B2B Import ERP reads its runtime configuration exclusively from environment variables. Three Supabase credentials are mandatory — the app will not start without them. All other variables are optional and activate specific features when present. In local development these values go inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ency07/B2B-import/llms.txt
Use this file to discover all available pages before exploring further.
.env.local; in production they are injected as secrets through your hosting provider (Vercel, Railway, etc.).
Required Variables
Your Supabase project URL, e.g.
https://abcdef.supabase.co. This value is embedded in the client bundle and exposed to the browser — it identifies which Supabase project to connect to for all API calls.The Supabase anonymous (public) key for your project. Used for all client-side Supabase operations — authentication, real-time subscriptions, and Row Level Security–filtered data fetches. This key is safe to expose to the browser because RLS policies restrict what an anonymous or authenticated user can access.
The Supabase service role key. This key bypasses all Row Level Security policies and grants unrestricted access to every table. It is used exclusively in server-side Next.js Server Actions via the
supabaseAdmin client. Never prefix this with NEXT_PUBLIC_ and never include it in client-side code.Database Connection Variables
These variables are read by migration scripts and standalone test scripts that use thepg PostgreSQL client directly (rather than the Supabase JS client). They are not used by the Next.js application itself.
Direct PostgreSQL connection string for running scripts with the
pg package. Either DATABASE_URL or SUPABASE_DB_URL is accepted. Example: postgresql://postgres:[password]@aws-0-us-west-2.pooler.supabase.com:5432/postgres.Alternative name for the direct PostgreSQL connection string. Used by migration tooling. Either this or
DATABASE_URL is sufficient.The test connection script (
scripts/test-conn.ts) connects directly via the pg client using hardcoded host, port, user, password, and database parameters — it does not read DATABASE_URL or SUPABASE_DB_URL from the environment. Update those values in the script file directly if you need to validate connectivity against a different Supabase project.Optional Variables
The public base URL of the deployment, e.g.
https://app.b2bimport.co. Used to construct absolute links inside transactional emails (password reset, invitation, notifications). If omitted, email links may default to localhost in development.Fallback non-public alias for
NEXT_PUBLIC_SUPABASE_URL. Accepted by test scripts (test-clients.ts, test-quotes.ts, etc.) that run outside the Next.js runtime and do not have access to NEXT_PUBLIC_ variables. You only need this if running scripts in an environment where NEXT_PUBLIC_ vars are not forwarded.How Supabase Clients Are Initialized
The filesrc/utils/supabase.ts exports two pre-configured Supabase client instances used throughout the application:
supabase (client)
Initialized with the anon key. Respects all RLS policies — users only see data belonging to their tenant. Safe to use in React components, client components, and public-facing routes.
supabaseAdmin (server)
Initialized with the service role key with session persistence disabled. Bypasses RLS entirely. Use only in Next.js Server Actions, API routes, and migration scripts. Never import this in client components.
Sample .env.local File
Copy this template to .env.local in your project root and fill in your actual Supabase project values:
.env.local is listed in .gitignore by default in Next.js projects. Never commit it to version control. Use your CI/CD provider’s secrets management (Vercel Environment Variables, GitHub Actions secrets, etc.) to inject these values in production.Next.js Configuration
Thenext.config.ts file currently uses the default Next.js 16 configuration without custom overrides:
Production Checklist
Before deploying to a production environment, verify the following:Auth Configuration
Email confirmation is enabled in the Supabase Auth settings. Users must verify their email address before gaining access.
Secret Management
SUPABASE_SERVICE_ROLE_KEY is stored as an environment secret in your hosting provider — not committed to git or exposed in any client bundle.RLS Enforcement
Row Level Security is enabled on every table. Each table must have explicit policies for
SELECT, INSERT, UPDATE, and DELETE scoped to tenant_id.Seed Data Isolation
The
seed_master_data migration is applied only to development and staging databases. Demo data (25 companies, 106 users) must not be applied to production.