Environment Variables
Copy .env.example to .env and populate each variable before starting the stack. Variables marked Required must be set — the app will fail to start or behave incorrectly without them.
cp .env.example .env
App
| Variable | Required | Description |
|---|---|---|
| NODE_ENV | Yes | Set to development or production. Controls Next.js optimizations and error verbosity. |
| NEXT_PUBLIC_APP_URL | Yes | Public base URL of your instance, e.g. https://feedback.example.com. Used to generate absolute links in emails and OAuth redirects. |
Database (PostgreSQL)
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | PostgreSQL connection string. Example: postgresql://user:pass@host:5432/opencan. When using the bundled Docker Compose stack, this is pre-wired to the postgres service. |
Redis
| Variable | Required | Description |
|---|---|---|
| REDIS_URL | Yes | Redis connection string. Example: redis://localhost:6379. Used for the session blocklist and rate limiting. |
Security
| Variable | Required | Description |
|---|---|---|
| IP_HASH_SECRET | Yes | 32-byte hex string used to HMAC IP addresses for guest vote deduplication. Hashing preserves dedup without storing raw IPs. Generate with: openssl rand -hex 32. Must be unique per environment. |
Auth
| Variable | Required | Description |
|---|---|---|
| AUTH_SECRET | Yes | NextAuth signing and encryption secret. Generate with: openssl rand -base64 32. Rotating this value invalidates all existing sessions. |
| AUTH_URL | Yes | Full URL to your deployment. Should match NEXT_PUBLIC_APP_URL. |
| GOOGLE_CLIENT_ID | Optional | Google OAuth app client ID. Only required if you want "Sign in with Google". Create credentials at console.cloud.google.com. |
| GOOGLE_CLIENT_SECRET | Optional | Google OAuth app client secret. Required alongside GOOGLE_CLIENT_ID. |
| GITHUB_CLIENT_ID | Optional | GitHub OAuth app client ID. Only required if you want "Sign in with GitHub". Create an OAuth app in your GitHub settings. |
| GITHUB_CLIENT_SECRET | Optional | GitHub OAuth app client secret. Required alongside GITHUB_CLIENT_ID. |
Email (Resend)
| Variable | Required | Description |
|---|---|---|
| RESEND_API_KEY | Yes | API key from your Resend account. Required for magic link login and email verification to work. |
| RESEND_FROM | Yes | Sender address for all transactional emails. Example: OpenCan <noreply@opencan.dev>. The domain must be verified in Resend. |
Object Storage (MinIO / S3-compatible)
OpenCan uses MinIO (bundled in Docker Compose) for file uploads. You can substitute any S3-compatible service by pointing these variables at it.
| Variable | Required | Description |
|---|---|---|
| MINIO_ENDPOINT | Yes | MinIO host. Use minio (the Docker service name) for the bundled stack, or your S3 endpoint hostname for external storage. |
| MINIO_PORT | Yes | MinIO port. Default is 9000. |
| MINIO_ACCESS_KEY | Yes | MinIO access key, equivalent to S3 access key ID. |
| MINIO_SECRET_KEY | Yes | MinIO secret key, equivalent to S3 secret access key. |
| MINIO_BUCKET_NAME | Yes | Name of the bucket to store uploads in. The app will attempt to create this bucket on startup if it does not exist. |
| MINIO_USE_SSL | Yes | Set to true in production. Set to false for local MinIO without TLS. |
Playwright (E2E testing only)
| Variable | Required | Description |
|---|---|---|
| PLAYWRIGHT_BASE_URL | Dev only | Base URL for E2E tests. Defaults to http://localhost:3000. Only needed when running npm run test:e2e. |
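
A preflight check for the rules in the tables above, as an added example that is not part of OpenCan's own code. The names `parseEnv` and `lintEnv` and all sample values are constructed for illustration; comparing the two URLs as exact strings and requiring each OAuth ID and secret to be set together are this example's reading of the descriptions.

```javascript
// Added example: lint a .env file against the rules stated in the tables above.
const REQUIRED = ['NODE_ENV', 'NEXT_PUBLIC_APP_URL', 'DATABASE_URL', 'REDIS_URL',
  'IP_HASH_SECRET', 'AUTH_SECRET', 'AUTH_URL', 'RESEND_API_KEY', 'RESEND_FROM',
  'MINIO_ENDPOINT', 'MINIO_PORT', 'MINIO_ACCESS_KEY', 'MINIO_SECRET_KEY',
  'MINIO_BUCKET_NAME', 'MINIO_USE_SSL'];
const OAUTH_PAIRS = [['GOOGLE_CLIENT_ID', 'GOOGLE_CLIENT_SECRET'],
  ['GITHUB_CLIENT_ID', 'GITHUB_CLIENT_SECRET']];

// Minimal KEY=VALUE parser: skips blanks and # comments, strips one pair of quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
  }
  return env;
}

// Returns a list of human-readable problems; an empty list means the file passes.
function lintEnv(env) {
  const problems = [];
  for (const name of REQUIRED) if (!env[name]) problems.push(`${name} is required but empty`);
  if (env.NODE_ENV && !['development', 'production'].includes(env.NODE_ENV))
    problems.push('NODE_ENV must be development or production');
  // openssl rand -hex 32 prints 32 random bytes as exactly 64 hex characters.
  if (env.IP_HASH_SECRET && !/^[0-9a-fA-F]{64}$/.test(env.IP_HASH_SECRET))
    problems.push('IP_HASH_SECRET must be 64 hex characters (32 bytes)');
  if (env.AUTH_URL && env.NEXT_PUBLIC_APP_URL && env.AUTH_URL !== env.NEXT_PUBLIC_APP_URL)
    problems.push('AUTH_URL should match NEXT_PUBLIC_APP_URL');
  if (env.NODE_ENV === 'production' && env.MINIO_USE_SSL !== 'true')
    problems.push('MINIO_USE_SSL must be true in production');
  for (const [id, secret] of OAUTH_PAIRS)
    if (Boolean(env[id]) !== Boolean(env[secret]))
      problems.push(`${id} and ${secret} must be set together`);
  return problems;
}

// Constructed sample with placeholder values; four settings are deliberately wrong.
const SAMPLE = ['NODE_ENV=production', 'NEXT_PUBLIC_APP_URL=https://feedback.example.com',
  'DATABASE_URL=postgresql://user:pass@host:5432/opencan', 'REDIS_URL=redis://localhost:6379',
  'IP_HASH_SECRET=deadbeef', 'AUTH_SECRET=placeholder', 'AUTH_URL=http://localhost:3000',
  'RESEND_API_KEY=placeholder', 'RESEND_FROM="OpenCan <noreply@opencan.dev>"',
  'MINIO_ENDPOINT=minio', 'MINIO_PORT=9000', 'MINIO_ACCESS_KEY=placeholder',
  'MINIO_SECRET_KEY=placeholder', 'MINIO_BUCKET_NAME=uploads', 'MINIO_USE_SSL=false',
  'GOOGLE_CLIENT_ID=placeholder-id'].join('\n');
console.log(lintEnv(parseEnv(SAMPLE)));
```

To check a real file under Node, pass the result of `fs.readFileSync('.env', 'utf8')` to `parseEnv`.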