docs/ENVIRONMENT_VARIABLES.md (10 additions & 1 deletion)
@@ -34,14 +34,21 @@ These are bundled into the client code and exposed to the browser:
34
34
-`VITE_STACK_PROJECT_ID` - Stack Auth project ID
35
35
-`VITE_STACK_PUBLISHABLE_CLIENT_KEY` - Stack Auth public key
36
36
-`VITE_API_URL` - API base URL (empty for production, http://localhost:3000 for dev)
37
+
-`VITE_GEMINI_API_KEY` - **Required**; Gemini API key used for Gemini integration and bundled into client code (e.g. `AIza...`)
38
+
-`VITE_OCR_ENDPOINT` - **Optional**; custom OCR backend endpoint URL (default: use the app's built-in OCR flow/config if unset; e.g. `http://localhost:3000/api/ocr`)
37
39
38
40
### Backend (Vercel Functions) - Server-side only
41
+
39
42
These are only accessible on the server:
40
43
-`STACK_PROJECT_ID` - Stack Auth project ID (server-side)
41
44
-`STACK_SECRET_SERVER_KEY` - Stack Auth secret key (**NEVER expose to client**)
42
-
-`JWT_SECRET` - Secret for signing JWT tokens
45
+
-`JWT_SECRET` - Secret for signing JWT tokens (required; API/server will fail fast if missing)
-`ALLOWED_ORIGINS` - Comma-separated allowlist for CORS (e.g. `https://your-app.vercel.app,http://localhost:5173`)
48
+
-`CORS_ALLOW_CREDENTIALS` - Set to `true` only if you need to send cookies with cross-origin requests
43
49
-`DATABASE_URL` - PostgreSQL connection string
44
50
- All `POSTGRES_*` and `PG*` variables from Neon
51
+
-`GEMINI_API_KEY` - **MUST be server-side only** (no `VITE_` prefix); Gemini API key for AI features (e.g., spreadsheet parsing). **NEVER expose to client code**. All Gemini API calls must be routed through server endpoints (e.g., `/api/parse-spreadsheet`) - the browser should never have direct access to this key.
45
52
46
53
## Common Issues
47
54
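Review bot: this hunk documents two contradictory things about the same secret: the new `VITE_GEMINI_API_KEY` entry (listed under variables that "are bundled into the client code and exposed to the browser") is marked **Required**, while the new `GEMINI_API_KEY` entry a few lines later says the Gemini key "MUST be server-side only (no `VITE_` prefix)" and that "the browser should never have direct access to this key". A `VITE_`-prefixed value ships in the JavaScript bundle, so anyone loading the app can read it; if the server-only routing via `/api/parse-spreadsheet` is the intended design, drop the `VITE_GEMINI_API_KEY` line (or mark it as removed/deprecated and tell readers to revoke any key that was previously bundled) rather than leaving both entries in the same table. Minor: the `VITE_OCR_ENDPOINT` default ("use the app's built-in OCR flow/config if unset") is vague; state the concrete fallback the code uses.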
@@ -76,6 +83,8 @@ If you get 401 Unauthorized errors when logged in with OAuth:
76
83
77
84
3. Never commit `.env`, `.env.development`, or `.env.production` files - they're gitignored for security.
78
85
86
+
4. For the local Express server (`server/server.js`), create `server/.env` (or `.env.local`) with `JWT_SECRET` and `ALLOWED_ORIGINS` that match your dev URLs. See `server/.env.example` for defaults.
87
+
79
88
## Production Deployment
80
89
81
90
Environment variables for production are managed in Vercel:
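Review bot: new step 4 tells readers to put a real `JWT_SECRET` and `ALLOWED_ORIGINS` into `server/.env` or `.env.local`, but step 3 just above lists only `.env`, `.env.development` and `.env.production` as the gitignored files; either extend step 3 to cover `server/.env` and `.env.local` explicitly or say so in step 4, otherwise a reader following the steps may commit the secret. Since step 4 points at `server/.env.example` for defaults, it should also say that the example file carries placeholder values only and that `JWT_SECRET` must be generated per environment.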