Configuration & Environment Variables
Configuration is via environment variables. Public values (prefixed NEXT_PUBLIC_) are safe for the browser; everything else is server-only. Values are never committed.
#Purpose
#Architecture
The Next.js app, the agent service, and Supabase each have their own environment. Public variables are exposed to the browser; secret variables (service-role key, AI keys, integration and encryption keys) are server-side only.
A licensing mode selects the billing model: one_time (default) uses marketing-site checkout with CEO activation by emailed link; subscription is a dormant rollback option.
#How it works
- Set per environment
- Public vs secret
- Shared secrets match
- Select behavior
#Reference
#Public (browser-safe)
| Variable | Purpose |
|---|---|
| NEXT_PUBLIC_SUPABASE_URL | Supabase project URL |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Anon key (RLS protects data) |
| NEXT_PUBLIC_APP_URL | Public app URL |
| NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY | Stripe publishable key |
#Server-only (names only — never expose values)
| Variable | Purpose |
|---|---|
| SUPABASE_SERVICE_ROLE_KEY | Bypasses RLS; trusted server use only |
| ANTHROPIC_API_KEY | AI provider access |
| AGENT_SERVICE_URL / AGENT_SERVICE_SECRET | Agent-service address & shared secret |
| WP_CRED_ENCRYPTION_KEY | Encrypts WordPress credentials (pgcrypto) |
| INTEGRATION_SECRET_KEY | Encrypts integration secrets |
| EMAIL_PROVIDER / EMAIL_FROM / RESEND_API_KEY | Email foundation |
| STRIPE_SECRET_KEY / STRIPE_WEBHOOK_SECRET | Stripe server + webhook verification |
| LICENSING_MODE | one_time (default) or subscription (rollback) |
#Implementation notes
- Encryption keys and the agent-service secret must be identical across the app and agent service.
- Generate strong secrets (for example with openssl rand -base64 32).
- The default email provider is none, so no email is sent until configured.
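A pre-deploy check for the rules above and the public/secret split in the reference tables, as an added example rather than DevSphere OS code. The function name auditEnv, the allowlist approach, the 32-byte minimum, and the assumption that secrets are base64-encoded are illustrative choices, not documented behavior.

```javascript
// Added example: variable names come from the reference tables; thresholds are assumptions.
const PUBLIC_ALLOWED = new Set([
  "NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY",
  "NEXT_PUBLIC_APP_URL", "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY",
]);
// Values that must be identical in the app and the agent service.
const SHARED = ["AGENT_SERVICE_SECRET", "WP_CRED_ENCRYPTION_KEY", "INTEGRATION_SECRET_KEY"];
const LICENSING_MODES = ["one_time", "subscription"];
const MIN_SECRET_BYTES = 32; // assumption, matches `openssl rand -base64 32`

// Returns a list of findings; reports variable names only, never values.
function auditEnv(appEnv, agentEnv) {
  const findings = [];
  for (const name of Object.keys(appEnv)) {
    // Anything prefixed NEXT_PUBLIC_ reaches the browser, so it must be on the allowlist.
    if (name.startsWith("NEXT_PUBLIC_") && !PUBLIC_ALLOWED.has(name)) {
      findings.push(`${name}: unexpected browser-exposed variable`);
    }
  }
  for (const name of SHARED) {
    const a = appEnv[name], b = agentEnv[name];
    if (!a || !b) findings.push(`${name}: missing in app or agent service`);
    else if (a !== b) findings.push(`${name}: differs between app and agent service`);
    else if (Buffer.from(a, "base64").length < MIN_SECRET_BYTES) {
      findings.push(`${name}: shorter than ${MIN_SECRET_BYTES} bytes`);
    }
  }
  const mode = appEnv.LICENSING_MODE || "one_time"; // one_time is the default
  if (!LICENSING_MODES.includes(mode)) findings.push("LICENSING_MODE: unknown mode");
  return findings;
}

// Constructed sample environments (placeholder values, not real secrets).
const strong = Buffer.alloc(32, 7).toString("base64");
const sampleApp = {
  NEXT_PUBLIC_APP_URL: "https://app.example.test",
  NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: "placeholder", // mistake: secret given a public prefix
  AGENT_SERVICE_SECRET: strong,
  WP_CRED_ENCRYPTION_KEY: strong,
  INTEGRATION_SECRET_KEY: "c2hvcnQ=", // base64 of "short"
  LICENSING_MODE: "trial",
};
const sampleAgent = {
  AGENT_SERVICE_SECRET: strong,
  WP_CRED_ENCRYPTION_KEY: Buffer.alloc(32, 9).toString("base64"),
  INTEGRATION_SECRET_KEY: "c2hvcnQ=",
};
console.log(auditEnv(sampleApp, sampleAgent).join("\n"));
```

Run it in CI against the real environments by passing the two loaded environment objects instead of the samples; a non-empty result should fail the deploy.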
#Limitations
- SMTP transport is a stub; use Resend as the working provider.
- Subscription licensing is dormant; one_time is the default model.
#Security considerations
- Never commit real values; environment files are gitignored.
- Keep the service-role key and encryption keys server-side only.
- Rotate secrets periodically and after exposure.
#Best practices
- Use a secrets manager per environment.
- Keep public and secret variables clearly separated.
- Document only names, never values.