Environment Variables
Create a .env file in the root of the project. The variables marked Required must be set before the app will start. All others are optional depending on which features you enable.
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Required | PostgreSQL connection string. e.g. postgresql://user:password@localhost:5432/mydb |
| NEXTAUTH_URL | Required | Canonical URL of your deployment. Must match the domain exactly. e.g. https://yourstore.com |
| NEXTAUTH_SECRET | Required | A random secret string used to sign session tokens. Generate one with: openssl rand -base64 32 e.g. your-random-secret |
| FORMBOLD_FORM_ID | Optional | Formbold form ID for the contact and demo request forms. Get one at formbold.com. |
| SENDGRID_API_KEY | Optional | SendGrid API key for transactional emails (order confirmations, password resets, welcome emails). |
| SENDGRID_FROM_EMAIL | Optional | The verified sender email address in your SendGrid account. e.g. [email protected] |
| STRIPE_PUBLISHABLE_KEY | Optional | Stripe publishable key (pk_live_... or pk_test_...). Only needed if using Stripe. |
| STRIPE_SECRET_KEY | Optional | Stripe secret key. Never expose this on the client. |
| STRIPE_WEBHOOK_SECRET | Optional | Stripe webhook signing secret (whsec_...). Required to verify incoming webhook events. |
| DO_SPACES_ENDPOINT | Optional | DigitalOcean Spaces endpoint URL. e.g. https://sfo3.digitaloceanspaces.com |
| DO_SPACES_CDN_ENDPOINT | Optional | CDN endpoint for serving media files. e.g. https://your-bucket.sfo3.cdn.digitaloceanspaces.com |
| DO_SPACES_REGION | Optional | DigitalOcean Spaces region. e.g. sfo3 |
| DO_SPACES_BUCKET | Optional | Name of your Spaces bucket. |
| DO_SPACES_FOLDER | Optional | Root folder within the bucket for this app's files. |
| DO_SPACES_KEY | Optional | Spaces access key ID. Generate under API → Spaces Keys in your DO account. |
| DO_SPACES_SECRET | Optional | Spaces secret access key. Shown only once at creation time. |
| NEXT_PUBLIC_SITE_URL | Optional | Public-facing site URL, used for canonical links and sitemap generation. e.g. https://yourstore.com |
Security Notes
- Never commit your .env file to version control. Ensure .env is in .gitignore.
- Admin API keys (Stripe secret, SendGrid) must only be used server-side. They are never accessed from client components.
- Rotate NEXTAUTH_SECRET immediately if it is ever exposed. Rotating it will invalidate all active sessions.
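
A startup check that applies the table and the notes above to a loaded environment. This is an added example, not code from the project: the checkEnv function, the 32-character minimum for NEXTAUTH_SECRET and the NEXT_PUBLIC_STRIPE_KEY name in the sample are assumptions made here.

```javascript
// Added example: variable names come from the table above; the 32-character
// minimum and NEXT_PUBLIC_STRIPE_KEY are assumptions of this sketch.
const REQUIRED = ["DATABASE_URL", "NEXTAUTH_URL", "NEXTAUTH_SECRET"];
const SERVER_ONLY = ["NEXTAUTH_SECRET", "SENDGRID_API_KEY", "STRIPE_SECRET_KEY",
  "STRIPE_WEBHOOK_SECRET", "DO_SPACES_SECRET"];

function checkEnv(env) {
  const problems = [];
  const has = (name) => typeof env[name] === "string" && env[name].trim() !== "";
  for (const name of REQUIRED) {
    if (!has(name)) problems.push(`${name} is required but not set`);
  }
  // Reject the documentation placeholder and very short secrets.
  if (has("NEXTAUTH_SECRET") &&
      (env.NEXTAUTH_SECRET === "your-random-secret" || env.NEXTAUTH_SECRET.length < 32)) {
    problems.push("NEXTAUTH_SECRET looks like a placeholder or is too short");
  }
  // Prefixes as given in the table: pk_live_/pk_test_ and whsec_.
  if (has("STRIPE_PUBLISHABLE_KEY") && !/^pk_(live|test)_/.test(env.STRIPE_PUBLISHABLE_KEY)) {
    problems.push("STRIPE_PUBLISHABLE_KEY does not start with pk_live_ or pk_test_");
  }
  if (has("STRIPE_WEBHOOK_SECRET") && !env.STRIPE_WEBHOOK_SECRET.startsWith("whsec_")) {
    problems.push("STRIPE_WEBHOOK_SECRET does not start with whsec_");
  }
  if (has("STRIPE_SECRET_KEY") && env.STRIPE_SECRET_KEY.startsWith("pk_")) {
    problems.push("STRIPE_SECRET_KEY holds a publishable key");
  }
  // Next.js inlines every NEXT_PUBLIC_* value into the browser bundle, so a
  // server-only secret must never appear under that prefix.
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    for (const secret of SERVER_ONLY) {
      if (has(secret) && value === env[secret]) {
        problems.push(`${name} exposes the value of ${secret} to the client`);
      }
    }
  }
  return problems;
}

// Constructed sample with two deliberate mistakes (no real credentials).
const sampleEnv = {
  DATABASE_URL: "postgresql://user:password@localhost:5432/mydb",
  NEXTAUTH_URL: "https://yourstore.com",
  NEXTAUTH_SECRET: "your-random-secret",
  STRIPE_SECRET_KEY: "constructed-stripe-secret",
  NEXT_PUBLIC_STRIPE_KEY: "constructed-stripe-secret",
};
console.log(checkEnv(sampleEnv));
```

Call checkEnv(process.env) from server-side startup code and refuse to start when the returned list is not empty.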