Environment Variables
AllyProof uses environment variables for all secrets, service connections, and configuration. Never commit secrets to source control. Use .env.local for local development.
Required Variables
These must be set for the application to start and function correctly:
| Variable | Description | Example |
|---|---|---|
| NEXT_PUBLIC_SUPABASE_URL | Supabase project URL (public, safe for client) | https://xxxxx.supabase.co |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Supabase anonymous/public key (public, safe for client) | eyJhbGciOi... |
| SUPABASE_SERVICE_ROLE_KEY | Supabase service role key (server-only, bypasses RLS) | eyJhbGciOi... |
| NEXT_PUBLIC_APP_URL | Full application URL (used for links in emails and statements) | https://app.allyproof.com |
AI / LLM
| Variable | Description | Example |
|---|---|---|
| ANTHROPIC_API_KEY | Claude API key for AI fix suggestions and VPAT summaries | sk-ant-... |
If not set, AI features are disabled gracefully — scans still run but fix suggestions and VPAT executive summaries are not generated.
Email (Resend)
| Variable | Description | Example |
|---|---|---|
| RESEND_API_KEY | Resend API key for sending transactional emails | re_xxxxxxxxxx |
| RESEND_FROM_EMAIL | Sender email address (must be verified in Resend) | AllyProof <notifications@allyproof.com> |
If not set, email notifications are disabled. Scans complete normally but no notification emails are sent.
Scheduled Scans
| Variable | Description | Example |
|---|---|---|
| CRON_SECRET | Shared secret for authenticating pg_cron webhook calls | a1b2c3d4e5... (use openssl rand -hex 32) |
This secret must match the value configured in Supabase's app.settings.cron_secret. See the Scheduled Scans guide for setup instructions.
Payments (Paddle)
| Variable | Description | Example |
|---|---|---|
| PADDLE_API_KEY | Paddle API key for subscription management | pdl_... |
| PADDLE_WEBHOOK_SECRET | Secret for verifying Paddle webhook signatures | pdl_ntfset_... |
| NEXT_PUBLIC_PADDLE_CLIENT_TOKEN | Paddle client-side token for checkout (public, safe for client) | test_... |
| NEXT_PUBLIC_PADDLE_ENV | Paddle environment (sandbox or production) | sandbox |
Storage (Cloudflare R2)
| Variable | Description | Example |
|---|---|---|
| R2_ACCESS_KEY_ID | Cloudflare R2 access key | xxxxxxxx |
| R2_SECRET_ACCESS_KEY | Cloudflare R2 secret key | xxxxxxxx |
| R2_BUCKET_NAME | R2 bucket for report storage | allyproof-reports |
| R2_ENDPOINT | R2 S3-compatible endpoint | https://xxxx.r2.cloudflarestorage.com |
Monitoring
| Variable | Description | Example |
|---|---|---|
| SENTRY_DSN | Sentry error tracking DSN | https://xxxxx@o0.ingest.sentry.io/0 |
| NEXT_PUBLIC_SENTRY_DSN | Sentry DSN for client-side error tracking | Same as SENTRY_DSN |
Security Notes
- Variables prefixed with NEXT_PUBLIC_ are exposed to the browser. Only use this prefix for values that are safe to be public (Supabase anon key, Paddle client token, app URL).
- SUPABASE_SERVICE_ROLE_KEY bypasses Row Level Security. It must never be exposed to the client. Only use it in server-side code (API routes, server actions, Trigger.dev jobs).
- In production, set environment variables through your hosting provider's dashboard or secrets manager. Do not use .env files in production.
- The .env.local file is gitignored by default. The .env.example file in the repository shows all required variables with placeholder values.
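
A startup check for the rules on this page, written as an added example and not taken from the AllyProof code base: it reports missing required variables, any NEXT_PUBLIC_ name this page does not document as public, and any server-only secret whose value was copied into a NEXT_PUBLIC_ variable. The function name `checkEnv`, the feature labels, and the rule that email counts as disabled unless both Resend variables are set are assumptions.

```javascript
// Added example: variable names come from the tables on this page; checkEnv is hypothetical.
const REQUIRED = ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY",
  "SUPABASE_SERVICE_ROLE_KEY", "NEXT_PUBLIC_APP_URL"];
// Optional groups: when incomplete, the feature is disabled instead of failing startup.
const OPTIONAL = { ai: ["ANTHROPIC_API_KEY"], email: ["RESEND_API_KEY", "RESEND_FROM_EMAIL"] };
// The only NEXT_PUBLIC_ names this page documents as safe for the browser.
const PUBLIC_OK = new Set(["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY",
  "NEXT_PUBLIC_APP_URL", "NEXT_PUBLIC_PADDLE_CLIENT_TOKEN", "NEXT_PUBLIC_PADDLE_ENV",
  "NEXT_PUBLIC_SENTRY_DSN"]);
// Server-only values that must never appear under a NEXT_PUBLIC_ name.
const SERVER_ONLY = ["SUPABASE_SERVICE_ROLE_KEY", "ANTHROPIC_API_KEY", "RESEND_API_KEY",
  "CRON_SECRET", "PADDLE_API_KEY", "PADDLE_WEBHOOK_SECRET", "R2_SECRET_ACCESS_KEY"];

function checkEnv(env) {
  const errors = [];
  const isSet = (name) => typeof env[name] === "string" && env[name].trim() !== "";
  for (const name of REQUIRED) if (!isSet(name)) errors.push(`missing required ${name}`);

  // Map each configured secret value back to its variable name for the leak check.
  const secrets = new Map(SERVER_ONLY.filter((n) => isSet(n)).map((n) => [env[n], n]));
  for (const name of Object.keys(env).filter((n) => n.startsWith("NEXT_PUBLIC_"))) {
    if (!PUBLIC_OK.has(name)) errors.push(`${name} is not a documented public variable`);
    if (secrets.has(env[name])) errors.push(`${name} holds the value of ${secrets.get(env[name])}`);
  }
  if (isSet("NEXT_PUBLIC_PADDLE_ENV") &&
      !["sandbox", "production"].includes(env.NEXT_PUBLIC_PADDLE_ENV))
    errors.push("NEXT_PUBLIC_PADDLE_ENV must be sandbox or production");

  const disabled = Object.keys(OPTIONAL).filter((f) => !OPTIONAL[f].every((n) => isSet(n)));
  return { errors, disabled };
}

// Constructed sample: the service role key was pasted into the public anon key slot,
// and an LLM key was given a NEXT_PUBLIC_ prefix.
const sample = {
  NEXT_PUBLIC_SUPABASE_URL: "https://example.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "constructed-service-role-value",
  SUPABASE_SERVICE_ROLE_KEY: "constructed-service-role-value",
  NEXT_PUBLIC_APP_URL: "https://app.example.test",
  NEXT_PUBLIC_ANTHROPIC_API_KEY: "constructed-llm-key",
  RESEND_API_KEY: "constructed-resend-key",
};
console.log(checkEnv(sample));
```

Call `checkEnv(process.env)` from server-side startup code and refuse to start when `errors` is non-empty; entries in `disabled` only mean the corresponding optional feature is off.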