
Configuration & Environment Variables

Configuration is via environment variables. Public values (prefixed NEXT_PUBLIC_) are safe for the browser; everything else is server-only. Values are never committed.

#Purpose

Give developers the public-safe list of configuration variables and their purpose (names only, never values).

#Architecture

The Next.js app, the agent service, and Supabase each have their own environment. Public variables are exposed to the browser; secret variables (service-role key, AI keys, integration and encryption keys) are server-side only.

A licensing mode selects the billing model: one_time (default) uses marketing-site checkout with CEO activation by emailed link; subscription is a dormant rollback option.

#How it works

1. Set per environment: Each service reads its own environment variables.
2. Public vs secret: Only NEXT_PUBLIC_ values reach the browser.
3. Shared secrets match: The agent-service secret and encryption keys must match across services.
4. Select behavior: LICENSING_MODE and EMAIL_PROVIDER switch key behaviors.

#Reference

#Public (browser-safe)

| Variable | Purpose |
| --- | --- |
| NEXT_PUBLIC_SUPABASE_URL | Supabase project URL |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Anon key (RLS protects data) |
| NEXT_PUBLIC_APP_URL | Public app URL |
| NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY | Stripe publishable key |

#Server-only (names only — never expose values)

| Variable | Purpose |
| --- | --- |
| SUPABASE_SERVICE_ROLE_KEY | Bypasses RLS; trusted server use only |
| ANTHROPIC_API_KEY | AI provider access |
| AGENT_SERVICE_URL / AGENT_SERVICE_SECRET | Agent-service address & shared secret |
| WP_CRED_ENCRYPTION_KEY | Encrypts WordPress credentials (pgcrypto) |
| INTEGRATION_SECRET_KEY | Encrypts integration secrets |
| EMAIL_PROVIDER / EMAIL_FROM / RESEND_API_KEY | Email foundation |
| STRIPE_SECRET_KEY / STRIPE_WEBHOOK_SECRET | Stripe server + webhook verification |
| LICENSING_MODE | one_time (default) or subscription (rollback) |

#Implementation notes

  • Encryption keys and the agent-service secret must be identical across the app and agent service.
  • Generate strong secrets (for example with openssl rand -base64 32).
  • The default email provider is none, so no email is sent until configured.
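
A deploy-time check for the rules above, as an added example that is not DevSphere OS code; it reports variable names only and never prints values. Assumptions: the `resend` provider string, that the agent service shares both listed encryption keys, the `checkConfig` name, and all sample values (constructed).

```javascript
// Added example, not project code. Reports variable names only, never values.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";
const SERVER_ONLY = ["SUPABASE_SERVICE_ROLE_KEY", "ANTHROPIC_API_KEY", "AGENT_SERVICE_SECRET",
  "WP_CRED_ENCRYPTION_KEY", "INTEGRATION_SECRET_KEY", "RESEND_API_KEY",
  "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"];
// Assumption: the agent service shares both encryption keys listed in the reference table.
const SHARED = ["AGENT_SERVICE_SECRET", "WP_CRED_ENCRYPTION_KEY", "INTEGRATION_SECRET_KEY"];

function checkConfig(appEnv, agentEnv) {
  const problems = [];
  // Index secret values so a copy under a public name is caught as well as a misnamed key.
  const secretByValue = new Map();
  for (const name of SERVER_ONLY) if (appEnv[name]) secretByValue.set(appEnv[name], name);
  for (const [name, value] of Object.entries(appEnv)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue;
    if (SERVER_ONLY.includes(name.slice(PUBLIC_PREFIX.length))) {
      problems.push(`${name}: server-only name carries the public prefix`);
    } else if (secretByValue.has(value)) {
      problems.push(`${name}: same value as server-only ${secretByValue.get(value)}`);
    }
  }
  // Shared secrets must be present on both sides and identical.
  for (const name of SHARED) {
    if (!appEnv[name] || !agentEnv[name]) problems.push(`${name}: missing in app or agent service`);
    else if (appEnv[name] !== agentEnv[name]) problems.push(`${name}: differs between app and agent service`);
  }
  // Behavior switches, with the defaults the page states.
  const licensing = appEnv.LICENSING_MODE || "one_time";
  if (!["one_time", "subscription"].includes(licensing)) problems.push("LICENSING_MODE: expected one_time or subscription");
  const email = appEnv.EMAIL_PROVIDER || "none";
  // Assumption: "resend" is the string that selects the Resend provider.
  if (email === "resend" && !appEnv.RESEND_API_KEY) {
    problems.push("RESEND_API_KEY: required when EMAIL_PROVIDER is resend");
  }
  return { licensing, email, problems };
}
// Constructed sample environments (not real values).
const sampleApp = {
  NEXT_PUBLIC_SUPABASE_URL: "https://project.example",
  NEXT_PUBLIC_STRIPE_SECRET_KEY: "constructed-stripe-value",
  AGENT_SERVICE_SECRET: "constructed-secret-A",
  WP_CRED_ENCRYPTION_KEY: "constructed-key-1",
  INTEGRATION_SECRET_KEY: "constructed-key-2",
  EMAIL_PROVIDER: "resend",
};
const sampleAgent = { AGENT_SERVICE_SECRET: "constructed-secret-B", WP_CRED_ENCRYPTION_KEY: "constructed-key-1" };
console.log(checkConfig(sampleApp, sampleAgent).problems.join("\n"));
```

Run it in CI against each environment's variables and fail the deploy when `problems` is non-empty.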

#Limitations

Known limitations

  • SMTP transport is a stub; use Resend as the working provider.
  • Subscription licensing is dormant; one_time is the default model.

#Security considerations

Security

  • Never commit real values; environment files are gitignored.
  • Keep the service-role key and encryption keys server-side only.
  • Rotate secrets periodically and after exposure.

#Best practices

  • Use a secrets manager per environment.
  • Keep public and secret variables clearly separated.
  • Document only names, never values.
