Maleku System reads its configuration exclusively from environment variables — no hard-coded values exist in the codebase. The backend uses pydantic-settings (BaseSettings) to validate and coerce every variable at startup; missing required values raise a ValueError immediately so misconfigured deployments fail fast. The frontend reads three public variables at build time via Nuxt.js runtime config.
Backend Variables
Core Application
Human-readable application name used in log output and email templates.
Application version string. Exposed in API responses and log entries.
Runtime environment. Accepted values: development, staging, production, test. Controls CORS enforcement, logging format, and Stripe test-mode detection.
Enables FastAPI debug mode and verbose error responses. Must be False in production.
HMAC secret used to sign JWT tokens. Must be at least 32 characters. The application raises ValueError at startup if this is missing or too short.
Standard Python logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL.
Set to json to enable the JSONFormatter for structured log output. When empty, the SimpleFormatter with ANSI colours is used (recommended for development).
Database & Cache
When deploying to Railway, DATABASE_URL and REDIS_URL are automatically injected by the platform from the provisioned PostgreSQL and Redis services. Do not set these manually in the Railway Variables tab or you will override the internal connection strings.
Async SQLAlchemy connection string. Example: postgresql+asyncpg://postgres:password@localhost:5432/costaricatravel. The app raises ValueError at startup if this is empty.
Redis connection string used for session caching and rate-limiter state. Example with auth: redis://:password@localhost:6379/0.
Authentication & Security
Lifetime of JWT access tokens in minutes.
Lifetime of JWT refresh tokens in days.
JWT signing algorithm. HS256 is used throughout the codebase.
Minimum acceptable password length enforced at registration and password-change endpoints.
Regular expression applied to new passwords at registration and password-change endpoints. The default pattern requires at least one lowercase letter, one uppercase letter, one digit, and one special character (@$!%*?&).
JSON-encoded array of allowed CORS origins. In production, set this to exactly the Vercel frontend URL — the application rejects wildcard (*) and 0.0.0.0 origins when ENVIRONMENT=production.
Stripe Payments
Stripe secret key (sk_live_… for production, sk_test_… for development). When empty or set to sk_test_..., the app treats Stripe as unconfigured and disables payment flows.
Stripe publishable key sent to the frontend for Stripe.js initialisation.
Webhook signing secret from the Stripe Dashboard. Used to verify the stripe-signature header on incoming webhook events.
Platform commission deducted from vendor payouts expressed as a decimal (e.g. 0.10 = 10 %).
Cloudinary (Media Storage)
Cloudinary cloud name from your account dashboard.
Cloudinary API key.
Cloudinary API secret. Keep this value out of version control.
Folder prefix prepended to all uploaded asset paths in Cloudinary.
Email (Resend + SMTP)
API key for the Resend transactional email service. When set, Resend is used as the primary email transport.
Sender email address used in the From header of all outgoing emails.
Human-readable sender name displayed in email clients.
When True and RESEND_API_KEY is empty, falls back to the SMTP transport defined below. Set to True in development when using MailHog.
SMTP server hostname. Use mailhog when running inside Docker Compose.
SMTP server port. MailHog listens on 1025.
SMTP username (leave empty for MailHog / unauthenticated SMTP).
SMTP password (leave empty for MailHog / unauthenticated SMTP).
Enable STARTTLS for SMTP connections. Set to True for production SMTP providers.
BillionMail (Optional)
Base URL of a self-hosted BillionMail instance. Leave empty if not used.
API key for the BillionMail instance.
Sentry (Optional)
Sentry DSN for error tracking. Leave empty to disable Sentry integration.
Sentry environment tag (e.g. production, staging).
Pagination
Default number of items returned per paginated API response.
Maximum number of items a client can request per page.
Site
Canonical public URL of the site. Used in transactional email links and absolute URL generation on the backend.
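The backend rules stated above (secret length, debug flag, database URL, production CORS origins, Stripe placeholder key) can be checked against an environment before deployment. This is an added example, not code from the Maleku System repository; ENVIRONMENT and DATABASE_URL are named on this page, while SECRET_KEY, DEBUG, CORS_ORIGINS and STRIPE_SECRET_KEY are assumed names for settings the page describes without naming.

```python
import json

# ENVIRONMENT and DATABASE_URL are named on this page. SECRET_KEY, DEBUG,
# CORS_ORIGINS and STRIPE_SECRET_KEY are assumed names for settings the page
# describes without naming.
ENVIRONMENTS = {"development", "staging", "production", "test"}
TRUTHY = {"1", "true", "yes", "on"}  # assumed boolean spellings


def check_env(env):
    """Return the rule violations found in a mapping of environment variables."""
    problems = []
    environment = env.get("ENVIRONMENT", "")
    if environment not in ENVIRONMENTS:
        problems.append("ENVIRONMENT: not an accepted value")
    prod = environment == "production"
    if len(env.get("SECRET_KEY", "")) < 32:
        problems.append("SECRET_KEY: missing or shorter than 32 characters")
    if not env.get("DATABASE_URL", "").strip():
        problems.append("DATABASE_URL: empty")
    if prod and env.get("DEBUG", "").strip().lower() in TRUTHY:
        problems.append("DEBUG: must be False in production")
    try:
        origins = json.loads(env.get("CORS_ORIGINS", "[]"))
    except json.JSONDecodeError:
        origins = None
    if not isinstance(origins, list) or not all(isinstance(o, str) for o in origins):
        problems.append("CORS_ORIGINS: not a JSON array of strings")
    elif prod:
        for origin in origins:
            if "*" in origin or "0.0.0.0" in origin:
                problems.append(f"CORS_ORIGINS: {origin!r} rejected in production")
    return problems


def stripe_configured(env):
    """Empty or the literal placeholder sk_test_... means payments are disabled."""
    return env.get("STRIPE_SECRET_KEY", "") not in ("", "sk_test_...")


# Constructed sample environments, not real deployment values.
GOOD = {"ENVIRONMENT": "production", "SECRET_KEY": "k" * 40, "DEBUG": "False",
        "DATABASE_URL": "postgresql+asyncpg://postgres:password@localhost:5432/costaricatravel",
        "CORS_ORIGINS": '["https://costaricatravel.vercel.app"]'}
BAD = {"ENVIRONMENT": "production", "SECRET_KEY": "short", "DEBUG": "true",
       "DATABASE_URL": "", "CORS_ORIGINS": '["*", "http://0.0.0.0:3000"]'}

if __name__ == "__main__":
    for name, env in (("good", GOOD), ("bad", BAD)):
        print(name, check_env(env) or "ok", "| stripe on:", stripe_configured(env))
```

Passing os.environ to check_env in a CI step surfaces the same failures the application would raise at startup, plus a silently disabled payment flow.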
Frontend Variables
The Nuxt.js 3 frontend reads three public variables at build time via runtimeConfig.public:
Full URL to the FastAPI backend API, including the /api/v1 prefix. Example: https://costarica-backend.up.railway.app/api/v1.
Canonical URL of the frontend deployment. Used for SEO meta tags and absolute URL generation. Example: https://costaricatravel.vercel.app.
Runtime environment label exposed to the frontend. Set to production on Vercel or staging in the staging Docker Compose stack.