Skip to Content
Environment Variables

Environment Variables Reference

All env vars across every app and server. Variables marked Required will cause startup failures or silent broken behaviour if missing.

Shared Infrastructure

These are needed by every service that touches a database or queue.

VariableRequiredExampleDescription
DATABASE_URLYespostgresql://leadmetrics:leadmetrics@localhost:5434/leadmetricsPrimary PostgreSQL connection string
MONGO_URLAPI + Agentsmongodb://localhost:27017/leadmetricsMongoDB for audit logs and agent outputs
REDIS_URLYesredis://localhost:6379Redis (ragmanager-redis container — exposed on 6379)

API (apps/api/.env)

Auth

VariableRequiredDescription
JWT_SECRETYesHS256 signing secret for all portal access tokens
REFRESH_TOKEN_SECRETYesSigning secret for refresh tokens
INTERNAL_API_SECRETYesShared secret for inter-service API calls (worker → API callbacks)

App URLs

VariableRequiredDescription
NEXT_PUBLIC_APP_URLYesDashboard URL; used in email links
APP_URLYesSame as above; used in newsletter unsubscribe links
CORS_ORIGINSNoComma-separated allowed origins. Defaults to localhost:3000,3001,3002 in dev
TRUST_PROXYNotrue when behind Docker/nginx. Use CIDR in production

Storage (DigitalOcean Spaces)

All 6 required — missing DO_SPACES_ENDPOINT silently breaks the social post image designer.

VariableDescription
DO_SPACES_KEYSpaces access key
DO_SPACES_SECRETSpaces secret key
DO_SPACES_REGIONRegion slug (e.g. sgp1)
DO_SPACES_ENDPOINTFull endpoint URL (e.g. https://sgp1.digitaloceanspaces.com)
DO_SPACES_BUCKETBucket name
DO_SPACES_CDN_URLCDN base URL (e.g. https://your-bucket.sgp1.cdn.digitaloceanspaces.com)

LLM Providers

VariableRequiredDescription
OPENAI_API_KEYFor OpenAI agentsOpenAI API key
ANTHROPIC_API_KEYFor Claude agentsAnthropic API key
GOOGLE_GENERATIVE_AI_KEYFor Gemini agentsGoogle Generative AI key
PERPLEXITY_API_KEYFor AI visibilityPerplexity API key

Azure (Image Generation)

VariableRequiredDescription
AZURE_IMAGE_API_KEYSocial post imagesAzure Cognitive Services key
AZURE_IMAGE_ENDPOINTSocial post imagesFull Azure endpoint URL for GPT Image 1.5

Google OAuth Channels

VariableChannel
GOOGLE_ADS_APP_ID + GOOGLE_ADS_APP_SECRET + GOOGLE_ADS_DEVELOPER_TOKENGoogle Ads connect + insights
GOOGLE_SEARCH_CONSOLE_APP_ID + GOOGLE_SEARCH_CONSOLE_APP_SECRETGSC connect
GOOGLE_ANALYTICS_APP_ID + GOOGLE_ANALYTICS_APP_SECRETGA4 connect
GOOGLE_BUSINESS_PROFILE_APP_ID + GOOGLE_BUSINESS_PROFILE_APP_SECRETGBP connect + post publishing

GitHub OAuth

VariableDescription
GITHUB_CLIENT_IDGitHub OAuth App client ID
GITHUB_CLIENT_SECRETGitHub OAuth App secret

Newsletter Sending (Resend)

VariableRequiredDescription
RESEND_API_KEYYes (if using newsletters)Resend API key
NEWSLETTER_FROM_EMAILYesDefault from address
NEWSLETTER_FROM_NAMEYesDefault sender name

Email (Notifications)

VariableRequiredDescription
SENDGRID_API_KEYPlatform notificationsSendGrid API key
DEV_ALLOWED_EMAIL_DOMAINSDev onlyOnly send to these domains in dev (e.g. leadmetrics.ai)
DEV_CC_EMAILDev onlyBCC this address on all dev emails

Payments (Razorpay)

VariableRequiredDescription
RAZORPAY_KEY_IDBillingRazorpay key ID
RAZORPAY_KEY_SECRETBillingRazorpay key secret

Encryption

VariableRequiredDescription
PROVIDER_CONFIG_ENCRYPTION_KEYYesAES key for encrypting OAuth tokens at rest in the DB

Dashboard (apps/dashboard/.env.local)

VariableRequiredDescription
NEXT_PUBLIC_APP_URLYeshttp://localhost:3000
NEXT_PUBLIC_API_URLYeshttp://localhost:3003
API_URLYeshttp://localhost:3003 — used by middleware for silent token refresh
JWT_SECRETYesSame value as API — used by middleware to verify access tokens
REFRESH_TOKEN_SECRETYesSame value as API — used to verify refresh tokens

Manage (apps/manage/.env.local)

VariableRequiredDescription
NEXT_PUBLIC_API_URLYeshttp://localhost:3003
JWT_SECRETYesSecret for manage portal JWT tokens
REFRESH_TOKEN_SECRETYesSecret for refresh tokens

DM Portal (apps/dm/.env.local)

VariableRequiredDescription
NEXT_PUBLIC_API_URLYeshttp://localhost:3003
JWT_SECRETYesSame as Manage (shared JWT signing)
REFRESH_TOKEN_SECRETYesSame as Manage

Agents Server (apps/servers/agents/.env)

Needs everything the API needs for provider calls, plus:

VariableRequiredDescription
DATABASE_URLYes
REDIS_URLYes
DASHBOARD_URLYeshttp://localhost:3000 — used in notification links
PROVIDER_CONFIG_ENCRYPTION_KEYYesSame value as API — used to decrypt OAuth tokens when insight workers call provider APIs
OPENAI_API_KEYAgent-dependentRequired if using OpenAI provider
ANTHROPIC_API_KEYYesRequired — seo-optimizer, brand-narrative-analyst, ai-visibility-monitor all throw without it
All DO_SPACES_*YesAll 6 required for social post image designer
AZURE_IMAGE_API_KEYSocial images
AZURE_IMAGE_ENDPOINTSocial images
PIXABAY_API_KEYStock images
UNSPLASH_ACCESS_KEYStock images

Billing Server (apps/servers/billing/.env)

VariableRequiredDescription
DATABASE_URLYes
REDIS_URLYes
BILLING_CRON_SCHEDULENoDefaults to 5 0 1 * * (1st of month, 00:05 UTC)
OVERDUE_CRON_SCHEDULENoDefaults to 0 1 * * * (01:00 daily)
REMINDER_CRON_SCHEDULENoDefaults to 0 * * * * (hourly)
CREDITS_RESET_CRON_SCHEDULENoDefaults to 10 0 1 * * (1st of month, 00:10 UTC)

Notifications Server (apps/servers/notifications/.env)

VariableRequiredDescription
DATABASE_URLYes
REDIS_URLYes
SENDGRID_API_KEYYesPlatform email sender
DEV_ALLOWED_EMAIL_DOMAINSDevleadmetrics.ai — only send to these domains
DEV_CC_EMAILDevmoble@leadmetrics.ai — BCC on all dev emails

Reporting Server (apps/servers/reporting/.env)

VariableRequiredDescription
DATABASE_URLYes
REDIS_URLYes
ADMIN_REPORT_EMAILYesEmail address for the nightly admin summary
ADMIN_REPORT_NAMEYesDisplay name for the admin report recipient

RAG Engine Server (apps/servers/ragengine/.env)

VariableRequiredDescription
DATABASE_URLYesUsed to provision tenant datasets on registration
REDIS_URLYes
QDRANT_URLYeshttp://localhost:6333 (or ragmanager-qdrant endpoint)

Search Indexer Server (apps/servers/search-indexer/.env)

VariableRequiredDescription
DATABASE_URLYesUsed to fetch full records for indexing
REDIS_URLYesBullMQ search__sync queue
TYPESENSE_URLYeshttp://localhost:8108 (or Docker leadmetrics-typesense:8108)
TYPESENSE_ADMIN_API_KEYYesMust match --api-key in the Typesense Docker command
NODE_ENVNodevelopment | production

Typesense env vars used at query time (API, Dashboard)

These are also needed by any service that calls Typesense directly (the API, Next.js API routes, or the provider-typesense package):

VariableDescription
TYPESENSE_URLSame value as above
TYPESENSE_ADMIN_API_KEYSame value as above

Dev default: http://localhost:8108 and key leadmetrics-dev-key (matches the docker-compose.yml service).

Notes

  • None of these files are committed. Keep them out of git.
  • In production, secrets are injected by Doppler per environment and service — never hardcoded.
  • PROVIDER_CONFIG_ENCRYPTION_KEY must be identical in both apps/api and apps/servers/agents — the API encrypts OAuth tokens when stored; agents decrypt them when calling provider APIs.
  • JWT_SECRET and REFRESH_TOKEN_SECRET must be identical across apps/api, apps/dashboard, apps/manage, and apps/dm — all portals share the same JWT signing keys.
Local SetupCI/CD Pipeline

© 2026 Leadmetrics — Internal use only