Primary index name (1536-dim) |
| PINECONE_INDEX_LARGE | API functions | Large index name (3072-dim) |

Resend (Email Delivery)

| Variable | Used By | Description |
|---|---|---|
| RESEND_API_KEY | API functions | Resend API key for email sending |

Optional Variables

AWS SES (Fallback Email)

| Variable | Used By | Description |
|---|---|---|
| AWS_ACCESS_KEY_ID | API functions | AWS credentials for SES |
| AWS_SECRET_ACCESS_KEY | API functions | AWS secret key |
| AWS_REGION | API functions | AWS region (e.g., us-east-1) |

Monitoring

| Variable | Used By | Description |
|---|---|---|
| SENTRY_DSN | API functions | Sentry error tracking DSN |

Telegram Notifications

| Variable | Used By | Description |
|---|---|---|
| TELEGRAM_BOT_TOKEN | API functions | Telegram bot token for admin notifications |
| TELEGRAM_CHAT_ID | API functions | Telegram chat ID for notifications |

Security Notes

  • Never commit .env files to version control
  • The SUPABASE_SERVICE_ROLE_KEY has full database access — only use server-side
  • VITE_ prefixed variables are exposed to the frontend bundle — never put secrets here
  • The SUPABASE_ANON_KEY is used in spendTokensServer() to create user-authenticated clients (not the service role key)
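
A pre-deploy check for the last three notes, as an added example that is not this project's own code: it flags any VITE_ name outside the three this page lists, and any VITE_ value or SUPABASE_ANON_KEY that carries a service_role claim. It assumes JWT-format Supabase keys whose payload has a `role` claim; the function names and the sample .env content are constructed for illustration.

```javascript
// Names this page documents as intended for the frontend bundle.
const PUBLIC_VARS = new Set(["VITE_SUPABASE_URL", "VITE_SUPABASE_ANON_KEY", "VITE_CONVEX_URL"]);

// Parse simple KEY=VALUE lines; comments and blank lines are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (m) env[m[1]] = m[2].replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

// Return the `role` claim of a JWT-shaped value, or null if it is not one.
// The signature is not verified: this only reads what the key says it is.
function jwtRole(value) {
  const parts = String(value).split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return payload.role ?? null;
  } catch {
    return null; // not base64url-encoded JSON (e.g. a URL with two dots)
  }
}

function auditEnv(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith("VITE_")) continue;
    if (jwtRole(value) === "service_role") findings.push(`service role key in bundle: ${name}`);
    if (!PUBLIC_VARS.has(name)) findings.push(`undocumented VITE_ variable: ${name}`);
  }
  if (jwtRole(env.SUPABASE_ANON_KEY) === "service_role")
    findings.push("SUPABASE_ANON_KEY holds a service role key");
  return findings;
}

// Constructed sample: fake unsigned tokens, no real credentials.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fakeKey = (role) => `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ role })}.constructed`;
const SAMPLE_ENV = [
  "# constructed sample .env",
  "VITE_SUPABASE_URL=https://example.supabase.co",
  `VITE_SUPABASE_ANON_KEY=${fakeKey("service_role")}`, // wrong key pasted in
  "VITE_CLAUDE_API_KEY=constructed-placeholder",       // secret behind VITE_
  `SUPABASE_ANON_KEY=${fakeKey("anon")}`,
].join("\n");
console.log(auditEnv(parseEnv(SAMPLE_ENV)));
```

An empty result means no VITE_ variable failed either check; it does not validate the keys themselves.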