Environment Variables

CareNova uses environment variables to configure all external services, database connections, and application behavior.

This page is a complete reference for every variable used by the application.

Creating the Environment File

Inside the root of carenova-app/, create a new file named .env.local:

touch .env.local

The file must be placed at the project root:

carenova-app/
├── app/
├── components/
├── lib/
├── public/
├── .env.local        ← create this file here
├── package.json
└── next.config.js

.env.local is already included in .gitignore and will never be committed to version control. Never rename it to .env as that file can be accidentally committed.

Complete Variable Reference

Supabase — Authentication & Database

These variables connect CareNova to your Supabase project. Found in Supabase Dashboard → Settings → API.

NEXT_PUBLIC_SUPABASE_URLRequired · Public

Your Supabase project URL. Used by both the frontend and backend to communicate with Supabase services.

NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co

Where to find it: Settings → API → Project URL

NEXT_PUBLIC_SUPABASE_ANON_KEYRequired · Public

The public anonymous API key. Used for authentication and client-side Supabase requests. Safe to expose in the browser — Supabase enforces security at the database level.

NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key

Where to find it: Settings → API → Project API Keys → anon public

SUPABASE_SERVICE_ROLE_KEYRequired · Server only

The service role key. Used for admin operations, storage bucket management, and seed scripts. Bypasses Row Level Security — never expose this publicly.

SUPABASE_SERVICE_ROLE_KEY=your-service-role-key

Where to find it: Settings → API → Project API Keys → service_role

This key has full database access. Keep it server-side only and never commit it to a public repository.

Database — Drizzle ORM Connection

DATABASE_URLRequired · Server only

The PostgreSQL connection string used by Drizzle ORM for all database queries. Must use the Transaction pooler on port 6543 with ?pgbouncer=true appended.

DATABASE_URL=postgresql://postgres.[ref]:[YOUR-PASSWORD]@aws-0-[region].pooler.supabase.com:6543/postgres?pgbouncer=true

Where to find it: Settings → Database → Connection String → Transaction mode

⚠️ Port 6543 and ?pgbouncer=true are both required. Using port 5432 without pgBouncer will cause connection failures under load. CareNova uses prepare: false in Drizzle config for pgBouncer transaction mode compatibility.

DIRECT_DATABASE_URLOptional · Server only

A direct session-mode connection string used only when running npm run db:migrate. Not required for normal development or production operation.

DIRECT_DATABASE_URL=postgresql://postgres.[ref]:[YOUR-PASSWORD]@aws-0-[region].pooler.supabase.com:5432/postgres

Where to find it: Settings → Database → Connection String → Session mode

Application Configuration

NEXT_PUBLIC_SITE_URLRequired · Public

The base URL of your application. Used for authentication redirects and email confirmation links.

# Local development
NEXT_PUBLIC_SITE_URL=http://localhost:3000

# Production
NEXT_PUBLIC_SITE_URL=https://yourdomain.com

This value must match the Site URL configured in Supabase → Authentication → URL Configuration. If they do not match, email confirmation links will not work.

CRON_SECRETRequired · Server only

A secret string that protects the cleanup cron endpoint at /api/cron/cleanup-auth. Any request to this endpoint without the correct secret returns a 401 error.

CRON_SECRET=your-random-secret-string

Generate a secure value using:

openssl rand -base64 32

CARENOVA_DEBUGOptional · Server only

Enables verbose [CareNova] debug logs in the terminal. Useful for tracing auth flows, DB queries, and layout performance during development.

# Enable debug logs
CARENOVA_DEBUG=1

# Disable (default)
# CARENOVA_DEBUG=0

Set to 1 for local development only. Remove or set to 0 for production — leaving it enabled in production will output excessive logs.

When enabled, the following are activated:

• Verbose auth and layout trace logs

• Drizzle SQL query logger (prints every query)

• Extra dashboard performance timing

• Background task failure warnings

Email — Resend

RESEND_API_KEYRequired for email · Server only

API key for sending transactional emails via Resend — signup confirmation, password reset, and email verification.

RESEND_API_KEY=re_xxxxxxxxxx

Where to find it: resend.com → API Keys → Create API Key

Without this key, email confirmation will not work in production. During local development, a mock log is shown in the terminal instead of sending a real email.

Envato License

ENVATO_PERSONAL_TOKENRequired for production · Server only

Your Envato personal token. Used to verify Envato purchase codes submitted on the /setup activation screen.

ENVATO_PERSONAL_TOKEN=your-envato-personal-token

Where to find it: build.envato.com/api/ → Create a new token with Purchase permission

ENVATO_ITEM_IDRequired for production · Server only

The CodeCanyon item ID for CareNova. Used to verify that a submitted purchase code belongs to CareNova and not another product.

ENVATO_ITEM_ID=your-codecanyon-item-id

Where to find it: Your CodeCanyon listing URL — the number at the end is your item ID.

Demo Data

DEMO_PASSWORDOptional · Server only

The password assigned to all demo accounts created by npm run db:seed. If not set, defaults to Demo123!.

DEMO_PASSWORD=Demo123!

Demo accounts created by the seed script:

• admin@carenova.demo

• doctor@carenova.demo

• receptionist@carenova.demo

• nurse@carenova.demo

Change this value before seeding if you want custom demo account passwords. The value must meet the password policy — minimum 8 characters, uppercase, lowercase, number, and special character.

Optional Configuration

DIRECT_DATABASE_URLOptional · Server only

Already covered in the Database section above. Only needed for npm run db:migrate.

TEETH_IMAGES_BASE_URLOptional · Server only

Base URL for teeth images used in the Odontogram module. If not set, a default external URL is used.

TEETH_IMAGES_BASE_URL=https://your-domain.com/teeth

Only required if you want to self-host the odontogram tooth images.

Complete .env.local Template

Copy this template into your .env.local file and replace all placeholder values:

# ─── Supabase (Auth + Database) ─────────────────────────────
# Get these from: Supabase Dashboard → Settings → API
NEXT_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key

# ─── Database (Drizzle ORM) ──────────────────────────────────
# Use Transaction pooler (port 6543) — add ?pgbouncer=true
# Get from: Settings → Database → Connection String → Transaction mode
DATABASE_URL=postgresql://postgres.[ref]:[PASSWORD]@aws-0-[region].pooler.supabase.com:6543/postgres?pgbouncer=true

# Optional: Session mode (port 5432) for migrations only
# Get from: Settings → Database → Connection String → Session mode
# DIRECT_DATABASE_URL=postgresql://postgres.[ref]:[PASSWORD]@aws-0-[region].pooler.supabase.com:5432/postgres

# ─── Supabase Service Role ───────────────────────────────────
# Required for storage and admin operations — never expose publicly
# Get from: Settings → API → service_role key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key

# ─── Site URL ────────────────────────────────────────────────
# Must match Site URL in Supabase Auth → URL Configuration
# Local: http://localhost:3000 | Production: https://yourdomain.com
NEXT_PUBLIC_SITE_URL=http://localhost:3000

# ─── Resend (Transactional Email) ────────────────────────────
# Required for email confirmation and password reset
# Get from: https://resend.com/api-keys
RESEND_API_KEY=re_xxxxxxxxxx

# ─── Cron Job Protection ─────────────────────────────────────
# Protects /api/cron/cleanup-auth — generate with: openssl rand -base64 32
CRON_SECRET=your-random-secret-string

# ─── Envato License Verification ─────────────────────────────
# Required for purchase code activation on first launch
# Get from: https://build.envato.com/api/
ENVATO_PERSONAL_TOKEN=your-envato-personal-token
ENVATO_ITEM_ID=your-codecanyon-item-id

# ─── Demo Data (optional) ────────────────────────────────────
# Password for demo accounts created by npm run db:seed
# Default: Demo123! — must meet password policy requirements
# DEMO_PASSWORD=Demo123!

# ─── Debug Logs (development only) ──────────────────────────
# Set to 1 to enable verbose [CareNova] logs — remove for production
# CARENOVA_DEBUG=1

# ─── Teeth Images (optional) ─────────────────────────────────
# Base URL for odontogram tooth images — uses default if not set
# TEETH_IMAGES_BASE_URL=https://your-domain.com/teeth

Variable Summary Table

Security Best Practices

• Never commit .env.local to any repository — it is already in .gitignore

• Never expose SUPABASE_SERVICE_ROLE_KEY in client-side code or browser-accessible files

• Use strong values for CRON_SECRET — generate with openssl rand -base64 32

• Use different values for development and production environments

• Store production secrets in your hosting platform's environment variable settings — never in files

Setting Variables in Production (Vercel)

For production deployments on Vercel:

1. Go to your Vercel project dashboard

2. Navigate to Settings → Environment Variables

3. Add each variable with its production value

4. Set the environment scope — Production, Preview, or Development

5. Redeploy your application after adding variables

NEXT_PUBLIC_SITE_URL must be set to your actual production domain in Vercel — for example https://app.yourdomain.com. The localhost value from .env.local must not be used in production.

Helpful resources:

• Vercel environment variables guide

• Supabase API keys guide

• Resend API keys

Next Step

Environment variables are now configured. Continue to the Deployment guide to take CareNova to production, or return to the Installation Guide to complete your local setup.