Skip to main content

Environment File Setup

JOIP uses environment variables for configuration. All variables are loaded from a .env file in the project root.
1

Create Environment File

cp .env.example .env
2

Edit Configuration

Open .env in your editor and configure the required variables below.
3

Restart Server

npm run dev
Changes to .env require a server restart.
Never commit .env files to version control. The .gitignore file should already exclude them.

Core Configuration

Database Connection

DATABASE_URL
string
required
PostgreSQL connection string in URI format.
DATABASE_URL="postgresql://username:password@host:5432/database"
Examples:
  • Local: postgresql://postgres:password@localhost:5432/joip_dev
  • Supabase: postgresql://postgres:[password]@db.[project].supabase.co:5432/postgres
  • Neon: postgresql://[user]:[password]@[host].neon.tech/[database]
For production, enable SSL by appending ?sslmode=require to the connection string.

Session Management

SESSION_SECRET
string
required
Secret key for signing session cookies. Must be a strong random string.
SESSION_SECRET="your_session_secret_key"
Generate securely:
openssl rand -hex 32
Use a different secret for development and production. Changing this will invalidate all existing sessions.

Application Settings

NODE_ENV
string
default:"development"
Application environment mode.
NODE_ENV="development"  # or "production"
Effects:
  • development: Enables Vite HMR, verbose logging, local auth
  • production: Serves from dist/, minified assets, Replit OIDC
PORT
number
default:5000
Server port number.
PORT=5000
Replit automatically proxies this port. The default is always 5000.
JOIP_INTERNAL_PORT
number
Optional override for internal localhost callbacks/proxy calls.
# JOIP_INTERNAL_PORT=5000
Defaults to PORT when omitted. Only needed for special reverse proxy setups.
UPLOAD_DIR
string
default:"./uploads"
Directory for temporary file uploads.
UPLOAD_DIR="./uploads"
Deprecated: JOIP now uses Supabase Storage exclusively. This setting is retained for backward compatibility but not actively used.

Reddit Integration

Required for Reddit-based sessions, Gaslighter, and Scroller features.
REDDIT_CLIENT_ID
string
required
Reddit application client ID.
REDDIT_CLIENT_ID="your_reddit_client_id"
How to get:
  1. Go to https://www.reddit.com/prefs/apps
  2. Click “Create App” or “Create Another App”
  3. Choose “script” type
  4. The client ID is shown under the app name
REDDIT_CLIENT_SECRET
string
required
Reddit application client secret.
REDDIT_CLIENT_SECRET="your_reddit_client_secret"
Found in the same location as the client ID.

AI Services

Caption Generation

Choose one or both providers for AI caption generation:
OPENROUTER_API_KEY
string
OpenRouter API key for AI caption generation (recommended).
OPENROUTER_API_KEY="sk-or-v1-your_openrouter_api_key"
Features:
  • Access to Gemini 2.5 Pro and Flash models
  • Automatic fallback between models
  • Used for contextual/narrative captions in Manual Editor
  • Used for Smart Captions with themed prompts
Get your key:
  1. Sign up at https://openrouter.ai
  2. Navigate to Settings → API Keys
  3. Create a new key
Models used:
  • Manual Editor: google/gemini-2.5-pro (fallback: gemini-2.5-flash-lite)
  • Smart Captions: gemini-2.5-flash-lite
OPENAI_API_KEY
string
OpenAI API key as alternative to OpenRouter.
OPENAI_API_KEY="sk-your_openai_api_key"
The system will use OpenRouter if available, falling back to OpenAI.

AI Image Services

XAI_API_KEY
string
xAI API key for AI Undress feature (primary provider).
XAI_API_KEY="xai-your_xai_api_key"
Get your key:Model:
  • Uses grok-imagine-image-pro by default
  • Override with XAI_UNDRESS_MODEL
XAI_UNDRESS_MODEL
string
default:"grok-imagine-image-pro"
Optional xAI model override for AI Undress.
XAI_UNDRESS_MODEL="grok-imagine-image-pro"
FREEPIK_API_KEY
string
Freepik API key for AI Undress feature (fallback provider).
FREEPIK_API_KEY="your_freepik_api_key"
Get your key:Model:
  • Uses Seedream 4.5 Edit
  • Automatically used when xAI fails or is unavailable
UNDRESS_PRIMARY_PROVIDER
string
default:"xai"
Select primary provider for AI Undress.
UNDRESS_PRIMARY_PROVIDER="xai"  # or "freepik"
Options:
  • xai: Use xAI as primary, Freepik as fallback
  • freepik: Use Freepik as primary, xAI as fallback
REPLICATE_API_TOKEN
string
Replicate API token (dormant/legacy provider).
REPLICATE_API_TOKEN="r8_your_replicate_api_token"
This provider is dormant and kept for backward compatibility. The system uses xAI and Freepik.

Cloud Storage

Required for manual sessions, Media Vault, and file uploads.
SUPABASE_URL
string
required
Supabase project URL.
SUPABASE_URL="https://your-project.supabase.co"
Get from:
  1. Supabase Dashboard
  2. Select your project
  3. Settings → API → Project URL
SUPABASE_ANON_KEY
string
required
Supabase anonymous (public) key.
SUPABASE_ANON_KEY="your_supabase_anon_key"
Found in the same location as the project URL under “Project API keys” → “anon public”.
This key is safe to use in client-side code. It respects Row Level Security (RLS) policies.
SUPABASE_SERVICE_KEY
string
required
Supabase service role (admin) key.
SUPABASE_SERVICE_KEY="your_supabase_service_key"
Found under “Project API keys” → “service_role”.
Never expose this key client-side. It bypasses all RLS policies and has full admin access.

Storage Buckets

The application automatically creates these buckets:
  • user-media: User uploads and manual session media
    • Path structure: users/{userId}/manual-sessions/{sessionId}/
  • general: Community content and shared media
Test storage connectivity with:
curl http://localhost:5000/api/storage/status

External Services

Imgchest Integration

IMGCHEST_API_KEY
string
Imgchest API key for importing existing galleries.
IMGCHEST_API_KEY="your_imgchest_api_key"
Required only for the “Import JOIP” feature to import from Imgchest.

Replit Deployment

These variables are automatically set by Replit. Only configure manually for custom deployments.
REPLIT_DOMAINS
string
Replit domain for the deployed app.
REPLIT_DOMAINS="your-repl-domain.replit.dev"
Effects:
  • When set: Enables Replit OIDC authentication
  • When unset: Uses local development auth strategy
REPL_ID
string
Unique Replit project identifier.
REPL_ID="your_repl_id"
Used for Replit OIDC configuration.
ISSUER_URL
string
default:"https://identity.util.repl.co"
OIDC issuer URL for Replit authentication.
ISSUER_URL="https://identity.util.repl.co"
REPLIT_DEV_DOMAIN
string
Development domain (auto-populated by Replit).
# REPLIT_DEV_DOMAIN="your-dev-domain.replit.dev"
REPLIT_DB_URL
string
Replit database URL (auto-populated).
# REPLIT_DB_URL="your-replit-db-url"

Payment Integrations

Telegram Payments

TELEGRAM_BOT_TOKEN
string
Telegram bot token for Telegram Stars payments.
TELEGRAM_BOT_TOKEN="your_telegram_bot_token"
Required together with TELEGRAM_WEBHOOK_SECRET to enable Telegram payment flow.
TELEGRAM_WEBHOOK_SECRET
string
Telegram webhook secret for payment verification.
TELEGRAM_WEBHOOK_SECRET="your_telegram_webhook_secret"
TELEGRAM_BOT_USERNAME
string
default:"OfficialJoipBot"
Telegram bot username.
TELEGRAM_BOT_USERNAME="OfficialJoipBot"
Defaults to “OfficialJoipBot” when unset.
TELEGRAM_CHANNEL_ID
string
Telegram channel ID for membership features.
TELEGRAM_CHANNEL_ID="-1001234567890"
Only needed for channel invite/membership features.

Thirdweb Checkout

THIRDWEB_CLIENT_ID
string
Thirdweb client ID for crypto/card payments.
THIRDWEB_CLIENT_ID="your_thirdweb_client_id"
Required together with webhook secret to enable Thirdweb checkout flow.
THIRDWEB_WEBHOOK_SECRET
string
Thirdweb webhook secret for payment verification.
THIRDWEB_WEBHOOK_SECRET="your_thirdweb_webhook_secret"
THIRDWEB_SELLER_WALLET
string
Ethereum wallet address for receiving payments.
THIRDWEB_SELLER_WALLET="0xyour_seller_wallet_address"

Database Tuning

Optional connection pool and performance settings. 
# Maximum pool size
DB_POOL_MAX=20

# Minimum pool size  
DB_POOL_MIN=2

# Idle timeout in milliseconds
DB_POOL_IDLE=10000

# Connection timeout in seconds
DB_CONNECT_TIMEOUT=10

# Max connection lifetime in seconds
DB_MAX_LIFETIME=3600
These are optional. The application uses sensible defaults optimized for most deployments.

Logging Configuration

LOG_LEVEL
string
default:"info"
Application logging verbosity.
LOG_LEVEL="info"
Options:
  • error: Only errors
  • warn: Warnings and errors
  • info: General information (recommended)
  • debug: Detailed debugging information

Complete Example

# Database
DATABASE_URL="postgresql://postgres:password@localhost:5432/joip_dev"

# Session
SESSION_SECRET="generated-secure-random-string-here"

# Application
NODE_ENV="development"
PORT=5000

# Reddit
REDDIT_CLIENT_ID="your_reddit_client_id"
REDDIT_CLIENT_SECRET="your_reddit_client_secret"

# AI - Caption Generation
OPENROUTER_API_KEY="sk-or-v1-your_openrouter_key"

# AI - Image Services
XAI_API_KEY="xai-your_key"
FREEPIK_API_KEY="your_freepik_key"
UNDRESS_PRIMARY_PROVIDER="xai"

# Cloud Storage
SUPABASE_URL="https://yourproject.supabase.co"
SUPABASE_ANON_KEY="your_anon_key"
SUPABASE_SERVICE_KEY="your_service_key"

# Optional
IMGCHEST_API_KEY="your_imgchest_key"

Validation

The application validates environment configuration on startup via server/environmentConfig.ts. Startup checks:
  • Required variables are present
  • Database connection succeeds
  • Connection pool initializes
  • Supabase connectivity (if configured)
Validation errors: 
✗ DATABASE_URL must be set
✗ SESSION_SECRET must be set
✗ Supabase configuration incomplete

Diagnostics

Check Storage Status

curl http://localhost:5000/api/storage/status
Response: 
{
  "configured": true,
  "reachable": true,
  "buckets": ["user-media", "general"],
  "testPassed": true
}
Error codes:
  • STORAGE_CONFIG_ERROR: Missing environment variables
  • STORAGE_UNREACHABLE: Cannot connect to Supabase
  • STORAGE_PREFLIGHT_FAILED: Bucket test upload failed

Check Database Connection

Verify the database is accessible: 
psql "$DATABASE_URL" -c "SELECT version();"

Test API Keys

Create a Reddit session and verify media loads. Check server logs for:
✓ Reddit API request successful
✓ Fetched 100 posts from r/subreddit
Try generating a caption in Smart Captions. Look for:
✓ OpenRouter request successful
✓ Generated caption with gemini-2.5-flash-lite
Upload an image in Media Vault. Verify:
✓ File uploaded to user-media bucket
✓ Public URL generated

Security Best Practices

1

Secret Management

  • Never commit .env files to Git
  • Use different secrets for dev/staging/production
  • Rotate API keys regularly (quarterly recommended)
  • Store production secrets in secure vaults (Replit Secrets, AWS Secrets Manager)
2

API Key Security

  • Never expose service keys client-side
  • Use SUPABASE_ANON_KEY for client operations only
  • Keep SUPABASE_SERVICE_KEY server-side only
  • Monitor API usage for anomalies
3

Database Security

  • Use SSL for production database connections
  • Implement IP whitelisting where possible
  • Use strong passwords (20+ characters)
  • Enable connection pooling with max limits
4

Session Security

  • Use strong SESSION_SECRET (32+ bytes)
  • Enable secure cookies in production (HTTPS only)
  • Set appropriate session timeouts
  • Implement CSRF protection

Troubleshooting

Symptom: Manual session creation returns 503 with error codesSolutions:
  1. Verify all three Supabase variables are set
  2. Check if Supabase project is paused (resume it)
  3. Test with /api/storage/status
  4. Review error code:
    • STORAGE_CONFIG_ERROR: Add missing env vars
    • STORAGE_UNREACHABLE: Check URL and network
    • STORAGE_PREFLIGHT_FAILED: Verify bucket permissions
Symptom: Caption generation fails silentlySolutions:
  1. Check API keys are valid (not expired)
  2. Verify sufficient credits/quota on provider
  3. Check server logs for specific errors
  4. Test fallback: if OpenRouter fails, try OpenAI
Symptom: 429 errors when fetching Reddit contentSolutions:
  1. Built-in retry logic should handle this automatically
  2. Reduce concurrent requests
  3. Check if Reddit credentials are valid
  4. Wait for rate limit to reset (typically 1 minute)
Symptom: Cannot connect to databaseSolutions:
  1. Verify DATABASE_URL format is correct
  2. Check database is running and accessible
  3. For cloud databases: verify IP whitelist
  4. Test connection: psql "$DATABASE_URL"
  5. Check connection pool settings if hitting limits

Next Steps

Quick Start Guide

Create your first session with AI captions

API Reference

Explore all available API endpoints

Build docs developers (and LLMs) love

Get started for freeTalk to us