MELIKA’s runtime behaviour is driven entirely by environment variables — no secrets are ever committed to the repository. Before starting either service you must define every required variable in the appropriateDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Imjuanisss/proyecto-melika/llms.txt
Use this file to discover all available pages before exploring further.
.env file (for local development) or in the Railway service dashboard (for production). This page catalogues every variable, shows example values, and walks through the Gmail OAuth2 credential flow that powers transactional email delivery.
Server environment variables
The Express backend reads these variables at startup. Missing required variables will cause the server to crash or silently degrade security-sensitive features.| Variable | Description | Example value | Required |
|---|---|---|---|
PORT | TCP port the Express server listens on. Railway injects this automatically; default is 3000 locally. | 3000 | No |
DB_HOST | Hostname of the PostgreSQL server. | localhost | Yes |
DB_PORT | Port the PostgreSQL server listens on. | 5432 | Yes |
DB_NAME | Name of the PostgreSQL database. | melika_db | Yes |
DB_USER | PostgreSQL user with access to DB_NAME. | postgres | Yes |
DB_PASSWORD | Password for DB_USER. | s3cr3t | Yes |
JWT_SECRET | Secret used to sign and verify JSON Web Tokens. Must be long and unpredictable. Rotating this value invalidates every active session. | a8f3... (64+ random chars) | Yes |
FRONTEND_URL | Allowed CORS origin for the production frontend. Must match the deployed client URL exactly — no trailing slash. | https://melika-client.up.railway.app | Yes |
EMAIL_USER | Gmail address that sends verification and notification emails via the Gmail API. | noreply@yourapp.com | Yes |
EMAIL_FROM | Display name and address shown in the From header. Defaults to MELIKA Salud <EMAIL_USER> when omitted. | MELIKA Salud <noreply@yourapp.com> | No |
GMAIL_CLIENT_ID | OAuth2 client ID obtained from Google Cloud Console. | 1234567890-abc.apps.googleusercontent.com | Yes |
GMAIL_CLIENT_SECRET | OAuth2 client secret paired with GMAIL_CLIENT_ID. | GOCSPX-... | Yes |
GMAIL_REFRESH_TOKEN | Long-lived OAuth2 refresh token used to mint access tokens for the Gmail API. | 1//04... | Yes |
Client environment variables
Vite injects variables prefixed withVITE_ into the browser bundle at build time. Any variable without this prefix is stripped from the bundle and will be undefined in the browser.
| Variable | Description | Example value | Required |
|---|---|---|---|
VITE_API_URL | Base URL of the MELIKA backend. The React app appends API paths to this value. Must not have a trailing slash. | https://melika-server.up.railway.app | Yes |
Gmail OAuth2 setup
MELIKA uses Gmail’s OAuth2 flow instead of a plain SMTP password so that Google cannot block transactional email as “less secure app access”. Railway (and most cloud providers) also block outbound SMTP ports (25, 465, 587) at the network level — the Gmail API travels over HTTPS (port 443) and is never blocked. Follow these steps once to obtain the four Gmail-related variables.Create a Google Cloud project
Go to console.cloud.google.com, click New Project, give it a name (e.g.
melika-mail), and note the project ID.Enable the Gmail API
In the project, navigate to APIs & Services → Library, search for Gmail API, and click Enable.
Create OAuth2 credentials
Go to APIs & Services → Credentials → Create Credentials → OAuth client ID. Choose Web application as the application type. Add
https://developers.google.com/oauthplayground as an authorised redirect URI, then click Create. Copy the Client ID → GMAIL_CLIENT_ID and Client Secret → GMAIL_CLIENT_SECRET.Obtain a refresh token
Open OAuth 2.0 Playground. Click the gear icon (OAuth2 configuration), enable Use your own OAuth credentials, and paste your Client ID and Client Secret. In Step 1, select
https://mail.google.com/ from the Gmail API scopes and click Authorise APIs. Sign in with the EMAIL_USER address. In Step 2, click Exchange authorization code for tokens. Copy the Refresh token → GMAIL_REFRESH_TOKEN.Refresh tokens for Google Workspace accounts do not expire unless revoked. For personal Gmail accounts, tokens expire if unused for six months. Regenerate the token and update
GMAIL_REFRESH_TOKEN if email delivery stops working.CORS configuration
The server’s allowed-origins list is defined inserver.js as:
server/src/server.js
credentials: true is also set, which means the browser will include cookies and Authorization headers in cross-origin requests. Both constraints apply:
JWT secret guidance
Example .env files
Add both
.env files to .gitignore before your first commit. Railway injects production values through its service dashboard, so .env files are only needed for local development.Data protection — Colombia Ley 1581/2012
MELIKA stores datos sensibles de salud (clinical histories, diagnoses, prescriptions) which are classified as sensitive personal data under Colombia’s Ley 1581 de 2012 and its regulatory decree 1377 de 2013. Operators must:- Obtain explicit, informed consent from patients before collecting health data.
- Store all database credentials and
JWT_SECRETonly in secure secret stores — never in source code or public repositories. - Restrict database access to the minimum set of users and services that require it.
- Maintain an audit log of access to clinical histories (MELIKA’s
logs_citastable partially satisfies this requirement). - Appoint a Responsable del Tratamiento and publish a Política de Tratamiento de Datos Personales accessible to all users.
- Report data breaches to the Superintendencia de Industria y Comercio (SIC) within the timeframes established by the authority.