
Environment Variables

Backend variables (local: backend/.env.development)

For the local workflow, prefer backend/.env.development and run the local scripts (dev:local, test:local, and the Prisma local scripts).

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| DATABASE_URL | Yes | - | PostgreSQL connection string used by Prisma. |
| GOOGLE_CLIENT_ID | Yes | - | Google OAuth client ID. |
| GOOGLE_CLIENT_SECRET | Yes | - | Google OAuth client secret. |
| GOOGLE_CALLBACK_URL | Yes | - | OAuth callback URL handled by backend. |
| JWT_SECRET or JWT_SECRET_KEY | Yes (one of the two) | - | Secret used to sign/verify JWT tokens. |
| FRONTEND_URL | Yes | http://localhost:5173 | Primary frontend origin (used for CORS fallback/redirects). |

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| PORT | No | 5000 | Backend HTTP port. |
| NODE_ENV | No | development | Runtime mode (development, test, production). |
| CORS_ORIGINS | No | FRONTEND_URL | Comma-separated allowlist of frontend origins. |
| SMTP_HOST | No | - | SMTP provider host. |
| SMTP_PORT | No | 587 | SMTP provider port. |
| SMTP_USER | No | - | SMTP username. |
| SMTP_PASS | No | - | SMTP password or API token. |
| EMAIL_FROM | No | noreply@korta.click | Sender email used in verification emails. |

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| VITE_API_URL | Yes (prod) | http://localhost:5000/api/v1 | Backend API base URL. |
| VITE_GOOGLE_AUTH_URL | Yes (prod) | http://localhost:5000/api/v1/auth/google | Google auth entrypoint in backend. |
| VITE_BASE_URL | Yes (prod) | - | Public frontend base URL for share/copy links. |
```
# backend/.env.development
PORT=5000
NODE_ENV=development
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/korta
TEST_DATABASE_URL=postgresql://postgres:postgres@localhost:5432/korta_test
SHADOW_DATABASE_URL=postgresql://postgres:postgres@localhost:5432/korta_shadow
FRONTEND_URL=http://localhost:5173
CORS_ORIGINS=http://localhost:5173
JWT_SECRET=change-me-strong-secret
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GOOGLE_CALLBACK_URL=http://localhost:5000/api/v1/auth/google/callback
SMTP_HOST=smtp.resend.com
SMTP_PORT=587
SMTP_USER=resend
SMTP_PASS=your-resend-api-key
EMAIL_FROM=onboarding@resend.dev

# frontend/.env
VITE_API_URL=http://localhost:5000/api/v1
VITE_GOOGLE_AUTH_URL=http://localhost:5000/api/v1/auth/google
VITE_BASE_URL=http://localhost:5173
```
  • Never commit real secrets to Git.
  • Rotate secrets immediately if exposed (DATABASE_URL, JWT_SECRET, GOOGLE_CLIENT_SECRET, SMTP_PASS).
  • Keep separate credentials per environment (dev/staging/prod).
  • Ensure CORS_ORIGINS, FRONTEND_URL, and Google OAuth callback/origin values match exact deployed domains.
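
One way to enforce these rules at backend startup, shown as an added example that is not part of the project's code. The function names, the 32-character minimum for the JWT secret, and the HTTPS requirement in production are assumptions; the variable names and the placeholder prefixes come from the tables and sample file above.

```javascript
// Added example, not the project's code. Names and thresholds are assumptions.
const PLACEHOLDER = /^(change-me|your-)/i; // prefixes of the sample values on this page
const REQUIRED = ['DATABASE_URL', 'GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET',
  'GOOGLE_CALLBACK_URL', 'FRONTEND_URL'];

// CORS_ORIGINS defaults to FRONTEND_URL, as in the variable table.
function parseOrigins(env) {
  const raw = env.CORS_ORIGINS || env.FRONTEND_URL || '';
  return raw.split(',').map((s) => s.trim()).filter(Boolean);
}

// Exact origin: scheme://host[:port], with no wildcard, path or trailing slash.
function isExactOrigin(value) {
  if (value.includes('*')) return false;
  try {
    return new URL(value).origin === value;
  } catch {
    return false;
  }
}

// Returns a list of problems; an empty list means the environment is usable.
function validateEnv(env) {
  const errors = [];
  const prod = env.NODE_ENV === 'production';
  for (const name of REQUIRED) {
    if (!env[name]) errors.push(`${name} is missing`);
  }
  const jwt = env.JWT_SECRET || env.JWT_SECRET_KEY;
  if (!jwt) {
    errors.push('JWT_SECRET or JWT_SECRET_KEY is missing');
  } else if (prod && (PLACEHOLDER.test(jwt) || jwt.length < 32)) {
    errors.push('JWT secret is a placeholder or shorter than 32 characters');
  }
  for (const name of ['GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET', 'SMTP_PASS']) {
    if (prod && PLACEHOLDER.test(env[name] || '')) errors.push(`${name} is a placeholder`);
  }
  for (const origin of parseOrigins(env)) {
    if (!isExactOrigin(origin)) errors.push(`CORS origin "${origin}" is not exact`);
    else if (prod && !origin.startsWith('https://')) errors.push(`CORS origin "${origin}" is not HTTPS`);
  }
  const cb = env.GOOGLE_CALLBACK_URL || '';
  if (prod && cb && !cb.startsWith('https://')) errors.push('GOOGLE_CALLBACK_URL is not HTTPS');
  return errors;
}

// Startup use: const errors = validateEnv(process.env);
//              if (errors.length) { console.error(errors.join('\n')); process.exit(1); }
```

The development values from this page pass when NODE_ENV is development; the same values with NODE_ENV=production are rejected for the placeholder secrets and the non-HTTPS origin and callback.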