Skip to main content
WebCorporativa API reads its runtime configuration from environment variables. Set these before starting the process. Values not provided fall back to built-in defaults, but you should always set DB_CONNECTION and JWT_KEY explicitly in any non-development environment.

Database

DB_CONNECTION
string
required
SQL Server connection string used by EF Core.
DB_CONNECTION="Server=db.example.com;Database=WebCorporativa;User Id=apiuser;Password=secret;"
If this variable is not set, the API falls back to a hard-coded development connection string compiled into the binary. Always override this in staging and production.

JWT authentication

JWT_KEY
string
required
Secret key used to sign and verify JWT tokens. A minimum of 32 characters is recommended; shorter keys reduce the security of the HMAC-SHA signature.
JWT_KEY="replace-this-with-a-strong-random-secret-at-least-32-chars"
The API ships with a default JWT_KEY value for development convenience. Never use the default key in a staging or production environment — any party who knows it can forge valid tokens for any user.
JWT_ISSUER
string
default:"WebCorporativaAPI"
The iss claim written into every issued token and validated on incoming tokens.
JWT_ISSUER="WebCorporativaAPI"
JWT_AUDIENCE
string
default:"WebCorporativaAPI"
The aud claim written into every issued token and validated on incoming tokens.
JWT_AUDIENCE="WebCorporativaAPI"

Image uploads (Cloudinary)

Cloudinary configuration is optional. If any of the three variables below are absent, image upload endpoints will return an error. All other API functionality — authentication, user management, profiles, modules, and permissions — continues to work normally.
CLOUDINARY_CLOUD_NAME
string
Your Cloudinary cloud name, visible in the Cloudinary dashboard.
CLOUDINARY_CLOUD_NAME="my-cloud"
CLOUDINARY_API_KEY
string
Cloudinary API key.
CLOUDINARY_API_KEY="123456789012345"
CLOUDINARY_API_SECRET
string
Cloudinary API secret. Treat this like a password.
CLOUDINARY_API_SECRET="your-api-secret"

Captcha validation (Cloudflare Turnstile)

The Turnstile secret key is read from appsettings.json (or its environment-specific overrides) under the key Turnstile:SecretKey. You can also supply it via the standard ASP.NET Core environment variable override syntax: 
Turnstile__SecretKey="your-turnstile-secret-key"
The double underscore (__) is the ASP.NET Core convention for mapping environment variable names to nested configuration keys. Turnstile__SecretKey maps to Turnstile:SecretKey in appsettings.json.
This key is sent to Cloudflare’s server-side verification endpoint each time a user attempts to log in. If the key is missing or invalid, all login requests will fail captcha validation.

Request size limit

The API accepts request bodies up to 10 MB. This limit accommodates Base64-encoded avatar images. It is configured in code and cannot be changed via environment variables without modifying the source.

Example: minimal environment for local development

export DB_CONNECTION="Server=localhost;Database=WebCorporativa;User Id=sa;Password=DevPassword123;"
export JWT_KEY="dev-only-key-do-not-use-in-production-32chars+"
export Turnstile__SecretKey="1x0000000000000000000000000000000AA"  # Turnstile always-pass test key
Cloudflare provides test keys for Turnstile that always pass or always fail validation. Use 1x0000000000000000000000000000000AA as Turnstile__SecretKey locally and pass any string as the captchaToken in login requests. See the Turnstile testing reference for the full list of test keys.

Build docs developers (and LLMs) love

Get started for freeTalk to us