[ [0x10] Deployment ] Environment Variables

Environment Variables

> Complete guide to configuring all environment variables for development and production.

Overview

[ [0x10] STATUS ]

All variables validated at startup with Zod. Client-side variables use NEXT_PUBLIC_ prefix. Different values for dev/preview/production.

Features

[ [0x01] ZOD_VALIDATI ]

STATUS: READY

DESC: Type-safe at startup.

[ [0x02] SECRETS ]

STATUS: READY

DESC: Never commit .env.local.

[ [0x03] ENV_SPECIFIC ]

STATUS: READY

DESC: Dev/preview/production.

[ [0x04] REQUIRED ]

STATUS: READY

DESC: Database, auth, Stripe.

Setup

[ [0x01] COPY EXAMPLE ]

DESC: Start with the example environment file

1$cp .env.example .env.local

[ [0x02] GENERATE SECRET ]

DESC: Create a secure NEXTAUTH_SECRET for encrypting authentication cookies

1$openssl rand -base64 32
2
3$# Expected output:
4$# dGhpc2lzYXJhbmRvbWJhc2U2NGVuY29kZWRzdHJpbmc=
5$#
6$# Copy this entire output and paste it as NEXTAUTH_SECRET in your .env.local
7$# This encrypts user session cookies - keep it secret and never commit it to git

[ [0x03] CONFIGURE DATABASE ]

DESC: Set your actual PostgreSQL connection string from your database provider

1$# Replace with YOUR actual connection string from your database provider
2
3$# Supabase (pooler recommended for serverless):
4$DATABASE_URL="postgresql://postgres.abcdefghij:[YOUR_PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres?pgbouncer=true"
5
6$# Neon (pooler with SSL):
7$DATABASE_URL="postgresql://user:password@ep-cool-name-123456-pooler.us-east-2.aws.neon.tech/dbname?sslmode=require"
8
9$# Railway (direct connection):
10$DATABASE_URL="postgresql://postgres:password@containers-us-west-123.railway.app:5432/railway"

[ [0x04] ADD SERVICES ]

DESC: Configure Stripe, email, and OAuth providers

Usage

[ [0xEA] REQUIRED VARIABLES ]

These must be set for the application to function

1$# .env.local
2
3$# Database - Replace with YOUR actual PostgreSQL connection string
4$# Get this from your database provider's dashboard (Supabase, Neon, or Railway)
5$DATABASE_URL="postgresql://postgres.abcdefghij:[YOUR_PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres?pgbouncer=true"
6
7$# NextAuth - Authentication
8$NEXTAUTH_URL="http://localhost:3000"  # Your app URL (use your production domain for prod)
9$NEXTAUTH_SECRET="your-32-character-secret-here"  # Generate with: openssl rand -base64 32
10
11$# App URL (used for links in emails, redirects, etc.)
12$NEXT_PUBLIC_APP_URL="http://localhost:3000"

[ [0x88] AUTHENTICATION ]

Configure OAuth providers

1$# Google OAuth (optional - enables Google login)
2$GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
3$GOOGLE_CLIENT_SECRET="your-client-secret"
4
5$# Setup:
6$# 1. Go to https://console.cloud.google.com/apis/credentials
7$# 2. Create OAuth 2.0 Client ID
8$# 3. Add redirect URI:
9$#    - Dev: http://localhost:3000/api/auth/callback/google
10$#    - Prod: https://your-domain.com/api/auth/callback/google

[ [0xB6] EMAIL (RESEND) ]

Configure email sending

1$# Resend API Key
2$RESEND_API_KEY="re_..."
3
4$# From address (must be from verified domain)
5$EMAIL_FROM="noreply@your-domain.com"
6
7$# Setup:
8$# 1. Sign up at https://resend.com
9$# 2. Verify your domain
10$# 3. Create API key
11$# 4. Add DNS records for domain verification

[ [0xA0] STRIPE PAYMENTS ]

Configure payment processing with Stripe

1$# Stripe API Keys (get from https://dashboard.stripe.com/test/apikeys)
2$STRIPE_SECRET_KEY="sk_test_..."           # Server-side only (never expose to browser)
3$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="pk_test_..."  # Client-side safe (can be in browser)
4
5$# Stripe Webhook Secret (get from stripe listen command or Stripe Dashboard)
6$STRIPE_WEBHOOK_SECRET="whsec_..."
7
8$# Product Lookup Key (NOT a price ID)
9$# Create in Stripe Dashboard: Products → Your Product → Pricing → Lookup key field
10$# Lookup keys let you change prices in Stripe without updating code
11$NEXT_PUBLIC_STRIPE_PRICE_FABRK="fabrk_purchase"  # This is a lookup key, not price_1234567890
12
13$# Optional: Promotion code for early adopters ($100 off)
14$STRIPE_COUPON_EARLY_ADOPTER="promo_1SVGK4P7kSSEYWlXBq1LtaNM"  # Promotion Code ID from Stripe Dashboard
15
16$# Development vs Production:
17$# Development (test mode):
18$#   - sk_test_... and pk_test_...
19$#   - Test with card 4242 4242 4242 4242
20$#
21$# Production (live mode):
22$#   - sk_live_... and pk_live_...
23$#   - Real credit cards, real money
24
25$# Test webhooks locally:
26$# Install Stripe CLI: brew install stripe/stripe-cli/stripe
27$# Then run: stripe listen --forward-to localhost:3000/api/webhooks/stripe

[ [0x9B] ANALYTICS (OPTIONAL) ]

Track user behavior and metrics

1$# PostHog Analytics
2$NEXT_PUBLIC_POSTHOG_KEY="phc_..."
3$NEXT_PUBLIC_POSTHOG_HOST="https://app.posthog.com"
4
5$# Setup:
6$# 1. Sign up at https://posthog.com
7$# 2. Create project
8$# 3. Copy API key from Project Settings
9
10$# Google Analytics (alternative)
11$NEXT_PUBLIC_GA_MEASUREMENT_ID="G-..."

[ [0x3A] ENVIRONMENT VALIDATION ]

All variables validated at startup in src/lib/env.ts

1// src/lib/env.ts
2import { z } from "zod";
3
4const serverSchema = z.object({
5  DATABASE_URL: z.string().url(),
6  NEXTAUTH_SECRET: z.string().min(32),
7  STRIPE_SECRET_KEY: z.string().startsWith("sk_").optional(),
8});
9
10const clientSchema = z.object({
11  NEXT_PUBLIC_APP_URL: z.string().url(),
12  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: z.string().startsWith("pk_").optional(),
13});
14
15// Validates at startup - fails loudly if invalid
16/* eslint-disable no-process-env -- This is showing users HOW to set up env.ts */
17export const env = {
18  server: serverSchema.parse(process.env),
19  client: clientSchema.parse({
20    NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
21    NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY:
22      process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY,
23  }),
24};
25/* eslint-enable no-process-env */
26
27// Usage in code:
28import { env } from "@/lib/env";
29
30const dbUrl = env.server.DATABASE_URL;  // Type-safe!
31const appUrl = env.client.NEXT_PUBLIC_APP_URL;

[ [0x7E] ENVIRONMENT-SPECIFIC CONFIGURATION ]

Use different values for different environments

1$# Development (.env.local)
2$NODE_ENV="development"
3$NEXTAUTH_URL="http://localhost:3000"
4$STRIPE_SECRET_KEY="sk_test_..."
5$DATABASE_URL="postgresql://localhost:5432/fabrk_dev"
6
7$# Preview (Vercel Preview Environment)
8$NODE_ENV="production"
9$NEXTAUTH_URL="https://preview.your-domain.vercel.app"
10$STRIPE_SECRET_KEY="sk_test_..."  # Still use test keys
11$DATABASE_URL="postgresql://...preview-db..."
12
13$# Production (Vercel Production Environment)
14$NODE_ENV="production"
15$NEXTAUTH_URL="https://your-domain.com"
16$STRIPE_SECRET_KEY="sk_live_..."  # Live keys!
17$DATABASE_URL="postgresql://...production-db..."

[ [0x9D] COMPLETE EXAMPLE ]

Full development environment setup

1$# .env.local - Complete Development Setup
2
3$# Core
4$NODE_ENV="development"
5$DATABASE_URL="postgresql://postgres:password@localhost:5432/fabrk"
6$NEXT_PUBLIC_APP_URL="http://localhost:3000"
7
8$# Auth
9$NEXTAUTH_URL="http://localhost:3000"
10$NEXTAUTH_SECRET="your-32-character-development-secret"
11$GOOGLE_CLIENT_ID="your-google-client-id"
12$GOOGLE_CLIENT_SECRET="your-google-client-secret"
13
14$# Email
15$RESEND_API_KEY="re_test_..."
16$EMAIL_FROM="dev@your-domain.com"
17
18$# Payments
19$STRIPE_SECRET_KEY="sk_test_..."
20$STRIPE_WEBHOOK_SECRET="whsec_test_..."
21$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="pk_test_..."
22$NEXT_PUBLIC_STRIPE_PRICE_STARTER="price_..."
23$NEXT_PUBLIC_STRIPE_PRICE_PROFESSIONAL="price_..."
24
25$# Analytics (optional)
26$NEXT_PUBLIC_POSTHOG_KEY="phc_..."
27$NEXT_PUBLIC_POSTHOG_HOST="https://app.posthog.com"

Key Points

[ [0x1C] KEY POINTS ]

├─ All variables are validated at startup with Zod

├─ Client-side variables must start with NEXT_PUBLIC_

├─ Never commit .env.local to version control

└─ Use different values for dev/preview/production

Security Best Practices

[ [0x40] SECURITY ]

├─ Never commit secrets - Add .env.local to .gitignore

├─ Rotate secrets regularly - Especially after team changes

├─ Use separate keys - Different keys for dev/staging/prod

├─ Limit access - Use least-privilege API keys when possible

└─ Monitor usage - Check Stripe/Resend dashboards for anomalies

Next Steps

[ [0x00] DATABASE SETUP ]

DESC: Set up production PostgreSQL

[ [0x00] DEPLOY TO VERCEL ]

DESC: Deploy your configured application

Setup

[ [0x01] COPY EXAMPLE ]

DESC: Start with the example environment file

1$cp .env.example .env.local

[ [0x02] GENERATE SECRET ]

DESC: Create a secure NEXTAUTH_SECRET for encrypting authentication cookies

1$openssl rand -base64 32
2
3$# Expected output:
4$# dGhpc2lzYXJhbmRvbWJhc2U2NGVuY29kZWRzdHJpbmc=
5$#
6$# Copy this entire output and paste it as NEXTAUTH_SECRET in your .env.local
7$# This encrypts user session cookies - keep it secret and never commit it to git

[ [0x03] CONFIGURE DATABASE ]

DESC: Set your actual PostgreSQL connection string from your database provider

1$# Replace with YOUR actual connection string from your database provider
2
3$# Supabase (pooler recommended for serverless):
4$DATABASE_URL="postgresql://postgres.abcdefghij:[YOUR_PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres?pgbouncer=true"
5
6$# Neon (pooler with SSL):
7$DATABASE_URL="postgresql://user:password@ep-cool-name-123456-pooler.us-east-2.aws.neon.tech/dbname?sslmode=require"
8
9$# Railway (direct connection):
10$DATABASE_URL="postgresql://postgres:password@containers-us-west-123.railway.app:5432/railway"

[ [0x04] ADD SERVICES ]

DESC: Configure Stripe, email, and OAuth providers

Usage

[ [0xEA] REQUIRED VARIABLES ]

These must be set for the application to function

1$# .env.local
2
3$# Database - Replace with YOUR actual PostgreSQL connection string
4$# Get this from your database provider's dashboard (Supabase, Neon, or Railway)
5$DATABASE_URL="postgresql://postgres.abcdefghij:[YOUR_PASSWORD]@aws-0-us-west-1.pooler.supabase.com:6543/postgres?pgbouncer=true"
6
7$# NextAuth - Authentication
8$NEXTAUTH_URL="http://localhost:3000"  # Your app URL (use your production domain for prod)
9$NEXTAUTH_SECRET="your-32-character-secret-here"  # Generate with: openssl rand -base64 32
10
11$# App URL (used for links in emails, redirects, etc.)
12$NEXT_PUBLIC_APP_URL="http://localhost:3000"

[ [0x88] AUTHENTICATION ]

Configure OAuth providers

1$# Google OAuth (optional - enables Google login)
2$GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
3$GOOGLE_CLIENT_SECRET="your-client-secret"
4
5$# Setup:
6$# 1. Go to https://console.cloud.google.com/apis/credentials
7$# 2. Create OAuth 2.0 Client ID
8$# 3. Add redirect URI:
9$#    - Dev: http://localhost:3000/api/auth/callback/google
10$#    - Prod: https://your-domain.com/api/auth/callback/google

[ [0xB6] EMAIL (RESEND) ]

Configure email sending

1$# Resend API Key
2$RESEND_API_KEY="re_..."
3
4$# From address (must be from verified domain)
5$EMAIL_FROM="noreply@your-domain.com"
6
7$# Setup:
8$# 1. Sign up at https://resend.com
9$# 2. Verify your domain
10$# 3. Create API key
11$# 4. Add DNS records for domain verification

[ [0xA0] STRIPE PAYMENTS ]

Configure payment processing with Stripe

1$# Stripe API Keys (get from https://dashboard.stripe.com/test/apikeys)
2$STRIPE_SECRET_KEY="sk_test_..."           # Server-side only (never expose to browser)
3$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="pk_test_..."  # Client-side safe (can be in browser)
4
5$# Stripe Webhook Secret (get from stripe listen command or Stripe Dashboard)
6$STRIPE_WEBHOOK_SECRET="whsec_..."
7
8$# Product Lookup Key (NOT a price ID)
9$# Create in Stripe Dashboard: Products → Your Product → Pricing → Lookup key field
10$# Lookup keys let you change prices in Stripe without updating code
11$NEXT_PUBLIC_STRIPE_PRICE_FABRK="fabrk_purchase"  # This is a lookup key, not price_1234567890
12
13$# Optional: Promotion code for early adopters ($100 off)
14$STRIPE_COUPON_EARLY_ADOPTER="promo_1SVGK4P7kSSEYWlXBq1LtaNM"  # Promotion Code ID from Stripe Dashboard
15
16$# Development vs Production:
17$# Development (test mode):
18$#   - sk_test_... and pk_test_...
19$#   - Test with card 4242 4242 4242 4242
20$#
21$# Production (live mode):
22$#   - sk_live_... and pk_live_...
23$#   - Real credit cards, real money
24
25$# Test webhooks locally:
26$# Install Stripe CLI: brew install stripe/stripe-cli/stripe
27$# Then run: stripe listen --forward-to localhost:3000/api/webhooks/stripe

[ [0x9B] ANALYTICS (OPTIONAL) ]

Track user behavior and metrics

1$# PostHog Analytics
2$NEXT_PUBLIC_POSTHOG_KEY="phc_..."
3$NEXT_PUBLIC_POSTHOG_HOST="https://app.posthog.com"
4
5$# Setup:
6$# 1. Sign up at https://posthog.com
7$# 2. Create project
8$# 3. Copy API key from Project Settings
9
10$# Google Analytics (alternative)
11$NEXT_PUBLIC_GA_MEASUREMENT_ID="G-..."

[ [0x3A] ENVIRONMENT VALIDATION ]

All variables validated at startup in src/lib/env.ts

1// src/lib/env.ts
2import { z } from "zod";
3
4const serverSchema = z.object({
5  DATABASE_URL: z.string().url(),
6  NEXTAUTH_SECRET: z.string().min(32),
7  STRIPE_SECRET_KEY: z.string().startsWith("sk_").optional(),
8});
9
10const clientSchema = z.object({
11  NEXT_PUBLIC_APP_URL: z.string().url(),
12  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: z.string().startsWith("pk_").optional(),
13});
14
15// Validates at startup - fails loudly if invalid
16/* eslint-disable no-process-env -- This is showing users HOW to set up env.ts */
17export const env = {
18  server: serverSchema.parse(process.env),
19  client: clientSchema.parse({
20    NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
21    NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY:
22      process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY,
23  }),
24};
25/* eslint-enable no-process-env */
26
27// Usage in code:
28import { env } from "@/lib/env";
29
30const dbUrl = env.server.DATABASE_URL;  // Type-safe!
31const appUrl = env.client.NEXT_PUBLIC_APP_URL;

[ [0x7E] ENVIRONMENT-SPECIFIC CONFIGURATION ]

Use different values for different environments

1$# Development (.env.local)
2$NODE_ENV="development"
3$NEXTAUTH_URL="http://localhost:3000"
4$STRIPE_SECRET_KEY="sk_test_..."
5$DATABASE_URL="postgresql://localhost:5432/fabrk_dev"
6
7$# Preview (Vercel Preview Environment)
8$NODE_ENV="production"
9$NEXTAUTH_URL="https://preview.your-domain.vercel.app"
10$STRIPE_SECRET_KEY="sk_test_..."  # Still use test keys
11$DATABASE_URL="postgresql://...preview-db..."
12
13$# Production (Vercel Production Environment)
14$NODE_ENV="production"
15$NEXTAUTH_URL="https://your-domain.com"
16$STRIPE_SECRET_KEY="sk_live_..."  # Live keys!
17$DATABASE_URL="postgresql://...production-db..."

[ [0x9D] COMPLETE EXAMPLE ]

Full development environment setup

1$# .env.local - Complete Development Setup
2
3$# Core
4$NODE_ENV="development"
5$DATABASE_URL="postgresql://postgres:password@localhost:5432/fabrk"
6$NEXT_PUBLIC_APP_URL="http://localhost:3000"
7
8$# Auth
9$NEXTAUTH_URL="http://localhost:3000"
10$NEXTAUTH_SECRET="your-32-character-development-secret"
11$GOOGLE_CLIENT_ID="your-google-client-id"
12$GOOGLE_CLIENT_SECRET="your-google-client-secret"
13
14$# Email
15$RESEND_API_KEY="re_test_..."
16$EMAIL_FROM="dev@your-domain.com"
17
18$# Payments
19$STRIPE_SECRET_KEY="sk_test_..."
20$STRIPE_WEBHOOK_SECRET="whsec_test_..."
21$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY="pk_test_..."
22$NEXT_PUBLIC_STRIPE_PRICE_STARTER="price_..."
23$NEXT_PUBLIC_STRIPE_PRICE_PROFESSIONAL="price_..."
24
25$# Analytics (optional)
26$NEXT_PUBLIC_POSTHOG_KEY="phc_..."
27$NEXT_PUBLIC_POSTHOG_HOST="https://app.posthog.com"

Security Best Practices

[ [0x40] SECURITY ]

├─ Never commit secrets - Add .env.local to .gitignore

├─ Rotate secrets regularly - Especially after team changes

├─ Use separate keys - Different keys for dev/staging/prod

├─ Limit access - Use least-privilege API keys when possible

└─ Monitor usage - Check Stripe/Resend dashboards for anomalies