Dependify uses environment variables to configure the application for different environments. This page documents all available variables, their purposes, and where to obtain the required API keys.

Overview

Environment variables are split between three locations:
  1. Backend - .env file in backend/ directory
  2. Frontend - .env.local file in frontend/ directory
  3. Modal - Secrets stored in Modal for serverless containers

Backend Variables

These variables are defined in backend/.env and loaded by config.py.

AI & Processing

GROQ_API_KEY
string
required
API key for Groq AI inference service. Used for both code analysis and refactoring with Llama models.
Where to get: console.groq.com
Models used:
  • llama-3.1-8b-instant - Fast file analysis
  • llama-3.3-70b-versatile - High-quality code refactoring
GROQ_API_KEY=gsk_...
ANTHROPIC_API_KEY
string
API key for Anthropic’s Claude models (optional fallback).
Where to get: console.anthropic.com
Status: Not currently used in production but available for future features.
ANTHROPIC_API_KEY=sk-ant-...

Database

SUPABASE_URL
string
required
URL for your Supabase project. Used for real-time progress updates and session management.
Where to get: app.supabase.com → Project Settings → API
Format: https://your-project.supabase.co
SUPABASE_URL=https://abcdefghijklmnop.supabase.co
SUPABASE_KEY
string
required
Service role key for Supabase. Use the service role key, not the anon key for backend operations.
Where to get: app.supabase.com → Project Settings → API → service_role key
The service role key has admin privileges. Keep it secret and never expose it in frontend code.
SUPABASE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

GitHub

GITHUB_CLIENT_ID
string
required
Client ID for your GitHub OAuth application. Used for user authentication.
Where to get: Create an OAuth app at github.com/settings/developers
OAuth App Settings:
  • Homepage URL: http://localhost:3000 (dev) or https://yourdomain.com (prod)
  • Callback URL: http://localhost:3000/auth/callback (dev) or https://yourdomain.com/auth/callback (prod)
GITHUB_CLIENT_ID=Iv1.a1b2c3d4e5f6g7h8
GITHUB_CLIENT_SECRET
string
required
Client secret for your GitHub OAuth application.
Where to get: Same location as Client ID. Generate a new secret if needed.
GITHUB_CLIENT_SECRET=1234567890abcdef1234567890abcdef12345678
GITHUB_TOKEN
string
required
Personal access token for GitHub API operations (creating forks, PRs, pushing code).
Where to get: github.com/settings/tokens → Generate new token (classic)
Required scopes:
  • repo - Full control of private repositories
  • workflow - Update GitHub Actions workflows (if needed)
This token is used to create forks and push changes. It should belong to a service account or the main developer account.
GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyz

Security

API_SECRET_KEY
string
required
Secret key for signing JWT tokens. Used for session management and API authentication.
How to generate:
openssl rand -hex 32
Or use Python:
import secrets
print(secrets.token_hex(32))
API_SECRET_KEY=abc123def456ghi789jkl012mno345pqr678stu901vwx234yz

Server Configuration

PORT
number
default:"5001"
Port for the FastAPI backend server.
PORT=5001
FRONTEND_URL
string
required
URL of the frontend application. Used for CORS configuration.
Development: http://localhost:3000
Production: Your Vercel deployment URL (e.g., https://dependify.vercel.app)
FRONTEND_URL=http://localhost:3000

Rate Limiting

RATE_LIMIT_PER_MINUTE
number
default:"10"
Maximum requests per minute per IP address.
RATE_LIMIT_PER_MINUTE=10
RATE_LIMIT_PER_HOUR
number
default:"100"
Maximum requests per hour per IP address. Applied to the /update endpoint.
RATE_LIMIT_PER_HOUR=100

Frontend Variables

These variables are defined in frontend/.env.local. All frontend variables must start with NEXT_PUBLIC_ to be available in the browser.
NEXT_PUBLIC_GITHUB_CLIENT_ID
string
required
Same GitHub OAuth Client ID used in the backend. Required for initiating OAuth flow.
NEXT_PUBLIC_GITHUB_CLIENT_ID=Iv1.a1b2c3d4e5f6g7h8
NEXT_PUBLIC_API_URL
string
required
URL of the backend API.
Development: http://localhost:5001
Production: Your Render deployment URL (e.g., https://dependify-api.onrender.com)
NEXT_PUBLIC_API_URL=http://localhost:5001
NEXT_PUBLIC_SUPABASE_URL
string
required
Same Supabase URL used in the backend. Required for real-time subscriptions.
NEXT_PUBLIC_SUPABASE_URL=https://abcdefghijklmnop.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY
string
required
Supabase anonymous key for frontend. Use the anon key, not the service role key.
Where to get: app.supabase.com → Project Settings → API → anon public key
The anon key is safe to expose in frontend code. It has limited permissions controlled by Row Level Security (RLS) policies.
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
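
The split between SUPABASE_KEY (service role, backend only) and NEXT_PUBLIC_SUPABASE_ANON_KEY (anon, browser) can be checked mechanically before deployment. The following is an added example, not Dependify's own code: it assumes the JWT-format keys shown on this page, reads their role claim without verifying the signature, and its function names are hypothetical.

```python
import base64
import json

def jwt_role(token):
    """Return the unverified `role` claim of a JWT-format key, or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("role")
    except (ValueError, AttributeError):
        return None

def check_supabase_keys(backend_env, frontend_env):
    """Flag Supabase keys that sit on the wrong side of the trust boundary."""
    findings = []
    for name, value in sorted(frontend_env.items()):
        # Every NEXT_PUBLIC_ value is readable by anyone who loads the site.
        if name.startswith("NEXT_PUBLIC_") and jwt_role(value) == "service_role":
            findings.append(f"{name}: service_role key exposed to the browser")
    if jwt_role(backend_env.get("SUPABASE_KEY", "")) == "anon":
        findings.append("SUPABASE_KEY: anon key set where the service role key is expected")
    return findings

def sample_key(role):
    """Build a constructed, unsigned token with the given role (not a real key)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"role": role}), "sig"])

if __name__ == "__main__":
    # Constructed misconfiguration: the two keys have been swapped.
    backend = {"SUPABASE_KEY": sample_key("anon")}
    frontend = {"NEXT_PUBLIC_SUPABASE_ANON_KEY": sample_key("service_role")}
    for finding in check_supabase_keys(backend, frontend):
        print(finding)
```
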
Modal containers require secrets to be configured separately using the Modal CLI. These secrets are injected as environment variables when containers run.
  1. Install Modal CLI

pip install modal
modal setup

  2. Create secrets

modal secret create GROQ_API_KEY
modal secret create SUPABASE_URL
modal secret create SUPABASE_KEY
Each command will prompt you to enter the secret value.

  3. Verify secrets

modal secret list
You should see your three secrets listed.
Modal secrets must use the exact same values as your backend .env file for Groq and Supabase variables.

Configuration Validation

The backend automatically validates required environment variables on startup:
# backend/config.py
required_vars = {
    "GROQ_API_KEY": Config.GROQ_API_KEY,
    "SUPABASE_URL": Config.SUPABASE_URL,
    "SUPABASE_KEY": Config.SUPABASE_KEY,
    "GITHUB_TOKEN": Config.GITHUB_TOKEN,
    "API_SECRET_KEY": Config.API_SECRET_KEY,
}
If any required variables are missing, you’ll see a warning on startup:
⚠️  WARNING: Missing required environment variables: GROQ_API_KEY, GITHUB_TOKEN
Please create a .env file based on .env.example and fill in the required values.

Environment-Specific Configuration

Development

GROQ_API_KEY=gsk_...
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_KEY=eyJ...
GITHUB_CLIENT_ID=Iv1...
GITHUB_CLIENT_SECRET=abc...
GITHUB_TOKEN=ghp_...
API_SECRET_KEY=random-secret-key
FRONTEND_URL=http://localhost:3000
PORT=5001

Production

GROQ_API_KEY=gsk_...
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_KEY=eyJ...
GITHUB_CLIENT_ID=Iv1...
GITHUB_CLIENT_SECRET=abc...
GITHUB_TOKEN=ghp_...
API_SECRET_KEY=random-secret-key
FRONTEND_URL=https://dependify.vercel.app
PORT=5001

Security Best Practices

Never commit secrets

Add .env and .env.local to .gitignore. Use .env.example for documentation.

Use different keys per environment

Generate separate API keys for development and production.

Rotate tokens regularly

Regenerate GitHub tokens and API keys periodically for security.

Limit token scopes

Only grant the minimum required permissions to each token.

Troubleshooting

If you see missing environment variable warnings:
  1. Verify the .env file exists in the correct directory
  2. Check for typos in variable names (they’re case-sensitive)
  3. Ensure there are no spaces around the = sign
  4. Restart the server after making changes
If you see CORS errors in the browser:
  1. Verify FRONTEND_URL in backend matches your frontend URL exactly
  2. For production, use the full domain (e.g., https://dependify.vercel.app)
  3. No trailing slash in URLs
  4. Restart backend after changing CORS settings
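
The startup validation and the troubleshooting checks above can be combined into one pre-start lint that refuses to run on a bad file instead of only warning. This is an added example, not Dependify's config.py: the function names are hypothetical, the required list is the set of backend variables this page marks as required, and the sample file is constructed.

```python
import re

# Backend variables this page marks as required.
REQUIRED = ("GROQ_API_KEY", "SUPABASE_URL", "SUPABASE_KEY", "GITHUB_CLIENT_ID",
            "GITHUB_CLIENT_SECRET", "GITHUB_TOKEN", "API_SECRET_KEY", "FRONTEND_URL")
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def lint_env(text):
    """Return (values, problems) for the text of a backend .env file."""
    values, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if not match or match.group(2) != match.group(2).strip():
            problems.append(f"line {lineno}: expected NAME=value with no spaces around '='")
            continue
        values[match.group(1)] = match.group(2)
    for name in REQUIRED:  # names are case-sensitive
        if not values.get(name):
            problems.append(f"{name}: missing or empty")
        elif values[name].endswith("..."):
            problems.append(f"{name}: placeholder value left in place")
    secret = values.get("API_SECRET_KEY", "")
    if secret and not re.fullmatch(r"[0-9a-fA-F]{64,}", secret):
        problems.append("API_SECRET_KEY: not 64+ hex characters (openssl rand -hex 32)")
    if values.get("FRONTEND_URL", "").endswith("/"):
        problems.append("FRONTEND_URL: trailing slash never matches a browser Origin")
    return values, problems

def load_or_exit(text):
    """Fail closed: refuse to start rather than warn and continue."""
    values, problems = lint_env(text)
    if problems:
        raise SystemExit("configuration errors:\n  " + "\n  ".join(problems))
    return values

# Constructed sample file; every value is a placeholder, not a credential.
SAMPLE_ENV = """\
GROQ_API_KEY=gsk_...
SUPABASE_URL = https://your-project.supabase.co
SUPABASE_KEY=constructed-service-key
GITHUB_CLIENT_ID=constructed-client-id
GITHUB_CLIENT_SECRET=constructed-client-secret
github_token=constructed-token
API_SECRET_KEY=random-secret-key
FRONTEND_URL=https://dependify.vercel.app/
"""
```

Calling lint_env(SAMPLE_ENV) reports the spaced assignment, the leftover placeholder, the lowercase variable name, the weak signing key and the trailing slash; load_or_exit raises SystemExit on the same input.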

Next Steps

Setup Guide

Complete local development setup

Deployment

Deploy to production
