All secrets and configuration values are managed through environment variables. In development, use a .env file. In production, configure them in Vercel project settings.
Required Variables
Supabase
| Variable | Used By | Description |
|---|
VITE_SUPABASE_URL | Frontend | Supabase project URL |
VITE_SUPABASE_ANON_KEY | Frontend | Supabase anonymous key (public) |
SUPABASE_URL | API functions | Supabase project URL (server-side) |
SUPABASE_SERVICE_ROLE_KEY | API functions | Service role key (admin access, never exposed) |
SUPABASE_ANON_KEY | API functions | Anon key for user-authenticated RPC calls |
Convex
| Variable | Used By | Description |
|---|
VITE_CONVEX_URL | Frontend | Convex deployment URL (injected during build via convex deploy --cmd-url-env-var-name) |
NEXT_PUBLIC_CONVEX_URL | API functions | Convex deployment URL read by serverless functions (tracking, view-email, sends) |
CONVEX_DEPLOY_KEY | Vercel build | Authorizes convex deploy during the build |
Anthropic (AI Generation)
| Variable | Used By | Description |
|---|
CLAUDE_API_KEY | API functions | Anthropic API key |
ANTHROPIC_API_KEY | API functions | Fallback key name |
OpenAI (Embeddings)
| Variable | Used By | Description |
|---|
OPENAI_API_KEY | API functions | OpenAI API key for embeddings |
Pinecone (Vector Search)
| Variable | Used By | Description |
|---|
PINECONE_API_KEY | API functions | Pinecone API key |
PINECONE_INDEX_NAME_V2 | API functions | Primary RAG v2 index (text-embedding-3-large) — the only index queried by generation |
PINECONE_INDEX_NAME | API functions | Legacy 1536-dim index (admin list/delete/stats routes) |
PINECONE_INDEX_NAME_LARGE | API functions | Legacy 3072-dim index (admin update/feedback routes) |
Mailgun (Email Delivery — sole provider)
| Variable | Used By | Description |
|---|
MAILGUN_API | API functions | Mailgun API key |
MAILGUN_WEBHOOK_SIGNING_KEY | API functions | HMAC-SHA256 key for webhook signature verification |
MAILGUN_DOMAIN | API functions | Optional override of the sending domain (defaults to kinetic.email) |
MAILGUN_FROM | API functions | Optional override of the from address (defaults to Kinetic Email <ai@kinetic.email>) |
RESEND_API_KEY and EMAIL_FROM are dead — Resend is fully retired. Remove them from any environment that still has them.
Security & Privacy
| Variable | Used By | Description |
|---|
IP_SALT | API functions | Salt for hashing tracked IP addresses (min 16 chars); if missing, IPs are dropped from tracking events |
UNSUB_TOKEN_SECRET | API functions | HMAC secret for signed anonymous unsubscribe links |
SIGNUP_WEBHOOK_SECRET | API functions | Shared secret authenticating the Supabase signup webhook (api/notify-signup.ts) |
Optional Variables
Monitoring
| Variable | Used By | Description |
|---|
VITE_SENTRY_DSN | Frontend | Sentry error tracking DSN |
Telegram Notifications
| Variable | Used By | Description |
|---|
TELEGRAM_BOT_TOKEN | API functions | Telegram bot token for admin alerts (signups, errors) |
TELEGRAM_CHAT_ID | API functions | Telegram chat ID for alerts |
Security Notes
- Never commit
.env files to version control
- The
SUPABASE_SERVICE_ROLE_KEY has full database access — only use server-side
VITE_ prefixed variables are exposed to the frontend bundle — never put secrets here
- The
SUPABASE_ANON_KEY is used in spendTokensServer() to create user-authenticated clients (not the service role key)