Skip to main content
Version: 1.2.0
Last Updated: 2026-03-12
Target Audience: Developers
This guide documents all environment variables used in the Encore OS Platform, including required variables, optional variables, and security best practices.

Quick Start

  1. Copy .env.example to .env.local
  2. Fill in your Supabase credentials
  3. Never commit .env.local to version control

Required Variables

Supabase Configuration

VITE_SUPABASE_URL (Required)
  • Description: Your Supabase project URL
  • Format: https://{project-ref}.supabase.co
  • Example: https://abcdefghijklmnop.supabase.co
  • Where to get: Supabase Dashboard → Settings → API → Project URL
  • Client Access: ✅ Exposed to client (VITE_ prefix)
  • Security: Safe to expose (public URL)
VITE_SUPABASE_PUBLISHABLE_KEY (Required)
  • Description: Supabase anon/public key for client-side access
  • Format: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
  • Where to get: Supabase Dashboard → Settings → API → anon public key
  • Client Access: ✅ Exposed to client (VITE_ prefix)
  • Security: Safe to expose (public key, RLS enforced)
  • Note: This is the “anon” key, not the service role key

Development/Testing Variables

Service Role Key (Testing Only)

SUPABASE_SERVICE_ROLE_KEY (Development Only)
  • Description: Supabase service role key - bypasses RLS
  • Format: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
  • Where to get: Supabase Dashboard → Settings → API → service_role key
  • Client Access: ❌ NEVER use in client code
  • Security: ⚠️ CRITICAL - Bypasses all RLS policies
  • Usage: Only in test files and edge functions
  • Warning: Never commit this value, never use in production client code

Optional Variables (Future)

Feature Flags

VITE_ENABLE_ANALYTICS (Optional)
  • Description: Enable analytics tracking
  • Type: Boolean
  • Default: false
  • Values: true | false
  • Client Access: ✅ Exposed to client
VITE_ENABLE_ERROR_TRACKING (Optional)
  • Description: Enable error tracking (Sentry, LogRocket)
  • Type: Boolean
  • Default: false
  • Values: true | false
  • Client Access: ✅ Exposed to client
VITE_ENABLE_AI_FEATURES (Optional)
  • Description: Enable AI-powered features
  • Type: Boolean
  • Default: true
  • Values: true | false
  • Client Access: ✅ Exposed to client

Edge Function Secrets

Edge function secrets are NOT set in .env.local. They are set via Supabase CLI:

Scheduled Tasks / CRON

CRON_SECRET (Required for cron-triggered edge functions)
  • Functions: gr-coi-attestation-reminders, hr-credential-expiry-check, and other scheduled functions
  • Description: Shared secret used to authenticate cron-triggered edge functions. The function validates Authorization: Bearer <CRON_SECRET> and rejects requests where the header is missing or mismatched.
  • Format: Random string (min 32 characters recommended)
  • Set via: supabase secrets set CRON_SECRET=<random-string>
  • Security: ⚠️ CRITICAL — Must be fail-closed: if CRON_SECRET is not set, the function must throw (not skip auth)

Encryption Keys

BANK_ENCRYPTION_KEY (Required for financial data encryption)
  • Functions: fa-bank-account-encrypt, account verification flows
  • Description: AES-256-GCM key for encrypting sensitive bank account data (routing numbers, account numbers) at rest
  • Format: Base64-encoded 256-bit key
  • Set via: supabase secrets set BANK_ENCRYPTION_KEY=<base64-key>
  • Security: ⚠️ CRITICAL — Loss of this key means encrypted bank data is irrecoverable. Rotate via re-encryption migration.
SSN_ENCRYPTION_KEY (Required for SSN/TIN encryption)
  • Functions: hr-ssn-encrypt, payroll processing, tax form generation
  • Description: AES-256-GCM key for encrypting Social Security Numbers and Tax Identification Numbers
  • Format: Base64-encoded 256-bit key
  • Set via: supabase secrets set SSN_ENCRYPTION_KEY=<base64-key>
  • Security: ⚠️ CRITICAL — PHI/PII protection. Must never appear in logs or error messages.

Portal Authentication

PORTAL_JWT_SECRET (Required for external portal access)
  • Functions: portal-auth, portal-verify-token
  • Description: HMAC-SHA256 secret for signing and verifying JWTs issued to external portal users (e.g., partner portals, resident portals)
  • Format: Random string (min 64 characters recommended)
  • Set via: supabase secrets set PORTAL_JWT_SECRET=<random-string>
  • Security: ⚠️ Separate from Supabase Auth JWT secret; used only for portal-scoped tokens
PORTAL_BASE_URL (Required for portal links)
  • Functions: portal-invite, notification emails containing portal links
  • Description: Base URL for the external-facing portal (used to construct invite/reset links)
  • Format: https://portal.your-domain.com
  • Set via: supabase secrets set PORTAL_BASE_URL=https://portal.your-domain.com

Email Service (Entra ID & Gmail)

Org-level email uses Microsoft Entra ID (Graph API) or Gmail (Google Workspace). Entra ID (optional):
  • ENTRA_CLIENT_SECRET — Client secret for the Entra app registration used for Graph API (e.g. Mail.Send).
  • Set via: supabase secrets set ENTRA_CLIENT_SECRET=xxxxx
  • Per-org: Configure in Settings → Integrations → Microsoft Entra ID (tenant, app, sender email).
Gmail (optional):
  • GMAIL_SERVICE_ACCOUNT_JSON — Full JSON key for the Google Cloud service account (with domain-wide delegation for Gmail API).
  • Set via: supabase secrets set GMAIL_SERVICE_ACCOUNT_JSON='{"type":"service_account",...}'
  • Per-org: Set sender email in Settings → Integrations → Google Workspace (Gmail).

SMS Service (RingCentral)

RINGCENTRAL_CLIENT_ID
  • Function: sms-send, ringcentral-setup
  • Where to get: RingCentral Developer Console → your app → Credentials
  • Format: xxxxx
  • Set via: supabase secrets set RINGCENTRAL_CLIENT_ID=xxxxx
RINGCENTRAL_CLIENT_SECRET
  • Function: sms-send, ringcentral-setup
  • Where to get: RingCentral Developer Console → your app → Credentials
  • Format: xxxxx
  • Set via: supabase secrets set RINGCENTRAL_CLIENT_SECRET=xxxxx
RINGCENTRAL_JWT_TOKEN
  • Function: sms-send, ringcentral-setup
  • Where to get: RingCentral Developer Console → Credentials → JWT
  • Format: JWT string
  • Set via: supabase secrets set RINGCENTRAL_JWT_TOKEN=xxxxx

AI Service (OpenRouter) - PF-59

OPENROUTER_API_KEY (Required for AI features)
  • Functions: ai-assistant, ai-document-analyze, generate-report-narrative
  • Where to get: OpenRouter Dashboard
  • Format: sk-or-v1-xxxxx
  • Set via: supabase secrets set OPENROUTER_API_KEY=sk-or-v1-xxxxx
  • Note: Replaced LOVABLE_API_KEY as of PF-59 migration
APP_URL (Required for AI features)
  • Functions: All AI-related edge functions
  • Description: Application URL for OpenRouter attribution (HTTP-Referer header)
  • Format: https://your-app.lovable.app
  • Set via: supabase secrets set APP_URL=https://data-mover-pal.lovable.app

Model Selection by Module

OpenRouter routes to different models based on module context:

Environment-Specific Configuration

Development

File: .env.local (gitignored)

Staging

Set via: Vercel Environment Variables or Supabase Dashboard

Production

Set via: Vercel Environment Variables or Supabase Dashboard

Security Best Practices

1. Never Commit Secrets

✅ DO:
  • Use .env.local for local development
  • Add .env.local to .gitignore
  • Use .env.example as template (no real values)
❌ DON’T:
  • Commit .env.local with real values
  • Put secrets in .env.example
  • Hardcode secrets in code
  • Share secrets in chat/email

2. VITE_ Prefix Rules

All VITE_* variables are exposed to the client bundle:
  • ✅ Safe: Public URLs, anon keys, feature flags
  • ❌ Never: Service role keys, API secrets, passwords
Example:

3. Edge Function Secrets

Edge function secrets are separate:
  • Set via supabase secrets set KEY=value
  • Never in .env.local or client code
  • Only accessible in edge function runtime

4. Service Role Key

Service role key is CRITICAL:
  • ⚠️ Bypasses all RLS policies
  • ❌ Never use in client code
  • ✅ Only in test files and edge functions
  • ✅ Only in development/staging

Variable Validation

Required Variables Check

The application validates required variables on startup:

Development Warnings

The app will warn if:
  • Required variables are missing
  • Service role key is used in client code (development only)
  • Invalid Supabase URL format

How to Obtain Keys

Supabase Keys

  1. Go to Supabase Dashboard
  2. Select your project
  3. Navigate to SettingsAPI
  4. Copy:
    • Project URLVITE_SUPABASE_URL
    • anon public keyVITE_SUPABASE_PUBLISHABLE_KEY
    • service_role keySUPABASE_SERVICE_ROLE_KEY (testing only)

Email Provider Secrets

All email (notifications, HR, automation, and signature flows) is sent via the shared org-level email-provider (Entra ID or Gmail).
  • Entra: ENTRA_CLIENT_SECRET
  • Gmail: GMAIL_SERVICE_ACCOUNT_JSON

RingCentral Credentials

  1. Go to the RingCentral Developer Console
  2. Open your app → Credentials
  3. Copy:
    • Client IDRINGCENTRAL_CLIENT_ID
    • Client SecretRINGCENTRAL_CLIENT_SECRET
    • JWT credentialRINGCENTRAL_JWT_TOKEN
  4. Set via Supabase CLI:

Troubleshooting

Issue: “Missing required Supabase environment variables”

Solution:
  1. Check .env.local exists
  2. Verify variables are set:
  3. Restart development server
  4. Check for typos in variable names

Issue: “Invalid Supabase URL”

Solution:
  1. Verify URL format: https://{project-ref}.supabase.co
  2. Check for trailing slashes (remove if present)
  3. Ensure HTTPS (not HTTP)

Issue: “Service role key in client code”

Solution:
  1. Remove SUPABASE_SERVICE_ROLE_KEY from .env.local
  2. Only use in test files: tests/**/*.ts
  3. Never import in client code: src/**/*.tsx

Issue: “Edge function can’t access secrets”

Solution:
  1. Verify secrets are set:
  2. Redeploy function after setting secrets:
  3. Check secret names match exactly (case-sensitive)

Issue: “CORS errors in development”

Solution:
  1. Verify VITE_SUPABASE_URL points to correct project
  2. Check Supabase project CORS settings
  3. Ensure edge functions include CORS headers

Production Deployment

Vercel Environment Variables

Vercel project environment variables are intentionally not used for this repo’s frontend build/runtime configuration as of 2026-04-20.
  • Public client config values are defined at build time in vite.config.ts.
  • vercel.json must not contain env or build.env keys.
  • CI enforces this via npm run check:no-vercel-env-config.
Do not reintroduce project-level Vercel env variables without explicit platform approval and an updated migration document.

Supabase Edge Function Secrets

  1. Set secrets via Supabase CLI (e.g. RingCentral, Entra, Gmail):
  2. Or via Supabase Dashboard → Project Settings → Edge Functions → Secrets

  • Edge Functions: docs/integrations/EDGE_FUNCTIONS.md
  • Supabase Setup: docs/integrations/SUPABASE_SETUP.md
  • Secrets Management: docs/security/SECRETS_MANAGEMENT.md
  • .env.example: .env.example (template file)

Setup & Configuration

  • PWA Setup - PWA configuration and environment requirements
  • Setup Quick Start - First-time developer setup including environment variables

Development Guides


Document Owner: Platform Team
Review Frequency: Quarterly