Configuration File
Environment variables are stored in.env.local (development) or configured in your hosting platform (production).
Never commit
.env.local or .env files to version control. Use .env.example as a template.apps/app/.env.example
Required Variables
These variables are essential for Featul to function:Application URLs
- NEXT_PUBLIC_APP_URL: Public-facing application URL
- Used for OAuth callbacks, email links, and API endpoints
- Must include protocol (
https://) - Should match your production domain
Database
- DATABASE_URL: PostgreSQL connection string
- Must use
postgresql://protocol - For Neon: Use the pooled connection string from dashboard
- Format:
postgresql://[user]:[password]@[host]:[port]/[database]?sslmode=require
Authentication
-
BETTER_AUTH_SECRET: Secret key for JWT signing and encryption
- Minimum 32 characters
- Generate:
openssl rand -base64 32 - Must be consistent across deployments
-
AUTH_COOKIE_DOMAIN: Root domain for cross-subdomain authentication
- Use root domain without protocol:
featul.com - Enables authentication across workspace subdomains
- Use root domain without protocol:
-
AUTH_TRUSTED_ORIGINS: Comma-separated list of allowed origins
- Include main domain and wildcard for subdomains
- Used for CORS and OAuth redirects
Passkeys (WebAuthn)
- PASSKEY_RP_ID: Relying party identifier (typically your domain)
- PASSKEY_RP_NAME: Display name for passkey prompts
- PASSKEY_ORIGIN: Full origin URL for WebAuthn
Optional Variables
Redis (Rate Limiting & Caching)
- UPSTASH_REDIS_REST_URL: Upstash Redis REST API endpoint
- UPSTASH_REDIS_REST_TOKEN: Authentication token from Upstash dashboard
- Used for: Rate limiting, session storage, caching
- Get from: console.upstash.com
AI Features (OpenRouter)
- OPENROUTER_API_KEY: API key from OpenRouter
- OPENROUTER_MODEL: Model to use (default:
openrouter/auto) - OPENROUTER_APP_NAME: Application name for tracking
- OPENROUTER_REFERER: Referer URL for API requests
OAuth Providers
- Google
- GitHub
- Create OAuth 2.0 credentials
- Add authorized redirect URI:
https://app.featul.com/api/auth/callback/google
Payments (Polar)
- POLAR_ACCESS_TOKEN: API token from Polar dashboard
- POLAR_WEBHOOK_SECRET: Webhook signing secret
- POLAR_SERVER: Use
sandboxfor testing,productionfor live - POLAR_PRODUCT_ID_*: Product IDs for subscription tiers
Monitoring (Sentry)
- SENTRY_AUTH_TOKEN: Auth token for uploading source maps
- Get from: Sentry Settings
- Used during build for source map uploads
- Sentry is pre-configured in
next.config.ts
Credential Encryption (Notra)
- NOTRA_CREDENTIALS_ENCRYPTION_KEY: Encryption key for stored credentials
- Minimum 32 characters
- Generate:
openssl rand -base64 32 - Used for encrypting third-party integration credentials
Storage (Cloudflare R2)
- R2_ACCOUNT_ID: Cloudflare account ID for R2 storage
- R2_ACCESS_KEY_ID: R2 API access key ID
- R2_SECRET_ACCESS_KEY: R2 API secret access key
- R2_BUCKET: Name of your R2 bucket
- R2_PUBLIC_BASE_URL: Public base URL for accessing uploaded files
- Go to Cloudflare Dashboard > R2
- Create a new bucket or use existing one
- Generate R2 API tokens from “Manage R2 API Tokens”
- Configure public access or custom domain for
R2_PUBLIC_BASE_URL
R2 storage is used for file uploads (avatars, attachments, etc.). Without these variables, file upload features will not work.
Email (Resend)
- RESEND_API_KEY: API key from Resend for sending emails
- RESEND_FROM: Email address and name for outgoing emails
- Used for: Authentication emails, password resets, notifications
- Get from: resend.com/api-keys
Without Resend configured, email verification and password reset will not work in production.
Custom Domains (Vercel API)
- VERCEL_TOKEN: Vercel API token for managing custom domains
- VERCEL_PROJECT_ID or VERCEL_PROJECT_NAME: Your Vercel project identifier
- CUSTOM_DOMAIN_CNAME_TARGET: CNAME target for custom workspace domains (default:
origin.featul.com) - Used for: Automated custom domain configuration for workspaces
- Get token from: Vercel Settings > Tokens
Required only if you want to support custom domains for user workspaces.
Platform-Specific Configuration
- Vercel
- Cloudflare
- Local Development
Set environment variables in:
- Project Settings > Environment Variables
- Add variables for Production, Preview, and Development
- Use Vercel CLI:
vercel env add [name]
VERCEL_URL: Deployment URLVERCEL_ENV: Environment (production,preview,development)
Validation
Verify your environment variables are correctly set:Security Best Practices
- Rotate secrets regularly: Change
BETTER_AUTH_SECRETand API keys periodically - Use separate environments: Different secrets for development, staging, production
- Limit access: Use environment-specific database users with minimal permissions
- Enable audit logs: Track environment variable changes in your platform
- Never log secrets: Ensure secrets aren’t logged or exposed in error messages
Troubleshooting
Database Connection Fails
DATABASE_URL is set and uses correct format:
Authentication Errors
- Verify
BETTER_AUTH_SECRETis set and consistent - Ensure it’s at least 32 characters
- Check it’s the same across all deployment instances
OAuth Redirect Mismatch
- Verify
NEXT_PUBLIC_APP_URLmatches your OAuth callback URL - Update redirect URIs in Google/GitHub OAuth settings
- Include both
http://localhost:3000(dev) and production URLs
Next Steps
Database Setup
Configure PostgreSQL and run migrations
Deploy to Vercel
Deploy with environment variables to Vercel