Environment Variables
Reference for all environment variables.
Database
Supabase
```bash
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_ANON_KEY=your-anon-key
SUPABASE_SERVICE_KEY=your-service-key
```

Firebase
```bash
FIREBASE_PROJECT_ID=your-project-id
FIREBASE_CLIENT_EMAIL=firebase-adminsdk@project.iam.gserviceaccount.com
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
```

Authentication
```bash
JWT_SECRET=your-secure-secret-key-min-32-chars
API_KEY=optional-api-key-for-header-auth
```

Cache
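```bash
# Local instance without authentication
REDIS_URL=redis://localhost:6379
# Instance with password authentication (set only one REDIS_URL)
REDIS_URL=redis://:password@host:port
```

AI/LLM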
```bash
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_API_KEY=...
```

Vector Store
```bash
QDRANT_URL=https://your-cluster.qdrant.io:6333
QDRANT_API_KEY=your-api-key
```

Integrations
JIRA
```bash
JIRA_BASE_URL=https://your-org.atlassian.net
JIRA_EMAIL=your-email@example.com
JIRA_API_TOKEN=your-api-token
```

GitHub
```bash
GITHUB_TOKEN=ghp_...
```

Stripe
```bash
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
```

SendGrid
```bash
SENDGRID_API_KEY=SG....
```

Slack
```bash
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
SLACK_BOT_TOKEN=xoxb-...
```

Twilio
```bash
TWILIO_ACCOUNT_SID=AC...
TWILIO_AUTH_TOKEN=...
TWILIO_FROM_NUMBER=+1234567890
```

Polar
```bash
POLAR_ACCESS_TOKEN=...
```

Storage
R2 (Cloudflare)
```bash
R2_ACCOUNT_ID=your-account-id
R2_ACCESS_KEY_ID=your-access-key
R2_SECRET_ACCESS_KEY=your-secret-key
R2_BUCKET=your-bucket-name
R2_PUBLIC_URL=https://your-bucket.r2.dev
```

Environment Files
Backflow uses environment files in env/:
```
env/
├── .env.development
└── .env.production
```

Development
```bash
npm run dev # Uses env/.env.development
```

Production
```bash
npm start # Uses env/.env.production
```

Using in Config
Reference environment variables in config.json:
```json
{
  "supabase": {
    "url": "{{env.SUPABASE_URL}}",
    "anonKey": "{{env.SUPABASE_ANON_KEY}}"
  },
  "jwt": {
    "secret": "{{env.JWT_SECRET}}"
  },
  "credentials": {
    "stripe": {
      "secretKey": "{{env.STRIPE_SECRET_KEY}}"
    }
  }
}
```

Secrets vs Environment Variables

| Feature | Environment Variables | Secrets |
|---|---|---|
| Storage | .env files, system env | Database (encrypted) |
| Scope | Application-wide | Per-tenant |
| Syntax | {{env.VAR}} | {{secret:KEY}} |
| Rotation | Manual restart | API-based, no restart |
| Expiration | No | Yes |
| Audit | No | Yes |
When to Use What
Environment Variables - Shared across all tenants:
- Database connection strings
- JWT secrets
- Cache URLs
- Default API keys
Secrets - Tenant-specific:
- OAuth tokens per customer
- Customer API keys
- Stripe keys per merchant
- Integration credentials
Managing Secrets
Set Secret
```bash
POST /tenant/secrets
Authorization: Bearer <token>
x-tenant-id: tenant-123

{
  "key": "STRIPE_KEY",
  "value": "sk_live_...",
  "metadata": { "service": "stripe" },
  "expiresAt": "2025-12-31T23:59:59Z"
}
```

Get Secret (Metadata Only)
```bash
GET /tenant/secrets
Authorization: Bearer <token>
# Returns key names and metadata, not values
```

Rotate Secret
```bash
POST /tenant/secrets/rotate
Authorization: Bearer <token>

{
  "key": "API_KEY",
  "newValue": "new-secret",
  "gracePeriodDays": 30
}
```

Delete Secret
```bash
DELETE /tenant/secrets/API_KEY
Authorization: Bearer <token>
```

Best Practices
- Never commit .env files
- Use .env.example for documentation
- Use different keys per environment
- Rotate secrets regularly
- Use strong JWT secrets (32+ chars)
- Store production secrets in secure vault
- Use secrets for tenant-specific credentials
- Set expiration on temporary tokens
- Use the audit trail to track secret access
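
Several of the practices above can be checked mechanically before the application starts. The script below is an added example, not part of Backflow: the names parseEnv, lintEnv and SECRET_VARS are hypothetical, and the sample file contents are constructed for illustration.

```javascript
// Preflight lint for env/.env.* contents (added example, not Backflow code).
// parseEnv, lintEnv and SECRET_VARS are hypothetical names.
const SECRET_VARS = ["JWT_SECRET", "SUPABASE_SERVICE_KEY", "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"];

// Minimal KEY=VALUE parser: skips blanks and comments, strips surrounding quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq < 1) continue;
    vars[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return vars;
}

// Findings for one environment file; `other` is the parsed file of the
// other environment, used to detect secrets shared between the two.
function lintEnv(name, vars, other = {}) {
  const findings = [];
  // A missing JWT_SECRET counts as too short.
  if ((vars.JWT_SECRET || "").length < 32) findings.push("JWT_SECRET shorter than 32 chars");
  for (const [key, value] of Object.entries(vars)) {
    // Values copied from the reference unchanged: your-anon-key, sk-..., etc.
    if (/^your-|\.\.\.$/.test(value)) findings.push(`${key} is still a placeholder`);
  }
  if (name !== "production" && /^sk_live_/.test(vars.STRIPE_SECRET_KEY || "")) {
    findings.push("live Stripe key in non-production file");
  }
  for (const key of SECRET_VARS) {
    if (vars[key] && vars[key] === other[key]) findings.push(`${key} reused across environments`);
  }
  return findings;
}

// Constructed sample files; every value is made up for this example.
const development = parseEnv(`
JWT_SECRET=dev-secret
SUPABASE_ANON_KEY=your-anon-key
STRIPE_SECRET_KEY=sk_live_EXAMPLEONLY
STRIPE_WEBHOOK_SECRET="whsec_EXAMPLESHARED"
`);
const production = parseEnv(`
JWT_SECRET=c0nstructed-example-value-of-40-chars-xx
STRIPE_SECRET_KEY=sk_live_EXAMPLEPROD
STRIPE_WEBHOOK_SECRET=whsec_EXAMPLESHARED
`);

console.log(lintEnv("development", development, production));
console.log(lintEnv("production", production, development));
```

In a real setup the two strings would be read from env/.env.development and env/.env.production, and a non-empty findings list would fail the start script.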