Environment Variables

Copy .env.example to .env and populate each variable before starting the stack. Variables marked Required must be set — the app will fail to start or behave incorrectly without them.

cp .env.example .env

App

| Variable | Required | Description |
| --- | --- | --- |
| `NODE_ENV` | Yes | Set to `development` or `production`. Controls Next.js optimizations and error verbosity. |

Database (PostgreSQL)

| Variable | Required | Description |
| --- | --- | --- |
| `DATABASE_URL` | Yes | PostgreSQL connection string. Example: `postgresql://user:pass@host:5432/opencan`. When using the bundled Docker Compose stack, this is pre-wired to the `postgres` service. |

Redis

| Variable | Required | Description |
| --- | --- | --- |
| `REDIS_URL` | Yes | Redis connection string. Example: `redis://localhost:6379`. Used for the session blocklist and rate limiting. |

Security

| Variable | Required | Description |
| --- | --- | --- |
| `IP_HASH_SECRET` | Yes | 32-byte hex string used to HMAC IP addresses for guest vote deduplication. Hashing preserves dedup without storing raw IPs. Generate with: `openssl rand -hex 32`. Must be unique per environment. |

Auth

| Variable | Required | Description |
| --- | --- | --- |
| `AUTH_SECRET` | Yes | NextAuth signing and encryption secret. Generate with: `openssl rand -base64 32`. Rotating this value invalidates all existing sessions. |
| `AUTH_URL` | Yes | Full URL to your deployment, e.g. `https://feedback.example.com`. Used by NextAuth for OAuth callback URLs. |
| `GOOGLE_CLIENT_ID` | Optional | Google OAuth app client ID. Only required if you want "Sign in with Google". Create credentials at console.cloud.google.com. |
| `GOOGLE_CLIENT_SECRET` | Optional | Google OAuth app client secret. Required alongside `GOOGLE_CLIENT_ID`. |
| `GITHUB_CLIENT_ID` | Optional | GitHub OAuth app client ID. Only required if you want "Sign in with GitHub". Create an OAuth app in your GitHub settings. |
| `GITHUB_CLIENT_SECRET` | Optional | GitHub OAuth app client secret. Required alongside `GITHUB_CLIENT_ID`. |

Email (Resend)

| Variable | Required | Description |
| --- | --- | --- |
| `RESEND_API_KEY` | Yes | API key from your Resend account. Required for magic link login and email verification to work. |
| `RESEND_FROM` | Yes | Sender address for all transactional emails. Example: `OpenCan <noreply@opencan.dev>`. The domain must be verified in Resend. |

Object Storage (MinIO / S3-compatible)

MinIO is bundled in the Docker Compose stack but is not yet used by the application (file upload is a planned feature). The Docker Compose defaults work out of the box — you only need to set these variables if you replace MinIO with external S3-compatible storage.

| Variable | Required | Description |
| --- | --- | --- |
| `MINIO_ENDPOINT` | Optional | MinIO host. Defaults to `minio` (the Docker service name). Override to point at an external S3-compatible endpoint. |
| `MINIO_PORT` | Optional | MinIO port. Default is `9000`. |
| `MINIO_ACCESS_KEY` | Optional | MinIO access key. Defaults to `minioadmin` in the bundled stack. |
| `MINIO_SECRET_KEY` | Optional | MinIO secret key. Defaults to `minioadmin` in the bundled stack. Change for production. |
| `MINIO_BUCKET_NAME` | Optional | Name of the bucket. Defaults to `opencan`. |
| `MINIO_USE_SSL` | Optional | Set to `true` when pointing at an external S3 provider with TLS. Leave unset for the bundled MinIO container. |

Webhooks

| Variable | Required | Description |
| --- | --- | --- |
| `WEBHOOK_MAX` | Optional | Maximum number of webhook endpoints per instance. Defaults to `10`. Increase for multi-team deployments. |

Embeddable Widget

| Variable | Required | Description |
| --- | --- | --- |
| `WIDGET_JWT_SECRET` | Optional | Shared secret (minimum 32 characters) used to verify HMAC HS256 tokens issued by your host app for widget JWT auto-login. Generate with: `openssl rand -hex 32`. If unset, the widget works in guest mode only. |
| `WIDGET_ALLOWED_ORIGINS` | Optional | Space-separated list of origins allowed to embed OpenCan in an iframe, set as the `frame-ancestors` CSP directive on embed routes. Example: `https://app.example.com https://staging.example.com`. Defaults to `'none'` (no embedding allowed) when unset. |

Playwright (E2E testing only)

| Variable | Required | Description |
| --- | --- | --- |
| `PLAYWRIGHT_BASE_URL` | Dev only | Base URL for E2E tests. Defaults to `http://localhost:3000`. Only needed when running `npm run test:e2e`. |
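
Pre-start check

The rules stated across the tables above (required variables, paired OAuth credentials, secret lengths, origin format, default MinIO credentials) can be checked before the stack starts. The following is an added example, not part of OpenCan's code base; `validateEnv`, `REQUIRED`, `OAUTH_PAIRS` and `sampleEnv` are hypothetical names, and the origin check assumes entries are given without a trailing slash or default port.

```javascript
// Added example; validateEnv() is a hypothetical helper, not OpenCan code.
const REQUIRED = ['NODE_ENV', 'DATABASE_URL', 'REDIS_URL', 'IP_HASH_SECRET',
  'AUTH_SECRET', 'AUTH_URL', 'RESEND_API_KEY', 'RESEND_FROM'];
const OAUTH_PAIRS = [['GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET'],
  ['GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET']];

function validateEnv(env) {
  const errors = [];
  const isSet = (name) => typeof env[name] === 'string' && env[name].trim() !== '';
  for (const name of REQUIRED) {
    if (!isSet(name)) errors.push(`${name} is required but not set`);
  }
  if (isSet('NODE_ENV') && !['development', 'production'].includes(env.NODE_ENV)) {
    errors.push('NODE_ENV must be development or production');
  }
  // openssl rand -hex 32 emits 32 random bytes as exactly 64 hex characters.
  if (isSet('IP_HASH_SECRET') && !/^[0-9a-f]{64}$/i.test(env.IP_HASH_SECRET)) {
    errors.push('IP_HASH_SECRET must be 64 hex characters');
  }
  // An OAuth provider is usable only when both halves of its pair are present.
  for (const [id, secret] of OAUTH_PAIRS) {
    if (isSet(id) !== isSet(secret)) errors.push(`${id} and ${secret} must be set together`);
  }
  if (isSet('WIDGET_JWT_SECRET') && env.WIDGET_JWT_SECRET.length < 32) {
    errors.push('WIDGET_JWT_SECRET must be at least 32 characters');
  }
  // frame-ancestors entries are origins: scheme://host[:port] with no path.
  const origins = isSet('WIDGET_ALLOWED_ORIGINS') ? env.WIDGET_ALLOWED_ORIGINS.trim().split(/\s+/) : [];
  for (const origin of origins) {
    let ok = false;
    try { ok = new URL(origin).origin === origin; } catch { /* unparsable entry */ }
    if (!ok) errors.push(`WIDGET_ALLOWED_ORIGINS entry is not an origin: ${origin}`);
  }
  // minioadmin is the default the bundled stack ships with; flag it when set explicitly.
  if (env.NODE_ENV === 'production' && env.MINIO_SECRET_KEY === 'minioadmin') {
    errors.push('MINIO_SECRET_KEY is still the bundled default');
  }
  return errors;
}

// Constructed sample values, not a real configuration.
const sampleEnv = {
  NODE_ENV: 'production', DATABASE_URL: 'postgresql://user:pass@host:5432/opencan',
  REDIS_URL: 'redis://localhost:6379', IP_HASH_SECRET: 'ab'.repeat(32),
  AUTH_SECRET: 'constructed-sample-secret', AUTH_URL: 'https://feedback.example.com',
  RESEND_API_KEY: 'constructed-sample-key', RESEND_FROM: 'OpenCan <noreply@opencan.dev>',
  GOOGLE_CLIENT_ID: 'constructed-client-id', MINIO_SECRET_KEY: 'minioadmin',
  WIDGET_ALLOWED_ORIGINS: 'https://app.example.com https://staging.example.com/embed',
};
console.log(validateEnv(sampleEnv).join('\n'));
```

Call `validateEnv(process.env)` at startup and exit non-zero when the returned list is not empty, so a misconfigured deployment stops before it serves traffic.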