WayFy relies on environment variables to wire together its Flask backend and Vite-powered React frontend without hardcoding sensitive credentials or deployment-specific URLs. Each side of the stack has its ownDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/jhonyes04/new-wayfy/llms.txt
Use this file to discover all available pages before exploring further.
.env file: backend/.env controls the Python process (database connection, JWT secrets, third-party API keys, and CORS policy), while frontend/.env exposes a small set of public values to the browser bundle through Vite’s VITE_ prefix convention. Copy the .env.example files provided in each directory and fill in the values described below before running either service.
Backend Variables
Place these inbackend/.env. The Flask development server and any production WSGI host (e.g. Gunicorn on Render) will read them from the process environment.
| Variable | Required | Default | Description |
|---|---|---|---|
DATABASE_URL | ✅ Yes | — | SQLAlchemy connection URI. postgres:// is automatically converted to postgresql:// at startup. |
JWT_SECRET_KEY | ✅ Yes | — | Secret used to sign and verify JWT tokens. Use a long, random string in production. |
FLASK_APP | Yes | — | Entry point for the Flask CLI. Must be set to src/app.py. |
FLASK_APP_KEY | Yes | — | Flask SECRET_KEY used for session signing and CSRF protection. |
FLASK_DEBUG | No | 0 | Set to 1 to enable the Werkzeug debugger and auto-reloader. Never enable in production. |
DEBUG | No | FALSE | Additional debug flag consumed by app logic. Mirror FLASK_DEBUG in development. |
JWT_ACCESS_TOKEN_EXPIRES_HOURS | No | 1 | Lifetime of issued access tokens in hours. Increase for longer sessions or decrease for tighter security. |
CORS_ALLOWED_ORIGINS | No | http://localhost:3000 | Comma-separated list of origins permitted by Flask-CORS. Add your production frontend URL here. |
CLOUDINARY_CLOUD_NAME | No* | — | Cloudinary account identifier. Required when accessibility photo or trip cover image uploads are enabled. |
CLOUDINARY_API_KEY | No* | — | Cloudinary API key. Required alongside CLOUDINARY_CLOUD_NAME. |
CLOUDINARY_API_SECRET | No* | — | Cloudinary API secret. Required alongside CLOUDINARY_CLOUD_NAME. |
GROQ_API_KEY | No* | — | API key for the Groq/Llama AI assistant. Required for the AI trip-planning features. |
CONTACT_EMAIL | No | — | Email address used by the contact/support form backend handler. |
GOOGLE_PLACES_KEY | No* | — | Google Places API key used by the utility route for place lookups. Required for place-search features powered by Google. |
Variables marked No* are optional in the sense that the server will start without them, but the features that depend on them (photo uploads, AI assistant, place search) will return errors at runtime if the keys are absent.
Frontend Variables
Place these infrontend/.env. Vite only injects variables prefixed with VITE_ into the browser bundle — any variable without that prefix is ignored and will be undefined at runtime.
| Variable | Required | Default | Description |
|---|---|---|---|
VITE_BACKEND_URL | ✅ Yes | — | Base URL for all fetch calls to the Flask API. Do not include a trailing slash. Example: https://api.wayfy.app. Locally the Flask dev server runs on port 3001. |
VITE_MAPBOX_TOKEN | ✅ Yes | — | Mapbox GL JS access token. Obtain one from mapbox.com. The map will not render without it. |
VITE_GEOAPIFY_KEY | No* | — | API key for Geoapify geocoding and place autocomplete. Required for the search-and-autocomplete features on the trip planner. Not included in the default frontend/.env.example but referenced in the codebase. |
VITE_BASENAME | No | / | React Router basename. Set to a sub-path (e.g. /app) if the frontend is served from a non-root URL. |
Setting Up for Local Development
Configure the backend
Open
backend/.env and fill in at minimum:DATABASE_URL— point to your local PostgreSQL or SQLite instanceJWT_SECRET_KEY— any long, random string works locallyFLASK_APP_KEY— any string works for local development
Configure the frontend
Open
frontend/.env and set the backend URL and your Mapbox token. The Flask dev server runs on port 3001 by default:Production Checklist
Rotate JWT Secret
Use a cryptographically random secret for
JWT_SECRET_KEY in production (e.g. openssl rand -hex 32). A weak or default secret allows token forgery.Restrict CORS Origins
Set
CORS_ALLOWED_ORIGINS to only your production frontend domain. Wildcards (*) allow any origin to call your API.Disable Debug Mode
Set
FLASK_DEBUG=0 and DEBUG=FALSE in production. The Werkzeug debugger exposes an interactive Python console if left enabled.Secure Cloudinary Credentials
Store
CLOUDINARY_API_SECRET in your hosting provider’s secret manager, not in version-controlled files. The .env file is listed in .gitignore by default.