Environment Variables

For local workflow, keep backend defaults in backend/.env.development.

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| DATABASE_URL | Yes | - | PostgreSQL connection string used by Prisma. |
| JWT_SECRET or JWT_SECRET_KEY | Yes (one) | - | JWT signing/verification secret. |
| GOOGLE_CLIENT_ID | Yes | - | Google OAuth client ID. |
| GOOGLE_CLIENT_SECRET | Yes | - | Google OAuth client secret. |
| GOOGLE_CALLBACK_URL | Yes | - | OAuth callback URL handled by backend. |
| RESEND_API_KEY | Yes (production) | - | Resend API key for verification and reset emails. |
| FRONTEND_URL | No | http://localhost:5173 | Frontend origin used for redirects and CORS fallback. |
| CORS_ORIGINS | No | falls back to FRONTEND_URL | Comma-separated CORS allowlist. |
| EMAIL_FROM | No | noreply@korta.click | Sender address used by Resend. |
| TRUST_PROXY_HOPS | No | 0 (dev), recommended 1 on Railway | Reverse-proxy trust depth for correct client IP/protocol handling. |

Local env strategy:

  • frontend/.env.development is the shared local base.
  • frontend/.env.development.local is optional and overrides local machine values.

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| VITE_API_URL | Yes (prod) | http://localhost:5000/api/v1 | Backend API base URL. |
| VITE_GOOGLE_AUTH_URL | Yes (prod) | http://localhost:5000/api/v1/auth/google | Google auth entrypoint in backend. |
| VITE_BASE_URL | Yes (prod) | - | Public frontend base URL for share/copy links. |

```
# backend/.env.development
PORT=5000
NODE_ENV=development
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/korta
JWT_SECRET=change-me-strong-secret
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GOOGLE_CALLBACK_URL=http://localhost:5000/api/v1/auth/google/callback
FRONTEND_URL=http://localhost:5173
CORS_ORIGINS=http://localhost:5173
EMAIL_FROM=noreply@korta.click
TRUST_PROXY_HOPS=0
TEST_DATABASE_URL=postgresql://postgres:postgres@localhost:5432/korta_test
SHADOW_DATABASE_URL=postgresql://postgres:postgres@localhost:5432/korta_shadow
# production only
RESEND_API_KEY=re_your_resend_api_key
```

```
# frontend/.env.development
VITE_API_URL=http://localhost:5000/api/v1
VITE_GOOGLE_AUTH_URL=http://localhost:5000/api/v1/auth/google
VITE_BASE_URL=http://localhost:5173
```

```
# frontend/.env.development.local (optional overrides)
# VITE_API_URL=http://localhost:5001/api/v1
```

  • Never commit real secrets to Git.
  • Rotate secrets immediately if exposed (DATABASE_URL, JWT secret, GOOGLE_CLIENT_SECRET, RESEND_API_KEY).
  • Keep separate credentials per environment (dev/staging/prod).
  • Ensure CORS_ORIGINS, FRONTEND_URL, and Google OAuth callback/origin values match exact deployed domains.
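
The rules in the tables and notes above can be enforced at backend startup so a misconfigured deploy fails before it serves traffic. This is an added example, not the project's own code: `validateEnv`, `PLACEHOLDER`, the 32-character minimum for the JWT secret and the https-in-production rule are assumptions of this sketch.

```javascript
// Added example, not the project's own code. validateEnv, PLACEHOLDER and the
// 32-character minimum for the JWT secret are assumptions of this sketch.
const PLACEHOLDER = /^(change-me|your-|re_your_)/; // sample values from this page

function originOf(value) {
  try {
    return new URL(value).origin; // scheme://host[:port], normalised
  } catch {
    return null; // not an absolute URL
  }
}

function validateEnv(env) {
  const errors = [];
  const prod = env.NODE_ENV === "production";
  const required = ["DATABASE_URL", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GOOGLE_CALLBACK_URL"];
  if (prod) required.push("RESEND_API_KEY"); // only required in production

  for (const name of required) {
    if (!env[name]) errors.push(`${name} is required`);
    else if (prod && PLACEHOLDER.test(env[name])) errors.push(`${name} is still a placeholder`);
  }

  const jwt = env.JWT_SECRET || env.JWT_SECRET_KEY; // either name is accepted
  if (!jwt) errors.push("JWT_SECRET or JWT_SECRET_KEY is required");
  else if (prod && (PLACEHOLDER.test(jwt) || jwt.length < 32)) errors.push("JWT secret is weak");

  // CORS_ORIGINS falls back to FRONTEND_URL (documented default below).
  const frontend = env.FRONTEND_URL || "http://localhost:5173";
  const allow = (env.CORS_ORIGINS || frontend).split(",").map((s) => s.trim()).filter(Boolean);
  for (const o of new Set([frontend, ...allow])) {
    // Browsers send a bare origin, so a path, trailing slash or wildcard never matches.
    if (o.includes("*") || originOf(o) !== o) errors.push(`${o} is not an exact origin`);
    else if (prod && !o.startsWith("https://")) errors.push(`${o} must use https`);
  }

  const callback = env.GOOGLE_CALLBACK_URL;
  if (callback && prod && !(originOf(callback) || "").startsWith("https://")) {
    errors.push("GOOGLE_CALLBACK_URL must be an https URL");
  }

  if (!/^\d+$/.test(env.TRUST_PROXY_HOPS ?? "0")) {
    errors.push("TRUST_PROXY_HOPS must be a non-negative integer");
  }
  return errors;
}
```

Call `validateEnv(process.env)` before the server starts listening and exit non-zero if the returned list is not empty.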