The project is configured entirely through environment variables. No secrets or environment-specific values should be hardcoded in source files.

Backend (config/.env)

The Django backend reads its configuration from backend/config/.env using python-dotenv. A default file is committed for development convenience.

Django core

| Variable | Required | Default | Description |
|---|---|---|---|
| DJANGO_SECRET_KEY | Yes | insecure dev key | Django’s cryptographic signing key. Must be long, random, and unique per environment. |
| DJANGO_DEBUG | Yes | True | Set to False in production to disable the debug toolbar and detailed error pages. |
| DJANGO_ALLOWED_HOSTS | Yes | localhost,127.0.0.1 | Comma-separated list of hostnames Django will serve. Add your production domain here. |

Database

The project defaults to SQLite for development. Switch to MySQL for production by updating these variables and uncommenting the MySQL DATABASES block in config/settings.py.

| Variable | Required | Default | Description |
|---|---|---|---|
| DATABASE_ENGINE | No | django.db.backends.sqlite3 | Django database backend. Use django.db.backends.mysql for production. |
| DATABASE_NAME | No | parque_marino_db.sqlite3 | Database name (filename for SQLite, schema name for MySQL). |
| DATABASE_USER | MySQL only | | MySQL username. |
| DATABASE_PASSWORD | MySQL only | | MySQL password. |
| DATABASE_HOST | MySQL only | localhost | MySQL server hostname. |
| DATABASE_PORT | MySQL only | 3306 | MySQL server port. |

CORS

| Variable | Required | Default | Description |
|---|---|---|---|
| DJANGO_CORS_ALLOWED_ORIGINS | No | see below | Comma-separated list of allowed CORS origins. Defaults to http://localhost:5173, http://127.0.0.1:5173, http://localhost:3000, http://127.0.0.1:3000. |

CORS_ALLOW_CREDENTIALS is hardcoded to True in config/settings.py. This is required for JWT cookie-based authentication to work correctly with the frontend.

JWT

| Variable | Required | Default | Description |
|---|---|---|---|
| JWT_ACCESS_TOKEN_LIFETIME_MINUTES | No | 5 | Access token validity in minutes. |
| JWT_REFRESH_TOKEN_LIFETIME_DAYS | No | 1 | Refresh token validity in days. |
| JWT_ALGORITHM | No | HS256 | Signing algorithm. |

Supabase Storage (optional)

Required only if you are using Supabase as the media file storage backend. See backend/SUPABASE_STORAGE_README.md for full setup instructions.

| Variable | Required | Default | Description |
|---|---|---|---|
| SUPABASE_URL | Supabase only | | Your Supabase project URL (e.g. https://abc123.supabase.co). |
| SUPABASE_API_KEY | Supabase only | | Supabase anonymous (public) key. |
| SUPABASE_SERVICE_KEY | Supabase only | | Supabase service role key. Used for administrative storage operations. |
| SUPABASE_STORAGE_BUCKET | Supabase only | media-files | Name of the default storage bucket. |
| ENVIRONMENT | Supabase only | development | Set to production to activate Supabase storage instead of the local filesystem. |

Email (optional)

Uncomment these variables in config/.env to enable Django’s SMTP email backend for system notifications.

| Variable | Required | Default | Description |
|---|---|---|---|
| EMAIL_BACKEND | No | | Set to django.core.mail.backends.smtp.EmailBackend to enable SMTP. |
| EMAIL_HOST | No | | SMTP server hostname (e.g. smtp.gmail.com). |
| EMAIL_PORT | No | | SMTP port (typically 587 for TLS). |
| EMAIL_USE_TLS | No | | Set to True for TLS-encrypted connections. |
| EMAIL_HOST_USER | No | | SMTP account email address. |
| EMAIL_HOST_PASSWORD | No | | SMTP account password or app-specific password. |

Frontend (.env)

The Vite frontend reads variables prefixed with VITE_ from a .env file in the frontend/ directory. Create this file manually — there is no .env.example committed to the repository.
Only variables prefixed with VITE_ are exposed to the browser bundle. Never put server-side secrets in frontend environment variables.

Backend connection

| Variable | Required | Default | Description |
|---|---|---|---|
| VITE_BACKEND_URL | No | http://localhost:8000 | Base URL of the Django API. Used to construct media file URLs (e.g. QR code images). The Axios instance in src/api/axiosInstance.js defaults to http://127.0.0.1:8000/ and should be updated to read from this variable for multi-environment support. |

EmailJS

The frontend sends invoice emails directly from the browser using EmailJS. Configure a service and template in your EmailJS account, then set these variables.

| Variable | Required | Default | Description |
|---|---|---|---|
| VITE_EMAILJS_SERVICE_ID | Yes | | EmailJS service ID (e.g. service_ke9gzcs). Found in your EmailJS dashboard under Email Services. |
| VITE_EMAILJS_TEMPLATE_ID | Yes | | Primary template ID for invoice emails (e.g. template_factura). |
| VITE_EMAILJS_PUBLIC_KEY | Yes | | EmailJS public key (e.g. 3mQx8AVIUbbufg0BX). Found in Account > General. |

The current codebase has the EmailJS credentials hardcoded in src/services/emailInvoiceService.js. Move them to environment variables for proper secret management in production.

PayPal

The PayPal SDK is loaded as a <script> tag in frontend/index.html rather than via an environment variable. To update the client ID:
frontend/index.html
<script src="https://www.paypal.com/sdk/js?client-id=YOUR_PAYPAL_CLIENT_ID"></script>
Replace YOUR_PAYPAL_CLIENT_ID with your sandbox or live client ID from the PayPal Developer Dashboard.

Complete .env examples

# Django core
DJANGO_SECRET_KEY='django-insecure-replace-this-in-production'
DJANGO_DEBUG=True
DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1

# Database — SQLite
DATABASE_ENGINE=django.db.backends.sqlite3
DATABASE_NAME=parque_marino_db.sqlite3

# CORS
DJANGO_CORS_ALLOWED_ORIGINS=http://localhost:5173,http://127.0.0.1:5173

# JWT
JWT_ACCESS_TOKEN_LIFETIME_MINUTES=5
JWT_REFRESH_TOKEN_LIFETIME_DAYS=1
JWT_ALGORITHM=HS256

Security checklist

Review this checklist before deploying to a production or shared environment.
  • DJANGO_SECRET_KEY is a strong, randomly generated value unique to this environment
  • DJANGO_DEBUG is set to False
  • DJANGO_ALLOWED_HOSTS contains only your actual production hostname(s)
  • DATABASE_PASSWORD is a strong, unique credential not shared with other services
  • SUPABASE_SERVICE_KEY is kept server-side only and never exposed to the browser
  • The config/.env file is listed in .gitignore and has never been committed with real credentials
  • The PayPal client-id in index.html is your live client ID, not the sandbox one
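
A pre-deployment check for the checklist above, written for this page as an added example rather than taken from the project. The function names, the SECRET_WORDS heuristic and the https-only CORS rule are assumptions of the example; the secret-key test uses the same criteria as Django's security.W009 deploy check.

```python
from urllib.parse import urlparse

LOCAL = {"localhost", "127.0.0.1", "*"}
SECRET_WORDS = ("SECRET", "PASSWORD", "SERVICE_KEY")  # assumed naming heuristic

def parse_env(text):
    """Parse KEY=VALUE lines, skipping comments and stripping matching quotes."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            env[key] = value
    return env

def split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_backend(env):
    """Return the names of variables that fail a production check."""
    failed = []
    key = env.get("DJANGO_SECRET_KEY", "")
    # Same criteria as Django's deploy check security.W009.
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        failed.append("DJANGO_SECRET_KEY")
    if env.get("DJANGO_DEBUG", "True").lower() != "false":
        failed.append("DJANGO_DEBUG")
    if LOCAL & set(split_csv(env.get("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1"))):
        failed.append("DJANGO_ALLOWED_HOSTS")
    if env.get("DATABASE_ENGINE", "").endswith("mysql") and not env.get("DATABASE_PASSWORD"):
        failed.append("DATABASE_PASSWORD")
    # Assumed policy: with credentials allowed, each origin must be https and non-local.
    origins = split_csv(env.get("DJANGO_CORS_ALLOWED_ORIGINS", "http://localhost:5173"))
    if any(urlparse(o).scheme != "https" or urlparse(o).hostname in LOCAL for o in origins):
        failed.append("DJANGO_CORS_ALLOWED_ORIGINS")
    return failed

def audit_frontend(env):
    """Return VITE_ names that look like server-side secrets (bundled for the browser)."""
    return [k for k in env if k.startswith("VITE_") and any(w in k for w in SECRET_WORDS)]

# Constructed sample: development values from this page's example .env.
DEV_ENV = parse_env("""
DJANGO_SECRET_KEY='django-insecure-replace-this-in-production'
DJANGO_DEBUG=True
DJANGO_ALLOWED_HOSTS=localhost,127.0.0.1
DJANGO_CORS_ALLOWED_ORIGINS=http://localhost:5173,http://127.0.0.1:5173
""")
```

Run against the development values, audit_backend(DEV_ENV) reports the secret key, debug flag, allowed hosts and CORS origins; an empty list means every check passed.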
