Skip to main content

Environment Variables

All secrets and configuration values are managed through environment variables. In development, use a .env file. In production, configure them in Vercel project settings.

Required Variables

Supabase

VariableUsed ByDescription
VITE_SUPABASE_URLFrontendSupabase project URL
VITE_SUPABASE_ANON_KEYFrontendSupabase anonymous key (public)
SUPABASE_URLAPI functionsSupabase project URL (server-side)
SUPABASE_SERVICE_ROLE_KEYAPI functionsService role key (admin access, never exposed)
SUPABASE_ANON_KEYAPI functionsAnon key for user-authenticated RPC calls

Convex

VariableUsed ByDescription
VITE_CONVEX_URLFrontendConvex deployment URL (injected during build via convex deploy --cmd-url-env-var-name)
NEXT_PUBLIC_CONVEX_URLAPI functionsConvex deployment URL read by serverless functions (tracking, view-email, sends)
CONVEX_DEPLOY_KEYVercel buildAuthorizes convex deploy during the build

Anthropic (AI Generation)

VariableUsed ByDescription
CLAUDE_API_KEYAPI functionsAnthropic API key
ANTHROPIC_API_KEYAPI functionsFallback key name

OpenAI (Embeddings)

VariableUsed ByDescription
OPENAI_API_KEYAPI functionsOpenAI API key for embeddings
VariableUsed ByDescription
PINECONE_API_KEYAPI functionsPinecone API key
PINECONE_INDEX_NAME_V2API functionsPrimary RAG v2 index (text-embedding-3-large) — the only index queried by generation
PINECONE_INDEX_NAMEAPI functionsLegacy 1536-dim index (admin list/delete/stats routes)
PINECONE_INDEX_NAME_LARGEAPI functionsLegacy 3072-dim index (admin update/feedback routes)

Mailgun (Email Delivery — sole provider)

VariableUsed ByDescription
MAILGUN_APIAPI functionsMailgun API key
MAILGUN_WEBHOOK_SIGNING_KEYAPI functionsHMAC-SHA256 key for webhook signature verification
MAILGUN_DOMAINAPI functionsOptional override of the sending domain (defaults to kinetic.email)
MAILGUN_FROMAPI functionsOptional override of the from address (defaults to Kinetic Email <ai@kinetic.email>)

RESEND_API_KEY and EMAIL_FROM are dead — Resend is fully retired. Remove them from any environment that still has them.

Security & Privacy

VariableUsed ByDescription
IP_SALTAPI functionsSalt for hashing tracked IP addresses (min 16 chars); if missing, IPs are dropped from tracking events
UNSUB_TOKEN_SECRETAPI functionsHMAC secret for signed anonymous unsubscribe links
SIGNUP_WEBHOOK_SECRETAPI functionsShared secret authenticating the Supabase signup webhook (api/notify-signup.ts)

Optional Variables

Monitoring

VariableUsed ByDescription
VITE_SENTRY_DSNFrontendSentry error tracking DSN

Telegram Notifications

VariableUsed ByDescription
TELEGRAM_BOT_TOKENAPI functionsTelegram bot token for admin alerts (signups, errors)
TELEGRAM_CHAT_IDAPI functionsTelegram chat ID for alerts

Security Notes

  • Never commit .env files to version control
  • The SUPABASE_SERVICE_ROLE_KEY has full database access — only use server-side
  • VITE_ prefixed variables are exposed to the frontend bundle — never put secrets here
  • The SUPABASE_ANON_KEY is used in spendTokensServer() to create user-authenticated clients (not the service role key)