Skip to main content
Certiva validates all environment variables at startup using a Zod schema. A missing or invalid value causes an immediate hard failure with a descriptive error. Several rules are only enforced when APP_ENV=staging or APP_ENV=production.

Root-level variables

Used by Docker Compose and Turborepo. Set in the root .env.

API variables

Set in apps/api/.env.

Database and cache

Auth and server

Public URLs

Storage

Cloudflare R2

Required when STORAGE_DRIVER=r2.

Blockchain

Rate limiting

Redis-backed rate limiting is strongly recommended in staging and production.

Web variables

Set in apps/web/.env.
NEXT_PUBLIC_ variables are embedded into the browser bundle at build time. Never put secrets, internal URLs, or API keys in them.

Worker variables

Set in apps/worker/.env.

Startup validation rules

These rules are enforced in apps/api/src/config/env.schema.ts at startup:
  • JWT_SECRET must be at least 64 characters and must not be a known placeholder value in staging/prod.
  • CORS_ORIGINS must not be empty or contain * in staging/prod.
  • STORAGE_DRIVER must be r2 in staging/prod — local is rejected.
  • When BLOCKCHAIN_ENABLED=true: POLYGON_AMOY_RPC_URL, PRIVATE_KEY, and CONTRACT_ADDRESS are all required.
  • When STORAGE_DRIVER=r2: all R2_* variables are required.
  • PRIVATE_KEY must not match known development test keys in staging/prod.