Certiva validates all environment variables at startup using a Zod schema. A missing or invalid value causes an immediate hard failure with a descriptive error. Several rules are only enforced when APP_ENV=staging or APP_ENV=production.
Root-level variables
Used by Docker Compose and Turborepo. Set in the root .env.
API variables
Set in apps/api/.env.
Database and cache
Auth and server
Public URLs
Storage
Cloudflare R2
Required when STORAGE_DRIVER=r2.
Blockchain
Rate limiting
Redis-backed rate limiting is strongly recommended in staging and production.
Web variables
Set in apps/web/.env.
NEXT_PUBLIC_ variables are embedded into the browser bundle at build time. Never put secrets, internal URLs, or API keys in them.
Worker variables
Set in apps/worker/.env.
Startup validation rules
These rules are enforced in apps/api/src/config/env.schema.ts at startup:
JWT_SECRET must be at least 64 characters and must not be a known placeholder value in staging/prod.
CORS_ORIGINS must not be empty or contain * in staging/prod.
STORAGE_DRIVER must be r2 in staging/prod — local is rejected.
- When
BLOCKCHAIN_ENABLED=true: POLYGON_AMOY_RPC_URL, PRIVATE_KEY, and CONTRACT_ADDRESS are all required.
- When
STORAGE_DRIVER=r2: all R2_* variables are required.
PRIVATE_KEY must not match known development test keys in staging/prod.