Environment Variables
Copy .env.example to .env and populate each variable before starting the stack. Variables marked Required must be set — the app will fail to start or behave incorrectly without them.
cp .env.example .env
App
| Variable | Required | Description |
|---|---|---|
| NODE_ENV | Yes | Set to development or production. Controls Next.js optimizations and error verbosity. |
Database (PostgreSQL)
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | PostgreSQL connection string. Example: postgresql://user:pass@host:5432/opencan. When using the bundled Docker Compose stack, this is pre-wired to the postgres service. |
Redis
| Variable | Required | Description |
|---|---|---|
| REDIS_URL | Yes | Redis connection string. Example: redis://localhost:6379. Used for the session blocklist and rate limiting. |
Security
| Variable | Required | Description |
|---|---|---|
| IP_HASH_SECRET | Yes | 32-byte hex string used to HMAC IP addresses for guest vote deduplication. Hashing preserves dedup without storing raw IPs. Generate with: openssl rand -hex 32. Must be unique per environment. |
Auth
| Variable | Required | Description |
|---|---|---|
| AUTH_SECRET | Yes | NextAuth signing and encryption secret. Generate with: openssl rand -base64 32. Rotating this value invalidates all existing sessions. |
| AUTH_URL | Yes | Full URL to your deployment, e.g. https://feedback.example.com. Used by NextAuth for OAuth callback URLs. |
| GOOGLE_CLIENT_ID | Optional | Google OAuth app client ID. Only required if you want "Sign in with Google". Create credentials at console.cloud.google.com. |
| GOOGLE_CLIENT_SECRET | Optional | Google OAuth app client secret. Required alongside GOOGLE_CLIENT_ID. |
| GITHUB_CLIENT_ID | Optional | GitHub OAuth app client ID. Only required if you want "Sign in with GitHub". Create an OAuth app in your GitHub settings. |
| GITHUB_CLIENT_SECRET | Optional | GitHub OAuth app client secret. Required alongside GITHUB_CLIENT_ID. |
Email (Resend)
| Variable | Required | Description |
|---|---|---|
| RESEND_API_KEY | Yes | API key from your Resend account. Required for magic link login and email verification to work. |
| RESEND_FROM | Yes | Sender address for all transactional emails. Example: OpenCan <noreply@opencan.dev>. The domain must be verified in Resend. |
Object Storage (MinIO / S3-compatible)
MinIO is bundled in the Docker Compose stack but is not yet used by the application (file upload is a planned feature). The Docker Compose defaults work out of the box — you only need to set these variables if you replace MinIO with external S3-compatible storage.
| Variable | Required | Description |
|---|---|---|
| MINIO_ENDPOINT | Optional | MinIO host. Defaults to minio (the Docker service name). Override to point at an external S3-compatible endpoint. |
| MINIO_PORT | Optional | MinIO port. Default is 9000. |
| MINIO_ACCESS_KEY | Optional | MinIO access key. Defaults to minioadmin in the bundled stack. |
| MINIO_SECRET_KEY | Optional | MinIO secret key. Defaults to minioadmin in the bundled stack. Change for production. |
| MINIO_BUCKET_NAME | Optional | Name of the bucket. Defaults to opencan. |
| MINIO_USE_SSL | Optional | Set to true when pointing at an external S3 provider with TLS. Leave unset for the bundled MinIO container. |
Webhooks
| Variable | Required | Description |
|---|---|---|
| WEBHOOK_MAX | Optional | Maximum number of webhook endpoints per instance. Defaults to 10. Increase for multi-team deployments. |
Embeddable Widget
| Variable | Required | Description |
|---|---|---|
| WIDGET_JWT_SECRET | Optional | Shared secret (minimum 32 characters) used to verify HMAC HS256 tokens issued by your host app for widget JWT auto-login. Generate with: openssl rand -hex 32. If unset, the widget works in guest mode only. |
| WIDGET_ALLOWED_ORIGINS | Optional | Space-separated list of origins allowed to embed OpenCan in an iframe, set as the frame-ancestors CSP directive on embed routes. Example: https://app.example.com https://staging.example.com. Defaults to 'none' (no embedding allowed) when unset. |
Playwright (E2E testing only)
| Variable | Required | Description |
|---|---|---|
| PLAYWRIGHT_BASE_URL | Dev only | Base URL for E2E tests. Defaults to http://localhost:3000. Only needed when running npm run test:e2e. |
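
Preflight check
The constraints stated in the tables on this page (required variables, secret formats, paired OAuth settings, origin lists, the bundled MinIO default) can be checked before the stack starts. The script below is an added example and not part of OpenCan; checkEnv, isOrigin, SAMPLE_ENV and the message strings are hypothetical names, and the origin test assumes each entry is written in normalized form.

```javascript
// Added example, not OpenCan code: checkEnv() is a hypothetical preflight helper.
const REQUIRED = ['NODE_ENV', 'DATABASE_URL', 'REDIS_URL', 'IP_HASH_SECRET',
  'AUTH_SECRET', 'AUTH_URL', 'RESEND_API_KEY', 'RESEND_FROM'];

// True when value is an http(s) origin in normalized form: scheme, host and
// optional port only, so a path or trailing slash is rejected.
function isOrigin(value) {
  try {
    const u = new URL(value);
    return /^https?:$/.test(u.protocol) && u.origin === value;
  } catch {
    return false;
  }
}

function checkEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    if (!env[name]) problems.push(`${name} is required but not set`);
  }
  if (env.NODE_ENV && !['development', 'production'].includes(env.NODE_ENV)) {
    problems.push('NODE_ENV must be development or production');
  }
  // openssl rand -hex 32 yields exactly 64 hex digits.
  if (env.IP_HASH_SECRET && !/^[0-9a-f]{64}$/i.test(env.IP_HASH_SECRET)) {
    problems.push('IP_HASH_SECRET must be a 32-byte hex string');
  }
  if (env.WIDGET_JWT_SECRET && env.WIDGET_JWT_SECRET.length < 32) {
    problems.push('WIDGET_JWT_SECRET must be at least 32 characters');
  }
  for (const p of ['GOOGLE', 'GITHUB']) { // ID and secret only work as a pair
    if (!env[`${p}_CLIENT_ID`] !== !env[`${p}_CLIENT_SECRET`]) {
      problems.push(`${p}_CLIENT_ID and ${p}_CLIENT_SECRET must be set together`);
    }
  }
  for (const o of (env.WIDGET_ALLOWED_ORIGINS || '').split(/\s+/).filter(Boolean)) {
    if (!isOrigin(o)) problems.push(`WIDGET_ALLOWED_ORIGINS: not an origin: ${o}`);
  }
  if (env.NODE_ENV === 'production' && env.MINIO_SECRET_KEY === 'minioadmin') {
    problems.push('MINIO_SECRET_KEY is still the bundled default');
  }
  return problems;
}

// Constructed sample with deliberate mistakes; pass process.env in real use.
const SAMPLE_ENV = { NODE_ENV: 'production', IP_HASH_SECRET: 'changeme',
  GITHUB_CLIENT_ID: 'placeholder', MINIO_SECRET_KEY: 'minioadmin',
  WIDGET_ALLOWED_ORIGINS: 'https://app.example.com https://staging.example.com/embed' };
checkEnv(SAMPLE_ENV).forEach((p) => console.error(`env: ${p}`));
```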