Environment variables reference
Complete reference for .env variables. See .env.example in the repository for copy-paste templates.
Database
| Variable | Required | Description |
|---|---|---|
| `DATABASE_URL` | Yes | PostgreSQL connection string |
Site
| Variable | Required | Description |
|---|---|---|
| `NEXT_PUBLIC_SITE_URL` | Recommended | Canonical public URL |
Auth
| Variable | Required | Description |
|---|---|---|
| `AUTH_SECRET` | Yes | Session signing secret |
| `AUTH_TRUST_HOST` | Production | Set true on Vercel |
| `ADMIN_PASSWORD` | Seed | Initial admin password |
| `RESEARCHER_PASSWORD` | Seed | Researcher seed password |

| Variable | Description |
|---|---|
| `RESEND_API_KEY` | Resend API key |
| `EMAIL_FROM` | Default sender address |
reCAPTCHA v3
| Variable | Description |
|---|---|
| `NEXT_PUBLIC_RECAPTCHA_SITE_KEY` | Google reCAPTCHA v3 site key (public) |
| `RECAPTCHA_SECRET_KEY` | Google reCAPTCHA v3 secret key |
| `RECAPTCHA_MIN_SCORE` | Minimum score threshold (default 0.5) |
When keys are omitted, verification is skipped (local development). In production, set both keys to protect public forms.
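Because missing reCAPTCHA keys silently skip verification, a production deploy with one or both keys unset leaves public forms unprotected. The following preflight check is an added example, not code from this project; `checkEnv` is a hypothetical helper, detecting production via `NODE_ENV` is an assumption, and requiring `AUTH_TRUST_HOST=true` in every production environment is stricter than the table's "Set true on Vercel".

```javascript
// Added example: preflight check for the variables documented above.
// Assumption: production is detected via NODE_ENV (not specified on this page).
function checkEnv(env) {
  const problems = [];
  const isSet = (name) =>
    typeof env[name] === "string" && env[name].trim() !== "";
  const production = env.NODE_ENV === "production";

  // Rows marked "Required: Yes".
  for (const name of ["DATABASE_URL", "AUTH_SECRET"]) {
    if (!isSet(name)) problems.push(`${name} is required`);
  }

  // Row marked "Required: Production" (assumed to apply to any production host).
  if (production && env.AUTH_TRUST_HOST !== "true") {
    problems.push("AUTH_TRUST_HOST must be true in production");
  }

  // reCAPTCHA: a half-configured pair is always a mistake; an empty pair
  // is only acceptable outside production, where verification is skipped.
  const site = isSet("NEXT_PUBLIC_RECAPTCHA_SITE_KEY");
  const secret = isSet("RECAPTCHA_SECRET_KEY");
  if (site !== secret) {
    problems.push("reCAPTCHA: set both site key and secret key, not just one");
  } else if (!site && production) {
    problems.push("reCAPTCHA keys missing in production: verification would be skipped");
  }

  // reCAPTCHA v3 scores range from 0.0 to 1.0.
  if (isSet("RECAPTCHA_MIN_SCORE")) {
    const score = Number(env.RECAPTCHA_MIN_SCORE);
    if (!Number.isFinite(score) || score < 0 || score > 1) {
      problems.push("RECAPTCHA_MIN_SCORE must be a number between 0 and 1");
    }
  }
  return problems;
}

// Constructed sample: a production environment with no reCAPTCHA keys.
const sampleEnv = {
  NODE_ENV: "production",
  DATABASE_URL: "postgresql://user:pass@db.example.invalid:5432/app",
  AUTH_SECRET: "constructed-sample-value",
  AUTH_TRUST_HOST: "true",
};
console.log(checkEnv(sampleEnv));
```

Run it at startup or in CI against the deployment environment and fail the build when the returned list is non-empty.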
Newsletter (Mailchimp)
| Variable | Description |
|---|---|
| `MAILCHIMP_API_KEY` | API key with datacenter suffix |
| `MAILCHIMP_AUDIENCE_ID` | Audience ID |
| `MAILCHIMP_DOUBLE_OPT_IN` | "true" when enabled |
Stripe
| Variable | Description |
|---|---|
| `STRIPE_SECRET_KEY` | Secret key |
| `NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY` | Publishable key |
| `STRIPE_WEBHOOK_SECRET` | Webhook signing secret |
Research & AI
| Variable | Description |
|---|---|
| `OPENAI_API_KEY` | OpenAI API key |
| `OPENAI_MODEL` | Model id (default gpt-4o-mini) |
| `RESEARCH_ADMIN_EMAIL` | Admin notification inbox |
| `CRON_SECRET` | Bearer token for cron routes |
| `EVENT_QUEUE_DISABLED` | "true" disables async queue |
Export storage (S3-compatible)
| Variable | Description |
|---|---|
| `EXPORT_S3_BUCKET` | Bucket name |
| `EXPORT_S3_THRESHOLD_BYTES` | Min size for S3 (default 512 KB) |
| `AWS_REGION` | Region |
| `AWS_ACCESS_KEY_ID` | Access key |
| `AWS_SECRET_ACCESS_KEY` | Secret key |
| `EXPORT_S3_ENDPOINT` | Custom endpoint (R2, MinIO) |
| `EXPORT_S3_FORCE_PATH_STYLE` | "true" for path-style URLs |
Maintenance
| Variable | Description |
|---|---|
| `MAINTENANCE_MODE` | "true" enables maintenance page |
| `MAINTENANCE_MESSAGE` | Custom user-facing message |
| `MAINTENANCE_BYPASS_SECRET` | Preview bypass query param secret |
Rotation checklist
When rotating secrets:
- Update value in hosting provider
- Redeploy if needed (Vercel picks up env changes on next deploy)
- For `AUTH_SECRET`, all users will be signed out
- For Stripe webhook secret, update Stripe dashboard and env together