# Basic NEXT_PUBLIC_HEXCLAVE_API_URL=# the base URL of Stack's backend/API. For local development, this is `http://localhost:8102`; for the managed service, this is `https://api.hexclave.com`. NEXT_PUBLIC_HEXCLAVE_DASHBOARD_URL=# the URL of Stack's dashboard. For local development, this is `http://localhost:8101`; for the managed service, this is `https://app.hexclave.com`. NEXT_PUBLIC_HEXCLAVE_IS_LOCAL_EMULATOR=# set to true to enable local emulator-only behaviors (internal local emulator endpoints, read-only environment config overrides, and local emulator auth UX) HEXCLAVE_SECRET_SERVER_KEY=# a random, unguessable secret key generated by `pnpm generate-keys` # seed script settings HEXCLAVE_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=# true to enable user sign up to the dashboard when seeding HEXCLAVE_SEED_INTERNAL_PROJECT_OTP_ENABLED=# true to add OTP auth to the dashboard when seeding HEXCLAVE_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=# true to allow running dashboard on the localhost, set this to true only in development HEXCLAVE_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS=# list of oauth providers to add to the dashboard when seeding, separated by comma, for example "github,google,facebook" HEXCLAVE_SEED_INTERNAL_PROJECT_USER_EMAIL=# default user added to the dashboard HEXCLAVE_SEED_INTERNAL_PROJECT_USER_PASSWORD=# default user's password, paired with HEXCLAVE_SEED_INTERNAL_PROJECT_USER_EMAIL HEXCLAVE_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=# if the default user has access to the internal dashboard project HEXCLAVE_SEED_INTERNAL_PROJECT_USER_GITHUB_ID=# add github oauth id to the default user HEXCLAVE_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=# default publishable client key for the internal project HEXCLAVE_INTERNAL_PROJECT_SECRET_SERVER_KEY=# default secret server key for the internal project HEXCLAVE_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=# default super secret admin key for the internal project # OAuth mock provider settings HEXCLAVE_OAUTH_MOCK_URL=# enter the URL of the mock OAuth provider here. For local development, use `http://localhost:8114`. # OAuth shared keys # Can be set to MOCK to use mock OAuth providers HEXCLAVE_GITHUB_CLIENT_ID=# client HEXCLAVE_GITHUB_CLIENT_SECRET=# client secret HEXCLAVE_GOOGLE_CLIENT_ID=# client id HEXCLAVE_GOOGLE_CLIENT_SECRET=# client secret HEXCLAVE_MICROSOFT_CLIENT_ID=# client id HEXCLAVE_MICROSOFT_CLIENT_SECRET=# client secret HEXCLAVE_SPOTIFY_CLIENT_ID=# client id HEXCLAVE_SPOTIFY_CLIENT_SECRET=# client secret HEXCLAVE_ALLOW_SHARED_OAUTH_ACCESS_TOKENS=# allow shared oauth provider to also use connected account access token, this should only be used for development and testing HEXCLAVE_DISABLE_PLAN_LIMITS=# set to "true" to bypass enforcement of Hexclave's own internal-tenancy plan limits (analytics_events, session_replays, emails_per_month, dashboard_admins seat cap, auth_users soft cap, analytics_timeout_seconds). Default unset/false preserves enforcement. Intended as a temporary cutover safety net while the plan-limits infrastructure rolls out — customer projects' own item APIs are unaffected by this flag. # Email # For local development, you can spin up a local SMTP server like inbucket HEXCLAVE_EMAIL_HOST=# for local inbucket: 127.0.0.1 HEXCLAVE_EMAIL_PORT=# for local inbucket: 8129 HEXCLAVE_EMAIL_USERNAME=# for local inbucket: test HEXCLAVE_EMAIL_PASSWORD=# for local inbucket: none HEXCLAVE_EMAIL_SENDER=# for local inbucket: noreply@test.com HEXCLAVE_EMAILABLE_API_KEY=# Emailable API key for email validation, see https://emailable.com. Use a test key (starting with "test_") for local dev — it does not consume credits. Set to "disable_email_validation" to disable. HEXCLAVE_DEFAULT_EMAIL_CAPACITY_PER_HOUR=# the number of emails a new project can send. Defaults to 200 # Email branching configuration # If you have multiple deployments of compute accessing the same DB or multiple copies of a DBs connected to compute (as # you would in preview/branching environments), you may want to either disable the auto-triggered email queue steps # (those that trigger whenever an email is sent, besides the cron job), or disable email sending as a whole. HEXCLAVE_EMAIL_BRANCHING_DISABLE_QUEUE_AUTO_TRIGGER=# set to 'true' to disable the automatic triggering of the email queue step. the cron job must call /email-queue-step to run the queue step. Most useful on production domains where you know the cron job will run on the correct deployment and you don't need the auto-trigger (which may be on the wrong deployment) HEXCLAVE_EMAIL_BRANCHING_DISABLE_QUEUE_SENDING=# set to 'true' to throw an error instead of sending emails in the email queue step. Most useful on development branches that have a copy of the production DB, but should not send any emails (as otherwise some emails could be sent twice) # Database # For local development: `docker run -it --rm -e POSTGRES_PASSWORD=password -p "8128:5432" postgres` HEXCLAVE_DATABASE_CONNECTION_STRING=# enter your connection string here. For local development: `postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@localhost:8128/stackframe` # Webhooks HEXCLAVE_SVIX_SERVER_URL=# For prod, leave it empty. For local development, use `http://localhost:8113` HEXCLAVE_SVIX_API_KEY=# enter the API key for the Svix webhook service here. Use `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NTUxNDA2MzksImV4cCI6MTk3MDUwMDYzOSwibmJmIjoxNjU1MTQwNjM5LCJpc3MiOiJzdml4LXNlcnZlciIsInN1YiI6Im9yZ18yM3JiOFlkR3FNVDBxSXpwZ0d3ZFhmSGlyTXUifQ.En8w77ZJWbd0qrMlHHupHUB-4cx17RfzFykseg95SUk` for local development # S3 HEXCLAVE_S3_PUBLIC_ENDPOINT=# publicly accessible endpoint HEXCLAVE_S3_ENDPOINT=# S3 API endpoint URL (e.g., 'https://s3.amazonaws.com' for AWS or custom endpoint for S3-compatible services) HEXCLAVE_S3_REGION= HEXCLAVE_S3_ACCESS_KEY_ID= HEXCLAVE_S3_SECRET_ACCESS_KEY= HEXCLAVE_S3_BUCKET= HEXCLAVE_S3_PRIVATE_BUCKET= # AWS configuration HEXCLAVE_AWS_REGION= HEXCLAVE_AWS_KMS_ENDPOINT= HEXCLAVE_AWS_ACCESS_KEY_ID= HEXCLAVE_AWS_SECRET_ACCESS_KEY= HEXCLAVE_AWS_VERCEL_OIDC_ROLE_ARN= # Upstash configuration HEXCLAVE_QSTASH_URL= HEXCLAVE_QSTASH_TOKEN= HEXCLAVE_QSTASH_CURRENT_SIGNING_KEY= HEXCLAVE_QSTASH_NEXT_SIGNING_KEY= # Email monitor HEXCLAVE_EMAIL_MONITOR_RESEND_EMAIL_API_KEY=# enter the resend poller api key here HEXCLAVE_EMAIL_MONITOR_RESEND_EMAIL_DOMAIN=# enter the resend domain that should receive the emails HEXCLAVE_EMAIL_MONITOR_PROJECT_ID=# enter the project id for the project that the email monitor will attempt to sign up for HEXCLAVE_EMAIL_MONITOR_PUBLISHABLE_CLIENT_KEY=# enter the publishable client key for email monitor to use when attempting a sign up HEXCLAVE_EMAIL_MONITOR_VERIFICATION_CALLBACK_URL=# enter a valid verification callback url for the project that the email monitor will attempt to sign up for HEXCLAVE_EMAIL_MONITOR_INBUCKET_API_URL=# enter a valid inbucket api url for the email monitor to check emails from in test mode HEXCLAVE_EMAIL_MONITOR_USE_INBUCKET=# enter true/false based on whether the email monitor should use inbucket or resend. Note that if this is set to true in prod, the email monitor will throw an error. HEXCLAVE_EMAIL_MONITOR_SECRET_TOKEN=# enter the secret token value needed for the request to the email monitor to be accepted # Clickhouse HEXCLAVE_CLICKHOUSE_URL=# URL of the Clickhouse instance HEXCLAVE_CLICKHOUSE_ADMIN_USER=# username of the admin account HEXCLAVE_CLICKHOUSE_ADMIN_PASSWORD=# password of the admin account HEXCLAVE_CLICKHOUSE_EXTERNAL_PASSWORD=# a randomly generated secure string. The user account will be created automatically # Misc HEXCLAVE_ACCESS_TOKEN_EXPIRATION_TIME=# enter the expiration time for the access token here. Optional, don't specify it for default value HEXCLAVE_SETUP_ADMIN_GITHUB_ID=# enter the account ID of the admin user here, and after running the seed script they will be able to access the internal project in the Stack dashboard. Optional, don't specify it for default value OTEL_EXPORTER_OTLP_ENDPOINT=# enter the OpenTelemetry endpoint here. Optional, default is `http://localhost:8131` HEXCLAVE_INTEGRATION_CLIENTS_CONFIG=# a list of oidc-provider clients for integrations. If not provided, disables integrations HEXCLAVE_FREESTYLE_API_KEY=# enter your freestyle.sh api key HEXCLAVE_VERCEL_SANDBOX_PROJECT_ID=# enter the project id for the vercel project that the vercel engine will use HEXCLAVE_VERCEL_SANDBOX_TEAM_ID=# enter the team id for the vercel project that the vercel engine will use HEXCLAVE_VERCEL_SANDBOX_TOKEN=# enter the token for the vercel project that the vercel engine will use HEXCLAVE_OPENAI_API_KEY=# enter your openai api key HEXCLAVE_FEATUREBASE_API_KEY=# enter your featurebase api key HEXCLAVE_STRIPE_SECRET_KEY=# enter your stripe api key HEXCLAVE_STRIPE_WEBHOOK_SECRET=# enter your stripe webhook secret HEXCLAVE_TELEGRAM_BOT_TOKEN= # enter you telegram bot token HEXCLAVE_TELEGRAM_CHAT_ID=# enter your telegram chat id # Docs AI tool bundle HEXCLAVE_MINTLIFY_MCP_URL=# override the Mintlify MCP server used by the backend's AI docs tool bundle. Defaults to https://stackauth-e0affa27.mintlify.app/mcp # MCP review tool (SpacetimeDB) HEXCLAVE_SPACETIMEDB_URI=# SpacetimeDB host URI; default empty (logging disabled) HEXCLAVE_SPACETIMEDB_DB_NAME=# SpacetimeDB database name HEXCLAVE_MCP_LOG_TOKEN=# shared secret gating the log_mcp_call reducer; must match EXPECTED_LOG_TOKEN in apps/internal-tool/spacetimedb/src/index.ts