Legend

| Column | Description |
| --- | --- |
| Service | Which service(s) use this variable: migrator, seeder, app, portal |
| Phase | build = Docker build arg, runtime = loaded from env file at startup |
| Required | required-minimal = needed for basic deployment, conditional = needed for specific features, optional = safe to omit |

Minimal Required Variables

These variables are required for a functional Docker deployment:

| Name | Service(s) | Phase | Notes |
| --- | --- | --- | --- |
| DATABASE_URL | migrator, seeder, app, portal | runtime | PostgreSQL connection string with ?sslmode=require |
| AUTH_SECRET | app | runtime | 32-byte base64 secret for auth. Generate: openssl rand -base64 32 |
| SECRET_KEY | app | runtime | Encryption key for sensitive data. Generate: openssl rand -base64 32 |
| BETTER_AUTH_URL | app, portal | runtime | Base URL for Better Auth (app or portal’s public URL) |
| NEXT_PUBLIC_BETTER_AUTH_URL | app, portal | build | Public auth URL (same as BETTER_AUTH_URL) |
| BETTER_AUTH_SECRET | portal | runtime | Portal-specific auth secret. Generate: openssl rand -base64 32 |
| RESEND_API_KEY | app, portal | runtime | Resend API key for email |
| TRIGGER_SECRET_KEY | app | runtime | Trigger.dev project secret key |
| REVALIDATION_SECRET | app | runtime | Random string for revalidation. Generate: openssl rand -base64 16 |
| NEXT_PUBLIC_PORTAL_URL | app | build | Public URL of the portal (e.g., https://portal.yourdomain.com) |

All Variables by Category

Database

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| DATABASE_URL | migrator, seeder, app, portal | runtime | required-minimal | Format: postgresql://user:pass@host:5432/db?sslmode=require |

Authentication

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| AUTH_SECRET | app | runtime | required-minimal | Main app auth secret |
| SECRET_KEY | app | runtime | required-minimal | Encryption key for sensitive data |
| BETTER_AUTH_URL | app, portal | runtime | required-minimal | Base URL for auth |
| BETTER_AUTH_SECRET | portal | runtime | required-minimal | Portal auth secret |
| NEXT_PUBLIC_BETTER_AUTH_URL | app, portal | build | required-minimal | Public auth URL for client code |
| AUTH_GOOGLE_ID | app | runtime | conditional | Google OAuth client ID |
| AUTH_GOOGLE_SECRET | app | runtime | conditional | Google OAuth client secret |
| AUTH_GITHUB_ID | app | runtime | optional | GitHub OAuth client ID |
| AUTH_GITHUB_SECRET | app | runtime | optional | GitHub OAuth client secret |

Email

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| RESEND_API_KEY | app, portal | runtime | required-minimal | Resend API key for transactional email |
| RESEND_DOMAIN | portal | runtime | optional | Custom domain for sending emails |

Workflows (Trigger.dev)

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| TRIGGER_SECRET_KEY | app | runtime | required-minimal | Trigger.dev project secret |
| REVALIDATION_SECRET | app | runtime | required-minimal | Server-side revalidation secret |

AWS S3 Storage

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| APP_AWS_ACCESS_KEY_ID | app, portal | runtime | conditional | AWS access key |
| APP_AWS_SECRET_ACCESS_KEY | app, portal | runtime | conditional | AWS secret key |
| APP_AWS_REGION | app, portal | runtime | conditional | AWS region (e.g., us-east-1) |
| APP_AWS_BUCKET_NAME | app, portal | runtime | conditional | General file storage bucket |
| APP_AWS_ORG_ASSETS_BUCKET | app | runtime | conditional | Organization logos, compliance certs |
| APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET | app | runtime | conditional | Security questionnaire uploads |
| APP_AWS_KNOWLEDGE_BASE_BUCKET | app | runtime | conditional | Knowledge base documents |

AWS S3 variables are required for file upload features (attachments, logos, questionnaires). Without them, these features will fail.

AI Providers

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| OPENAI_API_KEY | app | runtime | conditional | OpenAI API key for AI features |
| ANTHROPIC_API_KEY | app | runtime | optional | Anthropic API key (alternative models) |
| GROQ_API_KEY | app | runtime | optional | Groq API key for dashboard chat |
| FIRECRAWL_API_KEY | app | runtime | conditional | Firecrawl for vendor research |

Rate Limiting & Caching (Upstash)

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| UPSTASH_REDIS_REST_URL | app | runtime | optional | Upstash Redis URL for rate limiting |
| UPSTASH_REDIS_REST_TOKEN | app | runtime | optional | Upstash Redis token |
| UPSTASH_VECTOR_REST_URL | app | runtime | optional | Upstash Vector for embeddings |
| UPSTASH_VECTOR_REST_TOKEN | app | runtime | optional | Upstash Vector token |

Analytics & Tracking

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| NEXT_PUBLIC_POSTHOG_KEY | app, portal | build | optional | PostHog project key |
| NEXT_PUBLIC_POSTHOG_HOST | app, portal | build | optional | PostHog host (e.g., /ingest) |
| NEXT_PUBLIC_GTM_ID | app | build | optional | Google Tag Manager container ID |
| NEXT_PUBLIC_LINKEDIN_PARTNER_ID | app | build | optional | LinkedIn Insight Tag partner ID |
| NEXT_PUBLIC_LINKEDIN_CONVERSION_ID | app | build | optional | LinkedIn conversion ID |
| NEXT_PUBLIC_GOOGLE_ADS_CONVERSION_LABEL | app | build | optional | Google Ads conversion label |
| GA4_API_SECRET | app | runtime | optional | GA4 Measurement Protocol secret |
| GA4_MEASUREMENT_ID | app | runtime | optional | GA4 Measurement ID |

Vercel (Trust Portal Domains)

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| VERCEL_ACCESS_TOKEN | app | runtime | conditional | Vercel API token for portal domains |
| VERCEL_TEAM_ID | app | runtime | conditional | Vercel team ID |
| VERCEL_PROJECT_ID | app | runtime | conditional | Vercel project ID |
| NEXT_PUBLIC_VERCEL_URL | app | build | optional | Vercel deployment URL |

MDM (Fleet)

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| FLEET_URL | app | runtime | conditional | Fleet MDM server URL |
| FLEET_TOKEN | app | runtime | conditional | Fleet API token |

Miscellaneous

| Name | Service(s) | Phase | Required | Notes |
| --- | --- | --- | --- | --- |
| NEXT_PUBLIC_API_URL | app | build | optional | Override API base URL |
| NEXT_OUTPUT_STANDALONE | app | runtime | optional | Set true for AWS/Docker deployments |
| SLACK_SALES_WEBHOOK | app | runtime | optional | Slack webhook for sales notifications |
| DUB_API_KEY | app | runtime | optional | Dub.co link shortener API key |
| DUB_REFER_URL | app | runtime | optional | Dub.co referral URL |

Example Minimal Configuration

DATABASE_URL="postgresql://user:pass@host:5432/comp?sslmode=require"
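
A pre-deploy check for an env file against the Minimal Required Variables table, as an added example that is not part of the original page or the project's code. The names `parseEnv` and `checkEnv`, the minimum byte sizes (taken from the `openssl rand -base64 N` hints) and the secret-like name pattern are assumptions made here.

```javascript
// Added example, not project code. REQUIRED mirrors the Minimal Required Variables table.
const REQUIRED = ["DATABASE_URL", "AUTH_SECRET", "SECRET_KEY", "BETTER_AUTH_URL",
  "NEXT_PUBLIC_BETTER_AUTH_URL", "BETTER_AUTH_SECRET", "RESEND_API_KEY",
  "TRIGGER_SECRET_KEY", "REVALIDATION_SECRET", "NEXT_PUBLIC_PORTAL_URL"];
// Assumption: minimum decoded size follows the page's `openssl rand -base64 N` hints.
const SECRET_BYTES = { AUTH_SECRET: 32, SECRET_KEY: 32, BETTER_AUTH_SECRET: 32, REVALIDATION_SECRET: 16 };

// Constructed sample (no real credentials): short AUTH_SECRET, no sslmode.
const SAMPLE = `
DATABASE_URL="postgresql://user:pass@host:5432/comp"
AUTH_SECRET=${Buffer.alloc(8, 1).toString("base64")}
SECRET_KEY=${Buffer.alloc(32, 2).toString("base64")}
`;

// Parse KEY=VALUE lines; skip blanks and comments, strip one pair of quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    env[line.slice(0, eq).trim()] =
      line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

// Return a list of human-readable problems; an empty list means the file passes.
function checkEnv(env) {
  const problems = [];
  for (const name of REQUIRED) if (!env[name]) problems.push(`${name}: missing`);
  for (const [name, min] of Object.entries(SECRET_BYTES))
    if (env[name] && Buffer.from(env[name], "base64").length < min)
      problems.push(`${name}: decodes to fewer than ${min} bytes`);
  if (env.DATABASE_URL) {
    let mode = null;
    try { mode = new URL(env.DATABASE_URL).searchParams.get("sslmode"); } catch { /* unparsable URL */ }
    if (mode !== "require") problems.push("DATABASE_URL: sslmode=require not set");
  }
  if (env.BETTER_AUTH_URL && env.NEXT_PUBLIC_BETTER_AUTH_URL &&
      env.BETTER_AUTH_URL !== env.NEXT_PUBLIC_BETTER_AUTH_URL)
    problems.push("NEXT_PUBLIC_BETTER_AUTH_URL: differs from BETTER_AUTH_URL");
  // NEXT_PUBLIC_* values are inlined into client code at build time.
  for (const name of Object.keys(env))
    if (name.startsWith("NEXT_PUBLIC_") && /SECRET|TOKEN|PASSWORD/.test(name))
      problems.push(`${name}: secret-like name in a public build variable`);
  return problems;
}
console.log(checkEnv(parseEnv(SAMPLE)).join("\n"));
```

Running it in CI before the image build catches a missing or weak secret before the container starts with it.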