Each service in the Bloom Housing platform is configured through environment variables defined in a .env file at the root of its respective directory. Copy the .env.template file in each service directory to create your .env file and fill in the required values.
The API reads its configuration from api/.env. The template is located at api/.env.template.
Variables marked as secret (such as APP_SECRET, EMAIL_API_KEY, TWILIO_AUTH_TOKEN, CLOUDINARY_SECRET, API_PASS_KEY, and S3/Google credentials) must never be committed to source control. Store them securely using your environment’s secrets management solution.

Database

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `DATABASE_URL` | PostgreSQL connection URL | `postgres://<username>@localhost:5432/bloom_prisma` | Yes |

Server

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `PORT` | Port the API server listens on | `3100` | Yes |
| `NODE_ENV` | Runtime environment (development, production, test) | `development` | Yes |
| `CORS_ORIGINS` | JSON array of exact-match URLs allowed to make cross-origin requests | `["http://localhost:3000", "http://localhost:3001"]` | Yes |
| `CORS_REGEX` | JSON array of strings converted to regex patterns for additional CORS allowances | `["test1", "test2"]` | No |
| `PROXY_URL` | URL for the proxy server | | No |
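An added example (not Bloom Housing code) of why CORS_REGEX entries should be anchored and have their dots escaped. It assumes each string is compiled with `new RegExp()` and tested against the request's Origin header, which this page does not specify; the patterns and origins are constructed.

```javascript
// Added example. Assumption: each CORS_REGEX string is compiled with
// new RegExp(str) and tested against the request's Origin header.
function compileCorsRegex(jsonValue) {
  const parsed = JSON.parse(jsonValue);
  if (!Array.isArray(parsed) || !parsed.every((s) => typeof s === "string"))
    throw new TypeError("CORS_REGEX must be a JSON array of strings");
  return parsed.map((s) => new RegExp(s));
}

function originAllowed(origin, regexes) {
  return regexes.some((re) => re.test(origin));
}

// Heuristic lint: flag patterns that are unanchored or contain an unescaped dot.
function lintCorsPattern(source) {
  const issues = [];
  if (!source.startsWith("^")) issues.push("missing ^ anchor");
  if (!source.endsWith("$") || source.endsWith("\\$")) issues.push("missing $ anchor");
  if (/(^|[^\\])\.(?![*+?{])/.test(source)) issues.push("unescaped '.'");
  return issues;
}

// Constructed values. String.raw keeps the text exactly as it would sit in .env:
// the JSON must contain "\\." for the compiled regex to contain "\.".
const LOOSE = String.raw`["example.org"]`;
const STRICT = String.raw`["^https://[a-z0-9-]+\\.example\\.org$"]`;

// Constructed origins, all under reserved example/test domains.
const ORIGINS = [
  "https://partners.example.org",       // the intended subdomain
  "https://example.org.lookalike.test", // a different site containing the substring
  "https://exampleXorg.test",           // the unescaped '.' matches 'X'
];

// Returns the lint result per pattern and the sample origins the value admits.
function report(envValue) {
  const regexes = compileCorsRegex(envValue);
  return {
    lint: JSON.parse(envValue).map(lintCorsPattern),
    allowed: ORIGINS.filter((o) => originAllowed(o, regexes)),
  };
}

console.log(report(LOOSE), report(STRICT));
```

The template's sample values `test1` and `test2` are unanchored as well, so replace them rather than extending them.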

Authentication

APP_SECRET and API_PASS_KEY are secrets. Use long, randomly generated values in production.

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `APP_SECRET` | Secret key used to sign JWTs and session tokens | `some-long-secret-key` | Yes |
| `MFA_CODE_LENGTH` | Number of digits in a generated MFA code | `5` | Yes |
| `MFA_CODE_VALID` | Time-to-live for MFA codes, in milliseconds | `60000` (1 minute) | Yes |
| `AUTH_LOCK_LOGIN_COOLDOWN` | Duration of an account lock after too many failed login attempts, in milliseconds | `1800000` (30 minutes) | Yes |
| `AUTH_LOCK_LOGIN_AFTER_FAILED_ATTEMPTS` | Number of failed login attempts before an account is locked | `5` | Yes |
| `API_PASS_KEY` | Passkey required on all incoming API requests. The frontend services must send the same key | `some-key-here` | Yes |

Email

EMAIL_API_KEY is a secret SendGrid API key. Keep it out of source control.

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `EMAIL_API_KEY` | SendGrid API key used to send transactional emails | `SG.ExampleApiKey` | Yes |

SMS

TWILIO_AUTH_TOKEN is a secret. Store it securely.

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `TWILIO_PHONE_NUMBER` | Twilio phone number used to send SMS messages | | No |
| `TWILIO_ACCOUNT_SID` | Twilio account SID | | No |
| `TWILIO_AUTH_TOKEN` | Twilio account auth token | | No |

File storage

CLOUDINARY_SECRET, S3_ACCESS_TOKEN, and S3_SECRET_TOKEN are secrets.

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `CLOUDINARY_SECRET` | Cloudinary API secret for image management | | No |
| `CLOUDINARY_CLOUD_NAME` | Cloudinary cloud name | `exygy` | No |
| `S3_REGION` | AWS region for the S3 bucket used for large file transfers (CSV/spreadsheet zips) | | No |
| `S3_BUCKET` | S3 bucket name for large file transfers | | No |
| `S3_ACCESS_TOKEN` | AWS access key ID for the S3 service account | | No |
| `S3_SECRET_TOKEN` | AWS secret access key for the S3 service account | | No |

Translation

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `GOOGLE_API_EMAIL` | Google Translate service account email | | No |
| `GOOGLE_API_ID` | Google Translate API project ID | | No |
| `GOOGLE_API_KEY` | Google Translate API key | | No |

Cron jobs

All cron schedule strings use standard cron syntax (minute hour day month weekday).

| Variable | Description | Default |
| --- | --- | --- |
| `LISTING_PROCESSING_CRON_STRING` | Schedule for the listing processing cron job | `0 * * * *` (every hour) |
| `LOTTERY_PUBLISH_PROCESSING_CRON_STRING` | Schedule for the lottery publish cron job | `58 23 * * *` (23:58 daily) |
| `LOTTERY_PROCESSING_CRON_STRING` | Schedule for the lottery cron job | `0 * * * *` (every hour) |
| `MSQ_RETIRE_CRON_STRING` | Schedule for the MSQ retire cron job (should run after LISTING_PROCESSING_CRON_STRING) | `5 * * * *` |
| `PII_DELETION_CRON_STRING` | Schedule for the PII deletion cron job | `0 * * * *` |
| `USER_DELETION_CRON_STRING` | Schedule for the user deletion cron job | `0 * * * *` |
| `USER_DELETION_WARN_CRON_STRING` | Schedule for the user deletion warning cron job | `0 * * * *` |
| `DUPLICATES_PROCESSING_CRON_STRING` | Schedule for the duplicate application (AFS) detection cron job | `15 * * * *` |
| `TEMP_FILE_CLEAR_CRON_STRING` | Schedule for the temporary file clearing cron job | `0 * * *` |

Rate limiting

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `THROTTLE_TTL` | Duration of the rate limiting window, in milliseconds | `3600000` (1 hour) | Yes |
| `THROTTLE_LIMIT` | Maximum number of requests allowed per window | `100` | Yes |

Lottery

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `LOTTERY_DAYS_TILL_EXPIRY` | Number of days before lottery data expires and is purged | `45` | No |

Data expiry

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `APPLICATION_DAYS_TILL_EXPIRY` | Number of days before application PII data is deleted | | No |
| `USERS_DAYS_TILL_EXPIRY` | Number of days of inactivity before a user account is deleted | | No |

Geocoding and reCAPTCHA

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `RECAPTCHA_KEY` | Google reCAPTCHA v3 API key. When set, reCAPTCHA validation is enabled on the backend | | No |
| `GOOGLE_CLOUD_PROJECT_ID` | Google Cloud project ID required for reCAPTCHA setup | | No |
| `RECAPTCHA_THRESHOLD` | Minimum reCAPTCHA score (0–1) required to bypass two-factor authentication | `0.7` | No |
| `ENABLE_RECAPTCHA` | When TRUE, reCAPTCHA scores can block login flows | `TRUE` | No |

Other

| Variable | Description | Default | Required |
| --- | --- | --- | --- |
| `TIME_ZONE` | Default time zone for dates in data exports | `America/Los_Angeles` | Yes |
| `PARTNERS_PORTAL_URL` | URL of the Partners Portal frontend, used in email links | `http://localhost:3001` | Yes |
| `SKIP_SNAPSHOTS` | When TRUE, creating application snapshots is skipped | `FALSE` | No |
| `CONTACT_EMAIL` | Support contact email address displayed in the UI and emails | [email protected] | No |
| `DB_NO_SSL` | When TRUE, the database connection is made without SSL. Use only for local development or CI | `TRUE` | No |
| `TEST_CONNECTION_STRING` | Connection string used by the script runner data transfer job during testing | | No |
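A pre-deploy check for the secrets guidance on this page, as an added example (not Bloom Housing code): it flags values still set to the template placeholders listed in these tables, plus DB_NO_SSL=TRUE and localhost CORS origins when NODE_ENV is production. The 32-character minimum, the function names, and the sample .env contents are assumptions made for the illustration.

```javascript
// Added example: audit a parsed api/.env against the template defaults on this page.
const TEMPLATE_DEFAULTS = {
  APP_SECRET: "some-long-secret-key",
  API_PASS_KEY: "some-key-here",
  EMAIL_API_KEY: "SG.ExampleApiKey",
};
const MIN_SECRET_LENGTH = 32; // assumption: local policy, not a Bloom requirement

// Minimal KEY=VALUE parser: skips comments and blanks, strips one pair of quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    env[line.slice(0, eq).trim()] = quoted ? quoted[2] : value;
  }
  return env;
}

function auditEnv(env) {
  const findings = [];
  const prod = env.NODE_ENV === "production";
  for (const [key, placeholder] of Object.entries(TEMPLATE_DEFAULTS)) {
    const v = env[key] || "";
    if (!v) findings.push(`${key}: required but empty`);
    else if (v === placeholder) findings.push(`${key}: still the template placeholder`);
    else if (key !== "EMAIL_API_KEY" && v.length < MIN_SECRET_LENGTH)
      findings.push(`${key}: shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  if (prod && (env.DB_NO_SSL || "").toUpperCase() === "TRUE")
    findings.push("DB_NO_SSL: TRUE in production, database connection is made without SSL");
  if (prod && /localhost|127\.0\.0\.1/.test(env.CORS_ORIGINS || ""))
    findings.push("CORS_ORIGINS: contains a localhost origin in production");
  return findings;
}

// Constructed sample: a template copied to .env without real values filled in.
const SAMPLE_ENV = `
NODE_ENV=production
APP_SECRET="some-long-secret-key"
API_PASS_KEY=short-key
EMAIL_API_KEY=SG.ExampleApiKey
DB_NO_SSL=TRUE
CORS_ORIGINS=["http://localhost:3000", "https://housing.example.org"]
`;
console.log(auditEnv(parseEnv(SAMPLE_ENV)).join("\n"));
```

Run it as a CI or deploy gate and fail the step when the returned list is non-empty; it prints finding names only, never the secret values.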
