Floralé connects to Supabase for its database, authentication, and file storage. Before running the app locally or deploying to production, you must supply three environment variables in aDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/dlampatricio/florale/llms.txt
Use this file to discover all available pages before exploring further.
.env.local file at the project root. Two of them are safe to expose in the browser; one is a privileged secret that must never leave the server.
Required variables
The base URL of your Supabase project, in the form
https://<project-ref>.supabase.co. Every API request — database queries, auth flows, and storage operations — is sent to this endpoint. Because it is prefixed with NEXT_PUBLIC_, Next.js bundles it into the browser build and it is visible to anyone who inspects the page source. This is expected and safe; the URL on its own grants no access.The public anonymous key issued by Supabase. It is a signed JWT that identifies your project and carries the
anon role. All browser-side queries — browsing products, loading categories, reading cart state — use this key. Row Level Security (RLS) policies remain fully active, so the anon key can only read or write whatever your policies explicitly permit. Like the URL, this key is intentionally public and safe to ship in client-side code.The service role key is a privileged JWT that bypasses Row Level Security entirely. It is used only in server-side code (API routes, Server Actions, or
lib/supabase-service.ts) to perform admin operations such as seeding data or managing uploads on behalf of users. This variable has no NEXT_PUBLIC_ prefix, so Next.js never includes it in the browser bundle..env.local example
Create a file named .env.local in the project root (next to package.json) and populate it with the values from your Supabase dashboard:
Where to find each value
All three values live in one place: Project Settings → API in the Supabase dashboard.- Open supabase.com and navigate to your project.
- Click Project Settings (gear icon) in the left sidebar.
- Select the API tab.
| Variable | Dashboard label | Section |
|---|---|---|
NEXT_PUBLIC_SUPABASE_URL | Project URL | Project URL |
NEXT_PUBLIC_SUPABASE_ANON_KEY | anon / public | Project API keys |
SUPABASE_SERVICE_ROLE_KEY | service_role / secret | Project API keys |
.env.local. Restart your dev server (npm run dev) after saving the file so Next.js picks up the new variables.
Public vs. server-only variables
Next.js uses theNEXT_PUBLIC_ prefix as an explicit opt-in for client-side exposure. Variables with the prefix are inlined into the JavaScript bundle at build time and readable by anyone. Variables without the prefix are only available in Node.js server processes — API routes, middleware, and Server Actions — and are stripped out of the browser bundle entirely.
| Variable | Available in browser | Available on server | Respects RLS |
|---|---|---|---|
NEXT_PUBLIC_SUPABASE_URL | ✅ | ✅ | — |
NEXT_PUBLIC_SUPABASE_ANON_KEY | ✅ | ✅ | ✅ Yes |
SUPABASE_SERVICE_ROLE_KEY | ❌ Never | ✅ | ❌ Bypasses |
Supabase client initializations
Floralé maintains two separate client instances to enforce this boundary clearly.lib/supabase.ts — browser client (anon key)
Used in React components, hooks, and any code that runs in the browser. All queries respect Row Level Security policies.
lib/supabase-service.ts — server-only admin client (service role)
Used exclusively in server-side code. Session persistence and token refresh are disabled because this client authenticates via the service role key rather than a user session, and it should never be instantiated in the browser.
If you import
supabaseAdmin from lib/supabase-service.ts inside a React component or any other file that gets bundled for the browser, Next.js will throw a build error because SUPABASE_SERVICE_ROLE_KEY is undefined on the client. Keep all imports of supabaseAdmin inside app/api/, server components marked with "use server", or files that Next.js never bundles for the client.