Environment variables
Every environment variable NextForge uses, with explanations. setup.mjs generates a .env.local.example with only the vars for your chosen database.
Run setup.mjs before manually configuring .env.local — it generates a .env.local.example pre-filtered for your chosen database.
Always required
.env.local
```
# NextAuth secret — generate with: openssl rand -base64 32
AUTH_SECRET=

# Google OAuth — remove if not using Google sign-in
AUTH_GOOGLE_ID=
AUTH_GOOGLE_SECRET=

# Resend transactional email
RESEND_API_KEY=
RESEND_FROM_EMAIL=no-reply@yourdomain.com

# Upstash Redis rate limiting
UPSTASH_REDIS_REST_URL=
UPSTASH_REDIS_REST_TOKEN=

# Public app config
NEXT_PUBLIC_APP_NAME=MyApp
NEXT_PUBLIC_APP_URL=https://yourdomain.com
```
| Variable | Required | Description |
|---|---|---|
| AUTH_SECRET | Yes | Random secret used to sign JWT tokens. Min 32 chars. |
| AUTH_GOOGLE_ID | If using Google | Google OAuth client ID from Google Cloud Console |
| AUTH_GOOGLE_SECRET | If using Google | Google OAuth client secret |
| RESEND_API_KEY | Yes | API key from resend.com |
| RESEND_FROM_EMAIL | Yes | Verified sender address on your Resend domain |
| UPSTASH_REDIS_REST_URL | Recommended | REST URL from Upstash Redis dashboard |
| UPSTASH_REDIS_REST_TOKEN | Recommended | Auth token from Upstash Redis dashboard |
| NEXT_PUBLIC_APP_NAME | Yes | App name shown in email subjects and page titles |
| NEXT_PUBLIC_APP_URL | Yes | Full URL of your app — used in email links |
MongoDB variant
.env.local
```
MONGODB_URI=mongodb+srv://username:password@cluster.mongodb.net/mydb?retryWrites=true&w=majority
```
Supabase variant
.env.local
```
NEXT_PUBLIC_SUPABASE_URL=https://xxxxxxxxxxxx.supabase.co
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=sb_publishable_xxxxxxxxxxxx
SUPABASE_SECRET_KEY=sb_secret_xxxxxxxxxxxx
```
SUPABASE_SECRET_KEY must never be prefixed with NEXT_PUBLIC_ and must never appear in client components or client bundles. It is server-side only.
Firebase variant
.env.local
```
FIREBASE_PROJECT_ID=my-project-id
FIREBASE_CLIENT_EMAIL=firebase-adminsdk-xxxxx@my-project-id.iam.gserviceaccount.com
FIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMIIEvQIBAD...\n-----END PRIVATE KEY-----\n"
```
Generating AUTH_SECRET
AUTH_SECRET must be a long random string. Generate it with:
terminal
```bash
openssl rand -base64 32
```
Or using Node.js:
terminal
```bash
node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
```
Never use a guessable string for AUTH_SECRET. Never commit it to source control. If it's ever leaked, rotate it immediately — all existing sessions will be invalidated.
NEXT_PUBLIC_ prefix
Variables prefixed with NEXT_PUBLIC_ are embedded in the client bundle at build time and are accessible in the browser. All other variables are server-only — they are never sent to the client.
- NEXT_PUBLIC_SUPABASE_URL — safe to expose (points to public endpoint)
- NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY — safe to expose (browser key)
- NEXT_PUBLIC_APP_NAME — safe to expose (just a display string)
- NEXT_PUBLIC_APP_URL — safe to expose (just your domain)
- SUPABASE_SECRET_KEY — server only, never NEXT_PUBLIC_
- FIREBASE_PRIVATE_KEY — server only, never NEXT_PUBLIC_
- AUTH_SECRET — server only, never NEXT_PUBLIC_
- RESEND_API_KEY — server only, never NEXT_PUBLIC_
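
An added example, not part of NextForge or this page's original code: a preflight audit in Node.js that applies the rules above (required variables, the 32-character minimum for AUTH_SECRET, and no server-only credential behind NEXT_PUBLIC_) to the text of a .env.local. The names parseEnv, auditEnv and SAMPLE are hypothetical, and the sample values are constructed.

```javascript
// Added example (not NextForge code): preflight audit of .env.local contents.
// parseEnv, auditEnv and SAMPLE are hypothetical names; the rules come from this page.
const REQUIRED = ["AUTH_SECRET", "RESEND_API_KEY", "RESEND_FROM_EMAIL",
  "NEXT_PUBLIC_APP_NAME", "NEXT_PUBLIC_APP_URL"];
// Variables this page lists as server only.
const SERVER_ONLY = ["SUPABASE_SECRET_KEY", "FIREBASE_PRIVATE_KEY", "AUTH_SECRET", "RESEND_API_KEY"];
// Value shapes from this page's examples that mark a server-side credential.
const SECRET_VALUE = /^sb_secret_|-----BEGIN PRIVATE KEY-----/;

// Minimal KEY=value parser: skips blanks and comments, strips one pair of quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Returns a list of findings; an empty list means the file passes every check.
function auditEnv(text) {
  const vars = parseEnv(text);
  const findings = REQUIRED.filter((n) => !vars[n]).map((n) => `missing: ${n}`);
  if (vars.AUTH_SECRET && vars.AUTH_SECRET.length < 32) findings.push("weak: AUTH_SECRET is shorter than 32 characters");
  for (const [key, value] of Object.entries(vars)) {
    if (!key.startsWith("NEXT_PUBLIC_")) continue;
    // A server-only name behind the prefix, or a secret-shaped value, would ship to the browser.
    const bare = key.slice("NEXT_PUBLIC_".length);
    if (SERVER_ONLY.includes(bare) || SECRET_VALUE.test(value)) findings.push(`exposed: ${key}`);
  }
  return findings;
}

// Constructed sample with deliberate mistakes; no real credentials.
const SAMPLE = [
  "AUTH_SECRET=changeme",
  "RESEND_API_KEY=constructed-placeholder",
  "RESEND_FROM_EMAIL=no-reply@yourdomain.com",
  "NEXT_PUBLIC_APP_NAME=MyApp",
  "NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=sb_secret_xxxxxxxxxxxx",
  "NEXT_PUBLIC_RESEND_API_KEY=constructed-placeholder",
].join("\n");
console.log(auditEnv(SAMPLE));
```

To audit a real file, pass its contents (for example from `fs.readFileSync(".env.local", "utf8")`) to `auditEnv` and fail the build when the returned list is non-empty.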