The UK Travel Recommendation project separates secrets and environment-specific configuration from source code by using .env files that are never committed to version control. The Django backend reads its variables from backend/.env at startup (via python-dotenv), while the React Native/Expo frontend reads variables prefixed with EXPO_PUBLIC_ from frontend/.env or frontend/.env.local. This page is the authoritative reference for every variable the project recognises, along with guidance on generating safe values and understanding the JWT token lifetimes that are baked into settings.py.

Backend Environment File

The Django backend loads its configuration from backend/.env. When you run the stack with Docker Compose, this file is passed to the backend container via the env_file directive, and the variables referenced inside the db service definition are read from the same file through Docker Compose variable interpolation. The file is plain text — one KEY=VALUE pair per line, no spaces around the =, no quotes required (though they are accepted). Comments begin with #.

Required Variables

The following variables must be present in backend/.env before the stack can start. The application will raise errors at startup or fail database operations if any of these are missing.

| Variable | Description | Example |
| --- | --- | --- |
| DJANGO_SECRET | Django’s SECRET_KEY. Used for cryptographic signing of sessions, CSRF tokens, and password reset links. Must be a long, random, unpredictable string. | (generated — see below) |
| POSTGRES_DB | Name of the PostgreSQL database Django will connect to. Must match the database created by the db container. | uktravel |
| POSTGRES_USER | PostgreSQL username. Used by both the db container (to create the role) and Django (to authenticate). | postgres |
| POSTGRES_PASSWORD | Password for POSTGRES_USER. Choose a strong password even for local development. | changeme |

Example .env File

Copy the block below into backend/.env and replace the placeholder values with your own.

backend/.env

```
# Django
DJANGO_SECRET=replace-this-with-a-real-secret-key-generated-by-django

# PostgreSQL (used by both the db container and the Django backend)
POSTGRES_DB=uktravel
POSTGRES_USER=postgres
POSTGRES_PASSWORD=changeme
```

The POSTGRES_HOST and POSTGRES_PORT values are hardcoded in settings.py as db and 5432 respectively, matching the Docker Compose service name. You do not need to add them to .env unless you are running Django outside of Docker Compose and connecting to a different host.
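
A pre-start check for the file described above, as an added example that is not part of the project's code: it parses backend/.env by the rules this page gives and reports required variables that are missing or still set to the sample placeholders. The names parse_env and check_env are hypothetical, and the DJANGO_SECRET length rule is an assumption borrowed from Django's security.W009 deployment check.

```python
import re

# Required keys and placeholders come from this page's table and sample file.
REQUIRED = ("DJANGO_SECRET", "POSTGRES_DB", "POSTGRES_USER", "POSTGRES_PASSWORD")
PLACEHOLDERS = {"POSTGRES_PASSWORD": "changeme",
                "DJANGO_SECRET": "replace-this-with-a-real-secret-key-generated-by-django"}
# KEY=VALUE with no spaces around '=', as the page specifies.
PAIR = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S.*|)$")

def parse_env(text):
    """Return (values, malformed_line_numbers) for .env text."""
    values, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        match = PAIR.match(line)
        if match is None:
            malformed.append(lineno)
            continue
        key, val = match.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]  # quotes are optional but accepted
        values[key] = val
    return values, malformed

def check_env(text):
    """Return a list of findings; an empty list means the file passed."""
    values, malformed = parse_env(text)
    findings = [f"line {n}: not a KEY=VALUE pair" for n in malformed]
    for key in REQUIRED:
        val = values.get(key, "")
        if not val:
            findings.append(f"{key}: missing or empty")
        elif val == PLACEHOLDERS.get(key):
            findings.append(f"{key}: documentation placeholder")
    secret = values.get("DJANGO_SECRET", "")
    # Assumed rule: same thresholds as Django's security.W009 deploy check.
    if secret and (len(secret) < 50 or len(set(secret)) < 5):
        findings.append("DJANGO_SECRET: under 50 characters or under 5 unique characters")
    return findings

# Constructed sample: the example file from this page, unedited.
SAMPLE = """# Django
DJANGO_SECRET=replace-this-with-a-real-secret-key-generated-by-django
POSTGRES_DB=uktravel
POSTGRES_USER=postgres
POSTGRES_PASSWORD=changeme
"""
```

The sample DJANGO_SECRET is 55 characters long, so a length rule alone would accept it; the placeholder comparison is what flags it. Run check_env on the contents of backend/.env before starting the stack and stop if the list is not empty.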

Frontend Environment

The React Native/Expo frontend requires a single environment variable that tells it where to find the backend API. Create frontend/.env (or frontend/.env.local for local overrides that are not committed to version control):

frontend/.env

```
EXPO_PUBLIC_BACKEND_URL=http://localhost:8000/api
```

EXPO_PUBLIC_BACKEND_URL

The base URL for all API requests made by the mobile app. The Expo build system injects any variable prefixed with EXPO_PUBLIC_ into the JavaScript bundle at build time, making it accessible via process.env.EXPO_PUBLIC_BACKEND_URL.

| Detail | Value |
| --- | --- |
| Default (local Docker) | http://localhost:8000/api |
| Note | Do not add a trailing slash. The app appends paths like /user/login/ directly. |
| Android emulator | Use http://10.0.2.2:8000/api — Android emulators route 10.0.2.2 to the host machine’s localhost |
| Physical device | Use your machine’s local IP, e.g. http://192.168.1.100:8000/api |

JWT Token Lifetimes

The following JWT settings are configured directly in backend/app/settings.py using Django Simple JWT. They are not overridable through .env and are listed here for reference only.

Access Token Lifetime

15 minutes

Short-lived tokens sent in the Authorization: Bearer <token> header for every authenticated API request. The client must refresh them regularly using the refresh token.

Refresh Token Lifetime

30 days

Long-lived tokens used exclusively to obtain new access tokens via the /api/token/refresh/ endpoint. Store these securely in the app’s secure storage (e.g. Expo SecureStore), never in AsyncStorage.

The ROTATE_REFRESH_TOKENS setting is False, meaning refresh tokens are not rotated on use. A single refresh token remains valid for its full 30-day lifetime unless it is explicitly revoked.
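
The settings above next to a rotated variant, with a small audit of refresh-token reuse, as an added example that is not the project's own code. CURRENT holds the values this page reports; HARDENED, audit_simple_jwt and the INSTALLED_APPS lists passed to it are assumptions, while the setting names and the blacklist app path are Django Simple JWT's.

```python
from datetime import timedelta

# Simple JWT's blacklist app; BLACKLIST_AFTER_ROTATION does nothing without it.
BLACKLIST_APP = "rest_framework_simplejwt.token_blacklist"

# Values this page reports for backend/app/settings.py.
CURRENT = {
    "ACCESS_TOKEN_LIFETIME": timedelta(minutes=15),
    "REFRESH_TOKEN_LIFETIME": timedelta(days=30),
    "ROTATE_REFRESH_TOKENS": False,
}
# Assumed hardened variant: every refresh returns a new refresh token and
# blacklists the one that was just used.
HARDENED = {**CURRENT, "ROTATE_REFRESH_TOKENS": True, "BLACKLIST_AFTER_ROTATION": True}

def audit_simple_jwt(cfg, installed_apps):
    """Return findings about refresh-token reuse for a SIMPLE_JWT dict."""
    findings = []
    # Fallbacks are Simple JWT's documented defaults.
    lifetime = cfg.get("REFRESH_TOKEN_LIFETIME", timedelta(days=1))
    rotate = cfg.get("ROTATE_REFRESH_TOKENS", False)
    blacklist = cfg.get("BLACKLIST_AFTER_ROTATION", False)
    if not rotate:
        findings.append(f"no rotation: one refresh token is reusable for {lifetime.days} days")
    elif not blacklist:
        findings.append(f"rotation without blacklist: old tokens stay valid for {lifetime.days} days")
    elif BLACKLIST_APP not in installed_apps:
        findings.append(f"{BLACKLIST_APP} not in INSTALLED_APPS: blacklisting is skipped")
    return findings
```

With rotation enabled, the /api/token/refresh/ response carries a new refresh token that the client must store in place of the old one, and the blacklist app needs its migrations applied.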

Security Warnings

Never commit backend/.env to version control. The .gitignore file already includes .env entries to prevent accidental commits. Verify this with git status before pushing — if backend/.env appears as an untracked file, your .gitignore is working correctly. If it appears as a staged file, remove it immediately with git rm --cached backend/.env.

ALLOWED_HOSTS = ["*"] is set in settings.py for development convenience, meaning Django will accept requests addressed to any hostname. For production, change this to list only your actual domain(s), for example:

```python
ALLOWED_HOSTS = ["api.yourdomain.com"]
```

Running with ALLOWED_HOSTS = ["*"] in production exposes your application to HTTP Host header attacks.
