
Overview

Environment variables are set in apps/web/.env.local for local development and in Vercel project settings for production. Edge Function secrets are managed separately via the Supabase CLI.
Never commit .env.local or any file containing secret keys to version control. The .gitignore is configured to exclude these files.

Variable Reference

Supabase

| Variable | Type | Required | Description |
|---|---|---|---|
| NEXT_PUBLIC_SUPABASE_URL | Public | Yes | Supabase project URL (https://hcyyegiialkkjcdxpfat.supabase.co) |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Public | Yes | Supabase anonymous/public API key |
| SUPABASE_SERVICE_ROLE_KEY | Secret | Yes | Service role key for admin operations (bypasses RLS) |

NEXT_PUBLIC_ prefixed variables are exposed to the browser. Never put secret keys in NEXT_PUBLIC_ variables.

Stripe Billing

| Variable | Type | Required | Description |
|---|---|---|---|
| STRIPE_SECRET_KEY | Secret | Yes | Stripe API secret key |
| NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY | Public | Yes | Stripe publishable key for client-side Elements |
| STRIPE_WEBHOOK_SECRET | Secret | Yes | Webhook endpoint signing secret (whsec_...) |

Application

| Variable | Type | Required | Description |
|---|---|---|---|
| NEXT_PUBLIC_APP_URL | Public | Yes | Base URL of the app (http://localhost:3000 locally, https://app.securatlas.com in production) |

AI

| Variable | Type | Required | Description |
|---|---|---|---|
| ANTHROPIC_API_KEY | Secret | Yes | Anthropic Claude API key for evidence classification |

ANTHROPIC_API_KEY must only be used server-side. It is never sent to the client. All AI calls go through Server Actions or Edge Functions.

Integration OAuth

| Variable | Type | Required | Description |
|---|---|---|---|
| INTEGRATION_STATE_SECRET | Secret | Yes | Secret for signing OAuth state parameters (CSRF protection) |
| GOOGLE_CLIENT_ID | Secret | Yes | Google OAuth client ID for Google Workspace integration |
| GOOGLE_CLIENT_SECRET | Secret | Yes | Google OAuth client secret |
| INTEGRATION_REDIRECT_URI | Secret | Yes | OAuth callback URL for Azure AD / generic integrations |
| GWS_REDIRECT_URI | Secret | Yes | OAuth callback URL for Google Workspace integration |

Redirect URIs must exactly match what is configured in the provider's OAuth app settings (Azure Portal, Google Cloud Console). Mismatches cause silent OAuth failures.

Edge Function Secrets

Edge Functions use a separate secrets store managed via the Supabase CLI:

```bash
# Set a secret
supabase secrets set ANTHROPIC_API_KEY=sk-ant-...

# List all secrets
supabase secrets list

# Unset a secret
supabase secrets unset ANTHROPIC_API_KEY
```

Edge Functions automatically have access to:
  • SUPABASE_URL
  • SUPABASE_ANON_KEY
  • SUPABASE_SERVICE_ROLE_KEY
  • SUPABASE_DB_URL
Additional secrets must be set explicitly.

Local Development Setup

```bash
# apps/web/.env.local
NEXT_PUBLIC_SUPABASE_URL=https://hcyyegiialkkjcdxpfat.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ...
SUPABASE_SERVICE_ROLE_KEY=eyJ...

NEXT_PUBLIC_APP_URL=http://localhost:3000

STRIPE_SECRET_KEY=sk_test_...
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...

ANTHROPIC_API_KEY=sk-ant-...

INTEGRATION_STATE_SECRET=random-32-char-string
GOOGLE_CLIENT_ID=123456789.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
INTEGRATION_REDIRECT_URI=http://localhost:3000/api/integrations/callback
GWS_REDIRECT_URI=http://localhost:3000/api/integrations/google/callback
```

Vercel Configuration

In Vercel project settings, add all variables under Settings > Environment Variables. Use different values for Preview and Production environments:

| Environment | NEXT_PUBLIC_APP_URL | INTEGRATION_REDIRECT_URI |
|---|---|---|
| Production | https://app.securatlas.com | https://app.securatlas.com/api/integrations/callback |
| Preview | https://preview.securatlas.com | https://preview.securatlas.com/api/integrations/callback |
| Development | http://localhost:3000 | http://localhost:3000/api/integrations/callback |

Vercel automatically injects NEXT_PUBLIC_VERCEL_URL in preview deployments. However, SecurAtlas uses NEXT_PUBLIC_APP_URL explicitly to ensure consistent OAuth redirects.
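The rules on this page (every variable is required, nothing secret may sit behind a NEXT_PUBLIC_ prefix, and each environment's redirect URIs belong to its NEXT_PUBLIC_APP_URL) can be enforced at boot. The check below is an added example, not SecurAtlas project code; it takes a plain name-to-value map such as process.env, and the secret-value prefixes and the 32-character minimum for INTEGRATION_STATE_SECRET are assumptions taken from the sample values shown above.

```typescript
// Added example, not SecurAtlas project code: a boot-time check over the
// variables documented on this page. Input is a plain name -> value map
// (process.env in practice); the prefixes and length threshold are assumptions.
type Env = Record<string, string | undefined>;

const REQUIRED = [
  "NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY",
  "SUPABASE_SERVICE_ROLE_KEY", "STRIPE_SECRET_KEY",
  "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY", "STRIPE_WEBHOOK_SECRET",
  "NEXT_PUBLIC_APP_URL", "ANTHROPIC_API_KEY", "INTEGRATION_STATE_SECRET",
  "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET",
  "INTEGRATION_REDIRECT_URI", "GWS_REDIRECT_URI",
];

// Prefixes of the secret values named on this page (Stripe, Anthropic, Google).
const SECRET_PREFIXES = [/^sk_(live|test)_/, /^whsec_/, /^sk-ant-/, /^GOCSPX-/];

// Returns a list of problems; an empty list means the environment passes.
function validateEnv(env: Env): string[] {
  const errors: string[] = [];
  for (const name of REQUIRED) {
    if (!env[name]) errors.push(`missing required variable ${name}`);
  }
  // NEXT_PUBLIC_ values are compiled into the browser bundle: refuse any
  // value shaped like a provider secret or equal to the service role key.
  for (const [name, value] of Object.entries(env)) {
    if (!value || !name.startsWith("NEXT_PUBLIC_")) continue;
    if (SECRET_PREFIXES.some((re) => re.test(value))) {
      errors.push(`secret-shaped value exposed in ${name}`);
    }
    if (env.SUPABASE_SERVICE_ROLE_KEY && value === env.SUPABASE_SERVICE_ROLE_KEY) {
      errors.push(`service role key exposed in ${name}`);
    }
  }
  // Each environment pairs its redirect URIs with NEXT_PUBLIC_APP_URL; a callback
  // on another origin cannot match the URI registered with the provider.
  const app = (env.NEXT_PUBLIC_APP_URL ?? "").replace(/\/+$/, "");
  for (const name of ["INTEGRATION_REDIRECT_URI", "GWS_REDIRECT_URI"]) {
    const uri = env[name];
    if (app && uri && !uri.startsWith(app + "/")) {
      errors.push(`${name} is not under NEXT_PUBLIC_APP_URL (${app})`);
    }
  }
  // Assumed minimum: the sample .env.local above uses a 32-character state secret.
  const state = env.INTEGRATION_STATE_SECRET ?? "";
  if (state && state.length < 32) errors.push("INTEGRATION_STATE_SECRET is shorter than 32 characters");
  return errors;
}
```

Call validateEnv(process.env) once at server start and refuse to boot on a non-empty result, so a misconfigured Preview or Production environment fails loudly rather than with a silent OAuth error.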