Envault

Production Deployment

Deploying Envault to Vercel, Railway, or your own infrastructure

Envault is designed to be easily deployable to any platform that supports Next.js (Node.js).

Environment Variables

Before deploying, ensure you have the following environment variables configured in your production environment:

| Variable | Description | Required |
| --- | --- | --- |
| NEXT_PUBLIC_SUPABASE_URL | Your Supabase Project URL | Yes |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Your Supabase Anon Key | Yes |
| SUPABASE_SERVICE_ROLE_KEY | Supabase Service Role Key (for Admin tasks) | Yes |
| ENCRYPTION_KEY | 32-byte hex string for Master Key | Yes |
| NEXT_PUBLIC_APP_URL | Public app URL used in callbacks and email links (e.g. https://envault.app) | Yes |
| NEXT_PUBLIC_API_SIGNATURE_SALT | HMAC secret used to verify mutation signatures | Strongly recommended |
| UPSTASH_REDIS_REST_URL | Upstash Redis REST URL for cache-backed access checks and metadata caching | Strongly recommended |
| UPSTASH_REDIS_REST_TOKEN | Token for UPSTASH_REDIS_REST_URL | Strongly recommended |
| CRON_SECRET | Secret used by /api/cron/digest email digest endpoint | For notification digests |
| ACCOUNT_DELETION_CRON_SECRET | Secret header validation for process-account-deletions Edge Function | Yes (recommended for production) |
| ROTATE_KEYS_CRON_SECRET | Secret header validation for rotate-keys Edge Function | Yes (recommended for production) |
| ENVAULT_GITHUB_APP_CLIENT_ID | GitHub App Client ID | For GitHub Integration |
| ENVAULT_GITHUB_APP_PRIVATE_KEY | RSA private key, single-line \n-escaped | For GitHub Integration |
| ENVAULT_GITHUB_WEBHOOK_SECRET | Secret to verify GitHub webhook payloads | For GitHub Integration |
| NEXT_PUBLIC_GITHUB_APP_NAME | Your GitHub App's slug name | For GitHub Integration |
| RESEND_API_KEY | Resend key for transactional + digest emails | For email delivery |
| EMAIL_DOMAIN | Sender domain for outgoing emails | Optional (defaults to mail.envault.tech) |

Never check your SUPABASE_SERVICE_ROLE_KEY or ENCRYPTION_KEY into version control. Always set them in your deployment platform's dashboard.
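
A pre-deploy check for the variables listed above, as an added example that is not part of Envault's own code. The function name checkEnv, the reading of "32-byte hex string" as 64 hex characters, the low-variety key heuristic, and the rule that each cron secret must be distinct are assumptions made for this example.

```javascript
const REQUIRED = [
  'NEXT_PUBLIC_SUPABASE_URL', 'NEXT_PUBLIC_SUPABASE_ANON_KEY', 'SUPABASE_SERVICE_ROLE_KEY',
  'ENCRYPTION_KEY', 'NEXT_PUBLIC_APP_URL', 'ACCOUNT_DELETION_CRON_SECRET', 'ROTATE_KEYS_CRON_SECRET',
];
const CRON_SECRETS = ['CRON_SECRET', 'ACCOUNT_DELETION_CRON_SECRET', 'ROTATE_KEYS_CRON_SECRET'];

function checkEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    if (!(env[name] || '').trim()) problems.push(`${name}: missing`);
  }
  const key = env.ENCRYPTION_KEY || '';
  // Assumption: "32-byte hex string" means 32 bytes encoded as 64 hex characters.
  if (key && !/^[0-9a-f]{64}$/i.test(key)) {
    problems.push('ENCRYPTION_KEY: expected 64 hex characters');
  } else if (key && new Set(key.toLowerCase()).size < 8) {
    // Heuristic added for this example: a random key uses nearly all 16 hex digits.
    problems.push('ENCRYPTION_KEY: looks non-random');
  }
  const url = env.NEXT_PUBLIC_APP_URL || '';
  if (url) {
    let parsed = null;
    try { parsed = new URL(url); } catch { /* reported below */ }
    if (!parsed || parsed.protocol !== 'https:') {
      problems.push('NEXT_PUBLIC_APP_URL: must be an absolute https:// URL');
    }
  }
  // Assumed rule: one secret per scheduled endpoint, so a single leak does not unlock all jobs.
  const seen = new Map();
  for (const name of CRON_SECRETS) {
    const value = env[name];
    if (!value) continue;
    if (seen.has(value)) problems.push(`${name}: same value as ${seen.get(value)}`);
    else seen.set(value, name);
  }
  const pem = env.ENVAULT_GITHUB_APP_PRIVATE_KEY;
  // The variable list asks for a single line with "\n" escapes, not real newlines.
  if (pem && /[\r\n]/.test(pem)) {
    problems.push('ENVAULT_GITHUB_APP_PRIVATE_KEY: contains raw newlines');
  } else if (pem && !/^-----BEGIN [A-Z ]*PRIVATE KEY-----\\n/.test(pem)) {
    problems.push('ENVAULT_GITHUB_APP_PRIVATE_KEY: not an escaped PEM');
  }
  return problems;
}

// Constructed sample values, not real credentials; in a deploy pipeline pass process.env.
const sampleEnv = { ENCRYPTION_KEY: 'changeme', NEXT_PUBLIC_APP_URL: 'http://localhost:3000' };
console.log(checkEnv(sampleEnv).join('\n'));
```

Run it as a build step and fail the deploy when the returned list is non-empty.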

Deployment Providers

Deploy to Vercel

Vercel is the creator of Next.js and offers a seamless deployment experience.

  1. Push your code to a Git repository (GitHub, GitLab, Bitbucket).
  2. Import the project into Vercel.
  3. Add the Environment Variables listed above.
  4. Click Deploy.

Docker Build

You can containerize Envault using the standard Next.js Dockerfile.

FROM node:18-alpine AS base

# Install dependencies only when needed
FROM base AS deps
WORKDIR /app
COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
RUN npm ci

# Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
RUN npm run build

# Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app
ENV NODE_ENV=production
COPY --from=builder /app/public ./public
COPY --from=builder /app/.next/standalone ./
COPY --from=builder /app/.next/static ./.next/static

EXPOSE 3000
CMD ["node", "server.js"]

Build and run:

docker build -t envault .
docker run -p 3000:3000 --env-file .env.production envault

Deploy to Railway

Railway requires zero configuration for Next.js apps.

  1. Connect your GitHub repository.
  2. Railway will automatically detect the package.json and build command.
  3. Go to Variables and add the required environment variables.
  4. Deployment will trigger automatically.

Post-Deployment Checklist

  • HTTPS: Ensure your domain is serving over HTTPS.
  • Database Backups: Enable Point-in-Time Recovery (PITR) on Supabase.
  • Key Backup: Securely back up your ENCRYPTION_KEY in a password manager. If you lose this, all data is lost.

Required Scheduled Jobs

Configure these recurring jobs after deploy:

  1. Email Digest Cron (/api/cron/digest)
     • Send authenticated GET requests with Authorization: Bearer <CRON_SECRET>.
  2. Account Deletion Purge (supabase/functions/v1/process-account-deletions)
     • Trigger daily with x-cron-secret: <ACCOUNT_DELETION_CRON_SECRET>.
  3. Key Rotation / Scavenger (supabase/functions/v1/rotate-keys)
     • Trigger with x-cron-secret: <ROTATE_KEYS_CRON_SECRET> on your desired cadence.

For Supabase-hosted schedules, use the SQL migration templates under supabase/migrations and replace the placeholder cron secrets before applying in production.