Skip to main content

Environment Variables

This page explains env vars by purpose, not by implementation detail.

Start with these files

local baseline: api/.env.example
production baseline: api/.env.production.example

Core groups (what they control)

app runtime: NODE_ENV, PORT, API_PREFIX, CORS_ORIGINS
data: MONGODB_URI, REDIS_URL (or host/port)
auth: JWT_*, GOOGLE_*
LLM provider: LLM_PROVIDER and provider-specific keys
telegram: TELEGRAM_APP_*
mailbox: MAILCOW_*
feature flags: ATTACHMENTS_ENABLED, calendar flags

Best source of truth

Use Environment Matrix for:

required vs optional vars
where to store them (secrets vs vars)
production notes

Safety basics

never commit secrets
rotate keys periodically
keep production CORS strict
require real production secrets for JWT_SECRET, JWT_REFRESH_SECRET, ENCRYPTION_KEY

Start with these files
Core groups (what they control)
Best source of truth
Safety basics