Configuration
Environment Variables
Configuring the Envault server
Server Configuration
These environment variables are required to run the Envault server (Next.js app).
Required Variables
| Variable | Description | Example |
|---|---|---|
| NEXT_PUBLIC_SUPABASE_URL | The URL of your Supabase project. | https://xyz.supabase.co |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | The anonymous public key for Supabase. | eyJhbGcis... |
| SUPABASE_SERVICE_ROLE_KEY | The secret service role key. Security-critical. | eyJhbGcis... |
| ENCRYPTION_KEY | 32-byte hex string used as the Master Key. | a1b2c3d4... |
| NEXT_PUBLIC_APP_URL | Public app URL used in links/callbacks/emails. | https://envault.tech |
Recommended Variables
| Variable | Description | Example |
|---|---|---|
| UPSTASH_REDIS_REST_URL | Upstash Redis REST URL for cache-backed permission and metadata lookups. | https://...upstash.io |
| UPSTASH_REDIS_REST_TOKEN | Upstash Redis REST token paired with the URL above. | AXXXXXXXXX |
| NEXT_PUBLIC_API_SIGNATURE_SALT | HMAC secret used to verify mutation request signatures (x-signature, x-timestamp). | change-this-in-production |
| ENVAULT_AGENT_SECRET | JWT signing secret for delegated agent tokens (envault_agt_...). | super-random-agent-jwt-secret |
| ENVAULT_SESSION_KEY_SECRET | Backend verifier key for approval signature checks. | super-random-session-signing-secret |
| ENVAULT_SDK_MIN_SUPPORTED_VERSION | Minimum SDK version accepted by server compatibility checks. | 1.0.0 |
| GOOGLE_GENERATIVE_AI_API_KEY | API key for /api/agent/chat model orchestration. | AIza... |
| ENVAULT_AGENT_MODEL | AI model name used by /api/agent/chat. | gemini-1.5-flash |
| CRON_SECRET | Bearer token expected by /api/cron/digest for authenticated digest email jobs. | super-long-random-secret |
Optional Variables
| Variable | Description | Default |
|---|---|---|
| RESEND_API_KEY | Resend API key for sending application emails. | Not set |
| EMAIL_DOMAIN | Sender domain for system emails (team@..., security@..., etc.). | mail.envault.tech |
| PORT | Runtime port for local/server process startup. | Platform default |
| NODE_ENV | Runtime mode for framework behavior and development-only fallbacks. | development |
GitHub Integration Variables (Optional)
If you enable GitHub integration, add the following:
| Variable | Description | Example |
|---|---|---|
| NEXT_PUBLIC_GITHUB_APP_NAME | GitHub App slug name | envault |
| ENVAULT_GITHUB_APP_CLIENT_ID | GitHub App client ID | Iv1.xxxxx |
| ENVAULT_GITHUB_APP_PRIVATE_KEY | GitHub App private key (single-line, \n escaped) | "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----" |
| ENVAULT_GITHUB_WEBHOOK_SECRET | Secret to verify GitHub webhook signatures | whsec_xxxxx |
Supabase Edge Function Variables (If You Use Scheduled Jobs)
These are used by Supabase Edge Functions and should be configured in the Supabase project environment, not just the Next.js app:
| Variable | Description |
|---|---|
| ACCOUNT_DELETION_CRON_SECRET | Secret checked by process-account-deletions Edge Function (x-cron-secret header). |
| ROTATE_KEYS_CRON_SECRET | Secret checked by rotate-keys Edge Function (x-cron-secret header). |
Generating Keys
To generate a secure ENCRYPTION_KEY, use:
openssl rand -hex 32

or

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
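A pre-deploy check for the variables documented above, as an added example that is not part of Envault's own code: it verifies the ENCRYPTION_KEY format, rejects the example values from the tables, and flags server secrets whose value also sits in a NEXT_PUBLIC_ variable. The function name validateEnv, the SERVER_SECRETS grouping and the 32-character minimum are assumptions made for this example.

```javascript
// Added example, not Envault code. MIN_SECRET_LEN is an assumed policy.
const REQUIRED = ['NEXT_PUBLIC_SUPABASE_URL', 'NEXT_PUBLIC_SUPABASE_ANON_KEY',
  'SUPABASE_SERVICE_ROLE_KEY', 'ENCRYPTION_KEY', 'NEXT_PUBLIC_APP_URL'];
const SERVER_SECRETS = ['SUPABASE_SERVICE_ROLE_KEY', 'ENCRYPTION_KEY',
  'ENVAULT_AGENT_SECRET', 'ENVAULT_SESSION_KEY_SECRET', 'CRON_SECRET',
  'ENVAULT_GITHUB_WEBHOOK_SECRET'];
// Example values printed in the tables above; they must never be deployed.
const DOC_PLACEHOLDERS = new Set(['change-this-in-production',
  'super-random-agent-jwt-secret', 'super-random-session-signing-secret',
  'super-long-random-secret']);
const MIN_SECRET_LEN = 32;

function validateEnv(env) {
  const errors = [];
  for (const name of REQUIRED) {
    if (!env[name]) errors.push(`${name}: missing`);
  }
  // `openssl rand -hex 32` prints 32 bytes as 64 hex characters.
  if (env.ENCRYPTION_KEY && !/^[0-9a-f]{64}$/i.test(env.ENCRYPTION_KEY)) {
    errors.push('ENCRYPTION_KEY: must be exactly 64 hex characters');
  }
  // Next.js inlines NEXT_PUBLIC_* values into the browser bundle, so a
  // server secret that shares a value with one of them is exposed.
  const publicValues = new Map();
  for (const [name, value] of Object.entries(env)) {
    if (!value) continue;
    if (name.startsWith('NEXT_PUBLIC_')) publicValues.set(value, name);
    if (DOC_PLACEHOLDERS.has(value)) errors.push(`${name}: documentation placeholder`);
  }
  for (const name of SERVER_SECRETS) {
    const value = env[name];
    if (!value) continue;
    if (value.length < MIN_SECRET_LEN) errors.push(`${name}: shorter than ${MIN_SECRET_LEN} characters`);
    if (publicValues.has(value)) errors.push(`${name}: same value as ${publicValues.get(value)}`);
  }
  return errors;
}

// Constructed sample with three mistakes; no value here is real.
const SAMPLE_ENV = {
  NEXT_PUBLIC_SUPABASE_URL: 'https://example.supabase.co',
  NEXT_PUBLIC_SUPABASE_ANON_KEY: 'constructed-jwt-'.repeat(3),
  SUPABASE_SERVICE_ROLE_KEY: 'constructed-jwt-'.repeat(3), // pasted into both
  ENCRYPTION_KEY: 'a1b2c3d4'.repeat(4), // 32 hex chars, only 16 bytes
  NEXT_PUBLIC_APP_URL: 'https://app.example.test',
  CRON_SECRET: 'super-long-random-secret', // copied from the docs
};
console.log(validateEnv(SAMPLE_ENV).join('\n'));
```

Call validateEnv(process.env) before the server starts and abort the deploy when the returned list is non-empty.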