Environment Setup
Configure production environment variables and secrets.
Before deploying to production, you need to configure all required environment variables. This guide covers the essential variables and how to set them up for the Drizzle kit.
Using Dev Tools (Recommended)
The easiest way to configure production environment variables is using the Dev Tools application:
- Run Dev Tools: `pnpm --filter dev-tool dev`
- Open http://localhost:3010/variables
- Select Production mode from the dropdown
- Fill in missing variables (highlighted in red)
- Click Copy to copy all variables
- Paste into your hosting provider's environment settings
For more details, see the Dev Tools documentation.
Required Environment Variables
Database
```bash
DATABASE_URL=postgresql://user:password@host:5432/database
```
Your PostgreSQL connection string. Get this from your database provider (Neon, Supabase, Railway, etc.).
Site URL
```bash
NEXT_PUBLIC_SITE_URL=https://your-domain.com
```
Your production domain. Must match exactly - used for authentication callbacks, emails, and absolute URLs.
Authentication Secret
```bash
BETTER_AUTH_SECRET=your-random-secret-string
```
A random secret string used to sign authentication tokens and cookies. Generate a secure random string (at least 32 characters). You can generate one using:
```bash
openssl rand -base64 32
```
Security Critical
Use a unique, randomly generated secret for production. Never reuse your development secret or share it publicly.
Billing Provider
```bash
NEXT_PUBLIC_BILLING_PROVIDER=stripe
```
Set to `stripe` or `polar` depending on your billing provider.
For Stripe:
```bash
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
```
For Polar:
```bash
POLAR_ACCESS_TOKEN=...
```
Storage (S3-Compatible)
```bash
STORAGE_BASE_URL=https://your-bucket-endpoint.com
STORAGE_S3_ACCESS_KEY_ID=...
STORAGE_S3_SECRET_ACCESS_KEY=...
STORAGE_S3_BUCKET=your-bucket-name
STORAGE_S3_REGION=us-east-1
```
Required for file uploads. Works with AWS S3, Cloudflare R2, Railway Storage, or any S3-compatible provider.
Email
```bash
EMAIL_SENDER=noreply@your-domain.com
```
Plus your email provider credentials (Resend, Postmark, SendGrid, etc.).
Optional Environment Variables
OAuth Providers
If you enabled social login during development:
Google:
```bash
GOOGLE_CLIENT_ID=...
GOOGLE_CLIENT_SECRET=...
```
GitHub:
```bash
GITHUB_CLIENT_ID=...
GITHUB_CLIENT_SECRET=...
```
OAuth Redirect URLs
Remember to add your production domain to the OAuth provider's allowed redirect URLs.
Feature Flags
```bash
NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING=true
NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS=true
```
Match these to your development configuration.
Environment Variables Reference
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | PostgreSQL connection string |
| NEXT_PUBLIC_SITE_URL | Yes | Production domain URL |
| BETTER_AUTH_SECRET | Yes | Authentication token signing secret |
| NEXT_PUBLIC_BILLING_PROVIDER | Yes | `stripe` or `polar` |
| STRIPE_SECRET_KEY | If Stripe | Stripe secret key |
| STRIPE_WEBHOOK_SECRET | If Stripe | Stripe webhook signing secret |
| POLAR_ACCESS_TOKEN | If Polar | Polar API token |
| STORAGE_BASE_URL | Yes | S3 endpoint URL |
| STORAGE_S3_ACCESS_KEY_ID | Yes | S3 access key |
| STORAGE_S3_SECRET_ACCESS_KEY | Yes | S3 secret key |
| STORAGE_S3_BUCKET | Yes | S3 bucket name |
| STORAGE_S3_REGION | Yes | S3 region |
| EMAIL_SENDER | Yes | From email address |
For the complete list, see the Environment Variables Reference.
Best Practices
- Never commit secrets - Use `.env.local` for local development and never commit it to git
- Use different values per environment - Don't reuse development keys in production
- Validate before deploying - Use Dev Tools to check all required variables are set
- Rotate secrets regularly - Especially after team member changes
- Use your provider's secret management - Most hosting platforms encrypt environment variables
Common Mistakes
- Wrong site URL - Must match your actual domain exactly, including `https://`
- Missing webhook secrets - Billing won't work without webhook configuration
- Development keys in production - Stripe test keys won't process real payments
- Typos in variable names - Double-check spelling, especially for the `NEXT_PUBLIC_` prefix
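The "Validate before deploying" practice and the Common Mistakes above can be turned into a pre-deploy check; the script below is an added example, not code from the kit or its Dev Tools, and `validateProductionEnv` together with the plain env object it takes are assumptions made here. It applies only the rules this page states (required names, `https://` site URL, 32-character secret, live-mode Stripe prefixes, per-provider billing keys, paired OAuth credentials, and the `NEXT_PUBLIC_` prefix).

```javascript
// Added example, not the kit's own code: checks a production env object against the
// rules stated in this guide. All values used in testing are constructed placeholders.
const ALWAYS_REQUIRED = [
  "DATABASE_URL", "NEXT_PUBLIC_SITE_URL", "BETTER_AUTH_SECRET", "NEXT_PUBLIC_BILLING_PROVIDER",
  "STORAGE_BASE_URL", "STORAGE_S3_ACCESS_KEY_ID", "STORAGE_S3_SECRET_ACCESS_KEY",
  "STORAGE_S3_BUCKET", "STORAGE_S3_REGION", "EMAIL_SENDER",
];
// OAuth credentials only make sense as a pair; one half without the other is a misconfiguration.
const OAUTH_PAIRS = [["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"], ["GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET"]];
const PUBLIC_FLAGS = ["NEXT_PUBLIC_ENABLE_PERSONAL_ACCOUNT_BILLING", "NEXT_PUBLIC_ENABLE_TEAM_ACCOUNTS"];
function validateProductionEnv(env) {
  const errors = [];
  const missing = (name) => typeof env[name] !== "string" || env[name].trim() === "";
  for (const name of ALWAYS_REQUIRED) if (missing(name)) errors.push(`${name} is missing`);
  // Billing: the chosen provider decides which keys are required; Stripe values are also
  // checked for the live-mode prefixes shown in this guide (sk_live_ and whsec_).
  const provider = env.NEXT_PUBLIC_BILLING_PROVIDER;
  if (provider === "stripe") {
    if (missing("STRIPE_SECRET_KEY")) errors.push("STRIPE_SECRET_KEY is missing");
    else if (!env.STRIPE_SECRET_KEY.startsWith("sk_live_"))
      errors.push("STRIPE_SECRET_KEY is not a live key; test keys will not process real payments");
    if (missing("STRIPE_WEBHOOK_SECRET")) errors.push("STRIPE_WEBHOOK_SECRET is missing; billing webhooks will not work");
    else if (!env.STRIPE_WEBHOOK_SECRET.startsWith("whsec_")) errors.push("STRIPE_WEBHOOK_SECRET is not a whsec_ signing secret");
  } else if (provider === "polar") {
    if (missing("POLAR_ACCESS_TOKEN")) errors.push("POLAR_ACCESS_TOKEN is missing");
  } else if (!missing("NEXT_PUBLIC_BILLING_PROVIDER")) {
    errors.push(`NEXT_PUBLIC_BILLING_PROVIDER must be "stripe" or "polar", got "${provider}"`);
  }
  // The site URL feeds auth callbacks, emails and absolute URLs, so it must parse and use https.
  if (!missing("NEXT_PUBLIC_SITE_URL")) {
    let https = false;
    try { https = new URL(env.NEXT_PUBLIC_SITE_URL).protocol === "https:"; } catch { https = false; }
    if (!https) errors.push("NEXT_PUBLIC_SITE_URL must be an absolute https:// URL");
  }
  if (!missing("BETTER_AUTH_SECRET") && env.BETTER_AUTH_SECRET.length < 32)
    errors.push("BETTER_AUTH_SECRET is shorter than 32 characters");
  if (!missing("DATABASE_URL") && !/^postgres(ql)?:\/\//.test(env.DATABASE_URL))
    errors.push("DATABASE_URL is not a PostgreSQL connection string");
  for (const [id, secret] of OAUTH_PAIRS)
    if (missing(id) !== missing(secret)) errors.push(`${id} and ${secret} must be set together`);
  // A flag set without its NEXT_PUBLIC_ prefix is not the name the app reads (see Common Mistakes).
  for (const flag of PUBLIC_FLAGS) {
    const bare = flag.slice("NEXT_PUBLIC_".length);
    if (bare in env && !(flag in env)) errors.push(`${bare} is set but ${flag} is not (missing NEXT_PUBLIC_ prefix?)`);
  }
  return { ok: errors.length === 0, errors };
}
```

Run it against the object you are about to paste into your hosting provider; a non-empty `errors` list means the deploy should wait.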