Backend Variables

Required

| Variable | Description | Example |
| --- | --- | --- |
| SUPABASE_URL | Supabase project URL | https://xxx.supabase.co |
| SUPABASE_ANON_KEY | Supabase anonymous key | eyJhbGciOiJIUzI1... |
| SUPABASE_SERVICE_ROLE_KEY | Supabase service role key | eyJhbGciOiJIUzI1... |
| DATABASE_URL | PostgreSQL connection string | postgresql://... |
| SECRET_KEY | Application secret (256-bit) | abc123... |

Application

| Variable | Description | Default |
| --- | --- | --- |
| ENVIRONMENT | Environment name | development |
| DEBUG | Enable debug mode | false |
| APP_VERSION | Application version | 1.0.0 |
| LOG_LEVEL | Logging level | INFO |

Redis

| Variable | Description | Default |
| --- | --- | --- |
| REDIS_URL | Redis connection URL | redis://localhost:6379 |

Security

| Variable | Description | Default |
| --- | --- | --- |
| ALLOWED_ORIGINS | CORS allowed origins | http://localhost:5173 |
| RATE_LIMIT_REQUESTS | Requests per window | 100 |
| RATE_LIMIT_WINDOW | Window in seconds | 60 |

Monitoring

| Variable | Description | Default |
| --- | --- | --- |
| SENTRY_DSN | Sentry error tracking | (none) |

Frontend Variables

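All frontend variables must be prefixed with VITE_. Vite exposes only variables with this prefix to client code and embeds their values in the built bundle, so anything set here is readable by every visitor: never give SUPABASE_SERVICE_ROLE_KEY, DATABASE_URL or SECRET_KEY a VITE_ prefix.
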
| Variable | Description | Example |
| --- | --- | --- |
| VITE_SUPABASE_URL | Supabase project URL | https://xxx.supabase.co |
| VITE_SUPABASE_ANON_KEY | Supabase anonymous key | eyJhbGciOiJIUzI1... |
| VITE_API_URL | Backend API URL | https://api.risklegion.com |
| VITE_ENVIRONMENT | Environment name | production |
| VITE_SENTRY_DSN | Sentry DSN (optional) | https://... |

Example Files

backend/.env.example

# Supabase
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_ANON_KEY=your-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
DATABASE_URL=postgresql://postgres:password@db.your-project.supabase.co:5432/postgres

# Application
SECRET_KEY=generate-a-secure-256-bit-key
ENVIRONMENT=development
DEBUG=true
APP_VERSION=1.0.0

# Redis
REDIS_URL=redis://localhost:6379

# CORS
ALLOWED_ORIGINS=http://localhost:5173

# Rate Limiting
RATE_LIMIT_REQUESTS=100
RATE_LIMIT_WINDOW=60

# Monitoring (optional)
SENTRY_DSN=

frontend/.env.example

VITE_SUPABASE_URL=https://your-project.supabase.co
VITE_SUPABASE_ANON_KEY=your-anon-key
VITE_API_URL=http://localhost:8000

Environment-Specific Values

Development

ENVIRONMENT=development
DEBUG=true
ALLOWED_ORIGINS=http://localhost:5173
VITE_API_URL=http://localhost:8000

Staging

ENVIRONMENT=staging
DEBUG=false
ALLOWED_ORIGINS=https://staging.risklegion.com
VITE_API_URL=https://api-test.risklegion.com

Production

ENVIRONMENT=production
DEBUG=false
ALLOWED_ORIGINS=https://app.risklegion.com
VITE_API_URL=https://api.risklegion.com

Generating Secret Key

# Python
python -c "import secrets; print(secrets.token_hex(32))"

# OpenSSL
openssl rand -hex 32

# Node.js
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Security Best Practices

Never commit .env files to version control. Always use .env.example as a template.
  • Store secrets in environment variables, not code
  • Use different keys for each environment
  • Rotate keys periodically
  • Never log secret values
  • Limit who has access to production secrets
  • Use secret management tools (AWS Secrets Manager, Vault)
  • Audit secret access
  • Use GitHub Secrets for CI/CD
  • Don’t echo secrets in logs
  • Mask secrets in output

Validating Configuration

Backend

The application validates required variables on startup:
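from pydantic_settings import BaseSettings, SettingsConfigDict

class Settings(BaseSettings):
    # Fields without a default are required
    SUPABASE_URL: str
    SUPABASE_ANON_KEY: str
    SECRET_KEY: str

    # pydantic-settings v2 style; replaces the deprecated inner `class Config`
    model_config = SettingsConfigDict(env_file=".env")

# Raises ValidationError if missing
settings = Settings()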
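
A presence check alone accepts the placeholder values from `.env.example`. The following standard-library sketch is an added example, not the project's code: it audits one environment against the values this page documents (256-bit hex `SECRET_KEY`, production `DEBUG` and `ALLOWED_ORIGINS`, no server secret under `VITE_`). The name `audit_env`, the comma-separated reading of `ALLOWED_ORIGINS` and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit

REQUIRED = ("SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY",
            "DATABASE_URL", "SECRET_KEY")
# Backend-only names that must never appear under the client-visible VITE_ prefix.
SERVER_ONLY = ("SERVICE_ROLE", "SECRET_KEY", "DATABASE_URL")
HEX_256 = re.compile(r"[0-9a-fA-F]{64}")  # shape produced by the generator commands

def audit_env(env):
    """Return a list of findings for one environment's variables (empty = clean)."""
    findings = []
    for name in REQUIRED:
        if not env.get(name, "").strip():
            findings.append(f"{name}: required variable is missing or empty")
    secret = env.get("SECRET_KEY", "")
    if secret and not HEX_256.fullmatch(secret):
        findings.append("SECRET_KEY: not 64 hex characters (256 bits)")
    for name in env:
        if name.startswith("VITE_") and any(s in name for s in SERVER_ONLY):
            findings.append(f"{name}: server-side secret exposed to the frontend bundle")
    if env.get("ENVIRONMENT") == "production":
        if env.get("DEBUG", "false").lower() not in ("false", "0"):
            findings.append("DEBUG: must be false in production")
        # Assumption: multiple origins, if any, are comma-separated.
        for origin in env.get("ALLOWED_ORIGINS", "").split(","):
            url = urlsplit(origin.strip())
            if url.scheme != "https" or url.hostname in (None, "localhost", "127.0.0.1"):
                findings.append(f"ALLOWED_ORIGINS: {origin.strip()!r} is not an https production origin")
    return findings

# Constructed sample values, not real credentials.
GOOD = {
    "SUPABASE_URL": "https://your-project.supabase.co",
    "SUPABASE_ANON_KEY": "your-anon-key",
    "SUPABASE_SERVICE_ROLE_KEY": "your-service-role-key",
    "DATABASE_URL": "postgresql://postgres:password@db.your-project.supabase.co:5432/postgres",
    "SECRET_KEY": "ab" * 32,
    "ENVIRONMENT": "production", "DEBUG": "false",
    "ALLOWED_ORIGINS": "https://app.risklegion.com",
}
# Same environment with the .env.example placeholders and dev values left in.
BAD = dict(GOOD, SECRET_KEY="generate-a-secure-256-bit-key", DEBUG="true",
           ALLOWED_ORIGINS="http://localhost:5173",
           VITE_SUPABASE_SERVICE_ROLE_KEY="your-service-role-key")

if __name__ == "__main__":
    for finding in audit_env(BAD):
        print(finding)
```

Findings name the variable but never print its value, in line with the logging guidance above.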

Frontend

Check that Vite loads the variables correctly:
console.log('API URL:', import.meta.env.VITE_API_URL);