TenderCheck AI uses two sets of environment variables: one for the backend Node.js server and one for the frontend Vite application. Backend variables are loaded at runtime viaDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/elecodes/TenderCheck-AI/llms.txt
Use this file to discover all available pages before exploring further.
dotenv. Frontend variables are injected at build time by Vite and must be prefixed with VITE_ to be accessible in the browser bundle.
Backend Environment Variables
These variables are read by the Express server at startup. Copybackend/.env.example to backend/.env and fill in the values before running the server locally.
| Variable | Required | Description | Example |
|---|---|---|---|
PORT | Optional | Port the Express server listens on. Defaults to 3001 in the source (DEFAULT_PORT constant). | 3001 |
NODE_ENV | Required | Runtime environment. Controls cookie security settings and CORS strictness. Must be production for deployed services. | production |
GOOGLE_GENAI_API_KEY | Required | Gemini API key from Google AI Studio. Used by the AI analysis pipeline. | AIzaSy... |
GOOGLE_API_KEY | Required | Same Gemini key, exposed under the standard Google AI variable name. Required by Genkit 1.28.0 and later. | AIzaSy... |
TURSO_AUTH_TOKEN | Required | Auth token for your Turso database. Generate with turso db tokens create <db-name>. | eyJ... |
TURSO_DB_URL | Required | Turso connection URL. Use libsql:// locally. On Vercel, this must be https:// (see Security Notes). | libsql://your-db.turso.io |
JWT_SECRET | Required | Secret used to sign and verify JSON Web Tokens. Must be at least 32 random characters in production. | openssl rand -base64 32 output |
ALLOWED_ORIGINS | Required | Comma-separated list of frontend origins permitted by CORS. Must exactly match the frontend URL, including protocol. | https://tendercheckai.elecodes.online,http://localhost:3000 |
LANGCHAIN_TRACING_V2 | Optional | Set to true to enable LangSmith distributed tracing. | true |
LANGCHAIN_ENDPOINT | Optional | LangSmith API endpoint. | https://api.smith.langchain.com |
LANGCHAIN_API_KEY | Optional | Your LangSmith API key, found in the LangSmith dashboard. | ls__... |
LANGCHAIN_PROJECT | Optional | Project name under which traces are grouped in LangSmith. | TenderCheckAI |
Frontend Environment Variables
These variables are embedded into the React bundle at build time by Vite. Set them infrontend/.env for local development, or as build-time environment variables in your hosting platform.
| Variable | Required | Description | Example |
|---|---|---|---|
VITE_API_BASE_URL | Required | Full URL of the backend API, without a trailing slash. | https://tendercheck-backend.onrender.com |
VITE_GOOGLE_CLIENT_ID | Optional | OAuth 2.0 Client ID from Google Cloud Console. Enables the Google Sign-In button when provided. | 123456789.apps.googleusercontent.com |
VITE_ENABLE_GOOGLE_AUTH | Optional | Set to true to render the Google login button in the UI. Requires VITE_GOOGLE_CLIENT_ID to be set. | true |
VITE_LANGCHAIN_TRACING_V2 | Optional | Set to true to enable LangSmith tracing from the frontend. | true |
VITE_LANGCHAIN_ENDPOINT | Optional | LangSmith API endpoint for frontend traces. | https://api.smith.langchain.com |
VITE_LANGCHAIN_API_KEY | Optional | LangSmith API key for frontend traces. | ls__... |
VITE_LANGCHAIN_PROJECT | Optional | LangSmith project name for frontend traces. | TenderCheckAI |
frontend/.env.example also includes GOOGLE_GENAI_API_KEY, GOOGLE_API_KEY,
TURSO_DB_URL, and TURSO_AUTH_TOKEN as optional local development overrides.
These keys belong in the backend in production. Do not set them as Vite build
variables in any deployed environment, as they would be exposed in the browser bundle.Security Notes
JWT_SECRETmust be at least 32 randomly-generated characters in any production or staging environment. A short or guessable secret allows token forgery and full account compromise.TURSO_DB_URLon Vercel must use thehttps://protocol, notlibsql://. Thelibsql://WebSocket protocol is blocked in Vercel’s serverless runtime. This requirement was enforced in ADR 029.ALLOWED_ORIGINSmust exactly match your frontend domain, including protocol (https://) and without a trailing slash. The server parses this variable as a comma-separated list and rejects any origin not present in that list whenNODE_ENV=production.