PrintHeritage uses environment variables to configure three services (db-auth, auth-service, and front-end), each with distinct settings for database credentials, JWT signing, and API connectivity. The variables below are defined in docker-compose.yml and read at container startup; changes take effect only after restarting (or rebuilding) the relevant service.
Variable Reference
The table below covers every environment variable consumed across all three services, including the JWT-related constants that are hardcoded in auth-service/security.py.
| Variable | Service | Required | Default | Description |
|---|---|---|---|---|
| DATABASE_URL | auth-service | ✅ Yes | postgresql://auth_user:auth_password@db-auth:5432/auth_db | Full PostgreSQL connection string consumed by SQLAlchemy. Format: postgresql://user:password@host:port/dbname. The hostname db-auth resolves to the db-auth container on the Docker Compose network. |
| SECRET_KEY | auth-service | ✅ Yes | CHAVE_MUITO_SECRETA_PARA_PRODUCAO | Symmetric secret used by python-jose to sign and verify HS256 JWT access tokens. Any token signed with the old key becomes invalid after rotation, forcing all active sessions to re-authenticate. |
| POSTGRES_USER | db-auth | ✅ Yes | auth_user | PostgreSQL superuser created when the container initialises a fresh data volume. Must match the username in DATABASE_URL. |
| POSTGRES_PASSWORD | db-auth | ✅ Yes | auth_password | Password for POSTGRES_USER. Must match the password in DATABASE_URL. |
| POSTGRES_DB | db-auth | ✅ Yes | auth_db | Name of the database created on first run. Must match the database name in DATABASE_URL. |
| REACT_APP_API_URL | front-end | ✅ Yes | http://localhost:8001 | Base URL the React application uses when making requests to the auth service. Update this to the public hostname or load-balancer address when deploying to a server. The REACT_APP_ prefix is required by Create React App so the variable is embedded at build time. |
| ALGORITHM | auth-service | — | HS256 (hardcoded) | JWT signing algorithm, fixed in security.py. No environment override is provided; changing it requires a code edit. |
| ACCESS_TOKEN_EXPIRE_MINUTES | auth-service | — | 60 (hardcoded) | Access token lifetime in minutes, fixed in security.py. Tokens expire 60 minutes after issuance regardless of activity. |
ALGORITHM and ACCESS_TOKEN_EXPIRE_MINUTES are module-level constants defined directly in auth-service/security.py; they are not read from the environment. They appear in this table for operational visibility.
Service-by-Service Details
db-auth — PostgreSQL 15
The db-auth service runs postgres:15-alpine and uses three official PostgreSQL bootstrap variables. These are only applied when the named volume auth_db_data is first created; changing them after the volume exists has no effect without first running docker compose down -v.
auth-service — FastAPI / Uvicorn
The auth service reads DATABASE_URL and SECRET_KEY at startup. The database connection is established with automatic retries (up to 5 attempts, 3-second delay each) to accommodate the time PostgreSQL takes to become ready.
Generating a strong SECRET_KEY for production:
The output is a 128-character hex string suitable for use as SECRET_KEY. Store it in a secrets manager (e.g. Docker Secrets, AWS Secrets Manager, HashiCorp Vault) rather than committing it to source control.
front-end — React / Create React App
The front-end container exposes a single runtime variable. Because Create React App embeds REACT_APP_* variables at build time (via Webpack’s DefinePlugin), changing REACT_APP_API_URL after the image is built requires a full container rebuild with docker compose up --build front-end.
The front-end also honours three build-time flags defined in front-end/.env:
| Variable | Value | Purpose |
|---|---|---|
| SKIP_PREFLIGHT_CHECK | true | Skips the CRA dependency pre-flight check to avoid false positives with custom toolchains. |
| TSC_COMPILE_ON_SAVE | false | Disables TypeScript compilation-on-save in development. |
| DISABLE_ESLINT_PLUGIN | true | Disables the ESLint Webpack plugin so build output is not cluttered with lint warnings. |
The variables in front-end/.env are baked into the image during docker build. They do not need to be declared in docker-compose.yml because they are consumed by the build process, not the running container.
Security Hardening Checklist
Rotate SECRET_KEY
Replace CHAVE_MUITO_SECRETA_PARA_PRODUCAO with a cryptographically random value (minimum 64 bytes) before deploying. Store it outside of version control using a secrets manager.
Rotate POSTGRES_PASSWORD
Replace auth_password with a strong, unique password. Update both POSTGRES_PASSWORD and the DATABASE_URL in the same operation to keep the credentials consistent.
Restrict DB port exposure
In production, remove the 5432:5432 port mapping from db-auth. PostgreSQL only needs to be reachable by the auth-service on the internal Docker network, not from the host or the internet.
Set REACT_APP_API_URL
Point REACT_APP_API_URL at the production hostname or API gateway URL. Using http://localhost:8001 will break in any environment where the client browser is not the Docker host.
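The checklist above can be checked mechanically before a deploy. The following is an added example, not part of PrintHeritage's code or documentation: it audits a resolved Compose `services` mapping against the four checklist items and generates a 64-byte replacement key. It assumes the mapping has the shape produced by `docker compose config --format json` (with `environment` as a key/value object); the names `audit`, `new_secret_key` and `SAMPLE` are hypothetical and the sample data is constructed from the documented defaults.

```python
import secrets
from urllib.parse import unquote, urlsplit

# Defaults from the variable reference above; none should reach production.
DEFAULT_SECRET = "CHAVE_MUITO_SECRETA_PARA_PRODUCAO"
DEFAULT_DB_PASSWORD = "auth_password"

def new_secret_key() -> str:
    """64 bytes from the OS CSPRNG, returned as a 128-character hex string."""
    return secrets.token_hex(64)

def audit(services: dict) -> list:
    """Return checklist violations for a resolved Compose 'services' mapping."""
    auth = services["auth-service"].get("environment", {})
    db_env = services["db-auth"].get("environment", {})
    front = services["front-end"].get("environment", {})
    findings = []
    key = auth.get("SECRET_KEY", "")
    # Length floor only: it cannot tell a random key from a long guessable one.
    if key == DEFAULT_SECRET or len(key.encode()) < 64:
        findings.append("SECRET_KEY is the default or shorter than 64 bytes")
    if db_env.get("POSTGRES_PASSWORD") == DEFAULT_DB_PASSWORD:
        findings.append("POSTGRES_PASSWORD is the documented default")
    url = urlsplit(auth.get("DATABASE_URL", ""))
    in_url = (url.username, unquote(url.password or ""), url.path.lstrip("/"))
    in_db = tuple(db_env.get(k) for k in
                  ("POSTGRES_USER", "POSTGRES_PASSWORD", "POSTGRES_DB"))
    if in_url != in_db:
        findings.append("DATABASE_URL does not match the POSTGRES_* values")
    for port in services["db-auth"].get("ports", []):
        # Long form is a dict with "target"; short form is "host:container".
        target = (port.get("target") if isinstance(port, dict)
                  else str(port).split(":")[-1].split("/")[0])
        if str(target) == "5432":
            findings.append("db-auth publishes port 5432 outside the network")
    host = urlsplit(front.get("REACT_APP_API_URL", "")).hostname
    if host in ("localhost", "127.0.0.1"):
        findings.append("REACT_APP_API_URL points at localhost")
    return findings

# Constructed sample: the documented defaults, as a resolved config would show.
SAMPLE = {
    "auth-service": {"environment": {
        "DATABASE_URL": "postgresql://auth_user:auth_password@db-auth:5432/auth_db",
        "SECRET_KEY": DEFAULT_SECRET}},
    "db-auth": {"ports": ["5432:5432"], "environment": {
        "POSTGRES_USER": "auth_user", "POSTGRES_PASSWORD": DEFAULT_DB_PASSWORD,
        "POSTGRES_DB": "auth_db"}},
    "front-end": {"environment": {"REACT_APP_API_URL": "http://localhost:8001"}},
}
```

Running `audit(SAMPLE)` on the documented defaults reports four findings; a non-empty result is a reasonable condition for failing a deployment pipeline.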