Configuration & Environment Setup
This page defines runtime configuration for local, staging, and production environments.
Environment Variable Catalog
Core Runtime
NODE_ENV=development
NEXTAUTH_URL=http://localhost:3000
NEXTAUTH_SECRET=<required>
Google OAuth
GOOGLE_CLIENT_ID=<required>
GOOGLE_CLIENT_SECRET=<required>
Database
DATABASE_URL=postgresql://<user>:<password>@<host>:5432/<db>
DATABASE_SSL=false
Media Storage
CLOUDINARY_CLOUD_NAME=<required>
CLOUDINARY_API_KEY=<required>
CLOUDINARY_API_SECRET=<required>
Payments
STRIPE_SECRET_KEY=<required>
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=<required>
STRIPE_WEBHOOK_SECRET=<required>
Admin Bootstrap
ADMIN_EMAILS=admin1@example.com,admin2@example.com
Auth Configuration Notes
- NEXTAUTH_URL must match deployed origin exactly.
- Google OAuth redirect URI must match auth callback path.
- Rotate NEXTAUTH_SECRET and OAuth secrets in production on schedule.
Database Connection And SSL
- Use least-privilege database credentials.
- Enable SSL in production unless a private trusted network explicitly allows otherwise.
- Keep migration execution identity separate from read-only consumers.
Image And Media Configuration
- Restrict supported MIME types and upload size.
- Enforce transformation presets for predictable rendering.
- Validate remote URLs before persisting admin-managed assets.
Payment Provider Configuration
- Use Stripe test keys in non-production environments.
- Verify webhook signature with STRIPE_WEBHOOK_SECRET.
- Keep success/cancel URLs environment-specific.
Build And Runtime Flags
- Keep feature flags centralized in environment or admin settings.
- Document default values and rollout behavior for every flag.
Configuration Review Checklist
- All required variables are set.
- Secrets are not committed to source control.
- Stage-specific values are documented.
- Admin bootstrap addresses are current.
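The checklist and the notes above can be enforced at startup or in CI. The following is an added example, not code from this project: validateConfig, its expectedOrigin and allowPlaintextDb options, and all sample values are assumptions made for illustration. The Stripe checks rely on Stripe's key prefixes (sk_test_, rk_test_, pk_test_).

```javascript
// Added example: variable names come from the catalog above; validateConfig is hypothetical.
const REQUIRED = [
  "NEXTAUTH_URL", "NEXTAUTH_SECRET", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
  "DATABASE_URL", "CLOUDINARY_CLOUD_NAME", "CLOUDINARY_API_KEY", "CLOUDINARY_API_SECRET",
  "STRIPE_SECRET_KEY", "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY", "STRIPE_WEBHOOK_SECRET",
  "ADMIN_EMAILS",
];

function validateConfig(env, { expectedOrigin, allowPlaintextDb = false } = {}) {
  const errors = [];
  const isProd = env.NODE_ENV === "production";
  // All required variables are set; template placeholders like <required> count as unset.
  for (const name of REQUIRED) {
    const value = (env[name] || "").trim();
    if (!value || /^<.*>$/.test(value)) errors.push(`${name} is missing or a placeholder`);
  }
  // NEXTAUTH_URL must match the deployed origin exactly (scheme, host and port).
  try {
    const origin = new URL(env.NEXTAUTH_URL).origin;
    if (expectedOrigin && origin !== expectedOrigin)
      errors.push(`NEXTAUTH_URL origin does not equal ${expectedOrigin}`);
  } catch {
    errors.push("NEXTAUTH_URL is not a valid URL");
  }
  // SSL in production unless the caller explicitly opts out (private trusted network).
  if (isProd && env.DATABASE_SSL !== "true" && !allowPlaintextDb)
    errors.push("DATABASE_SSL must be true in production");
  // Stripe test keys in non-production environments.
  if (!isProd && !/^(sk|rk)_test_/.test(env.STRIPE_SECRET_KEY || ""))
    errors.push("STRIPE_SECRET_KEY must be a test key outside production");
  if (!isProd && !/^pk_test_/.test(env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY || ""))
    errors.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY must be a test key outside production");
  // ADMIN_EMAILS is comma-separated; every entry must at least look like an address.
  for (const addr of (env.ADMIN_EMAILS || "").split(",").map((s) => s.trim()))
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(addr)) errors.push("ADMIN_EMAILS has a malformed entry");
  return errors; // messages name variables only, never secret values
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  NODE_ENV: "production", NEXTAUTH_URL: "https://shop.example.com",
  NEXTAUTH_SECRET: "constructed", GOOGLE_CLIENT_ID: "constructed", GOOGLE_CLIENT_SECRET: "constructed",
  DATABASE_URL: "postgresql://app:constructed@db.internal:5432/shop", DATABASE_SSL: "false",
  CLOUDINARY_CLOUD_NAME: "constructed", CLOUDINARY_API_KEY: "constructed", CLOUDINARY_API_SECRET: "constructed",
  STRIPE_SECRET_KEY: "sk_live_constructed", NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: "pk_live_constructed",
  STRIPE_WEBHOOK_SECRET: "whsec_constructed", ADMIN_EMAILS: "admin1@example.com,admin2@example.com",
};
console.log(validateConfig(sampleEnv, { expectedOrigin: "https://shop.example.com" }));
```

Failing the build or refusing to start when the returned list is non-empty keeps a copied template or a staging value from reaching production unnoticed.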