Update environment configurations and remove internal secret validation for docs tools

- Added `STACK_DOCS_INTERNAL_BASE_URL` to backend `.env` and `.env.development` files for AI tool bundle configuration.
- Removed references to `STACK_INTERNAL_DOCS_TOOLS_SECRET` from backend and docs environment files and validation logic from the docs tools API route.
- Introduced a new `.env` file for the docs app with essential configuration variables.

apps/backend/.env

@@ -115,3 +115,6 @@ STACK_STRIPE_SECRET_KEY=# enter your stripe api key
 STACK_STRIPE_WEBHOOK_SECRET=# enter your stripe webhook secret
 STACK_TELEGRAM_BOT_TOKEN= # enter you telegram bot token
 STACK_TELEGRAM_CHAT_ID=# enter your telegram chat id
+
+# Docs AI tool bundle
+STACK_DOCS_INTERNAL_BASE_URL=# override the docs origin used by the backend's AI tool bundle to call the docs app's `/api/internal/docs-tools` endpoint. Defaults to http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}04 in dev, https://mcp.stack-auth.com in prod

apps/backend/.env.development

@@ -77,10 +77,7 @@ STACK_OPENAI_API_KEY=mock_openai_api_key
 STACK_STRIPE_SECRET_KEY=sk_test_mockstripekey
 STACK_STRIPE_WEBHOOK_SECRET=mock_stripe_webhook_secret
 STACK_OPENROUTER_API_KEY=FORWARD_TO_PRODUCTION
-# Optional: override docs origin for the `docs` AI tool bundle (defaults to http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}04 in dev, https://mcp.stack-auth.com in prod)
 # STACK_DOCS_INTERNAL_BASE_URL=http://localhost:8104
-# Optional: shared secret; when set, backend sends it and docs `/api/internal/docs-tools` requires it
-# STACK_INTERNAL_DOCS_TOOLS_SECRET=
 # Email monitor configuration for tests
 STACK_EMAIL_MONITOR_VERIFICATION_CALLBACK_URL=http://localhost:8101/handler/email-verification
 STACK_EMAIL_MONITOR_PROJECT_ID=internal

apps/backend/src/lib/ai/tools/docs.ts

@@ -22,15 +22,10 @@ function getDocsToolsBaseUrl(): string {
 
 async function postDocsToolAction(action: Record<string, unknown>): Promise<string> {
   const base = getDocsToolsBaseUrl();
-  const secret = getEnvVariable("STACK_INTERNAL_DOCS_TOOLS_SECRET", "");
-  const headers = new Headers({ "Content-Type": "application/json" });
-  if (secret !== "") {
-    headers.set("x-stack-internal-docs-tools-secret", secret);
-  }
 
   const res = await fetch(`${base}/api/internal/docs-tools`, {
     method: "POST",
-    headers,
+    headers: { "Content-Type": "application/json" },
     body: JSON.stringify(action),
   });
 

docs/.env

@@ -0,0 +1,6 @@
+# Basic
+NEXT_PUBLIC_STACK_API_URL=# the base URL of Stack's backend/API
+NEXT_PUBLIC_STACK_PROJECT_ID=# the project ID to use
+NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=# publishable client key for the project
+STACK_SECRET_SERVER_KEY=# secret server key for the project
+STACK_OPENROUTER_API_KEY=# OpenRouter API key for AI-enabled chat

docs/.env.development

@@ -5,5 +5,3 @@ NEXT_PUBLIC_STACK_PROJECT_ID=internal
 NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
 STACK_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
 STACK_OPENROUTER_API_KEY=your-open-router-api-key-for-ai-enabled-chat
-# Optional: require this header value for POST /api/internal/docs-tools (must match backend STACK_INTERNAL_DOCS_TOOLS_SECRET)
-# STACK_INTERNAL_DOCS_TOOLS_SECRET=

docs/src/app/api/internal/docs-tools/route.ts

@@ -15,19 +15,7 @@ const bodySchema: z.ZodType<DocsToolAction> = z.discriminatedUnion("action", [
   z.object({ action: z.literal("fetch"), id: z.string() }),
 ]);
 
-function validateInternalSecret(req: NextRequest): boolean {
-  const secret = process.env.STACK_INTERNAL_DOCS_TOOLS_SECRET;
-  if (secret == null || secret === "") {
-    return true;
-  }
-  return req.headers.get("x-stack-internal-docs-tools-secret") === secret;
-}
-
 export async function POST(req: NextRequest) {
-  if (!validateInternalSecret(req)) {
-    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-  }
-
   let json: unknown;
   try {
     json = await req.json();