Configuration

Environment Variables

API (apps/api/.env)

# Application
NODE_ENV=development
PORT=3001
TZ=Asia/Kolkata

# Database
DATABASE_URL=postgresql://postgres:password@localhost:5432/syncad_central

# JWT
JWT_SECRET=your-256-bit-secret-here
JWT_ACCESS_EXPIRES_IN=15m
JWT_REFRESH_EXPIRES_IN=7d

# Redis
REDIS_URL=redis://localhost:6379

# AWS
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=...
AWS_REGION=ap-south-1
AWS_DEFAULT_REGION=ap-south-1

# S3
S3_BUCKET=syncad-assets
S3_CDN_URL=https://cdn.syncad.in

# SES
SES_FROM_EMAIL=noreply@syncad.in
SES_FROM_NAME=SyncAD

# SNS (for SMS + Push)
SNS_TOPIC_ARN=arn:aws:sns:ap-south-1:123456:SyncADNotifications

# FCM (Push Notifications)
FCM_PROJECT_ID=syncad-prod
FCM_PRIVATE_KEY=...
FCM_CLIENT_EMAIL=...

# OTP
OTP_EXPIRY_SECONDS=300
OTP_LENGTH=6

# SCS Service (School Provisioning)
SCS_BASE_URL=http://localhost:8080
SCS_API_KEY=...

School Admin UI

NEXT_PUBLIC_API_URL=https://dev-api.metaonus.in
NEXT_PUBLIC_APP_NAME=School Admin
NEXT_PUBLIC_SCHOOL_ID= # filled at runtime from JWT

Super Admin UI

NEXT_PUBLIC_API_URL=https://dev-api.metaonus.in
NEXT_PUBLIC_APP_NAME=Super Admin

SCS Service

PORT=8080
DATABASE_URL=postgresql://postgres:password@localhost:5432/syncad_central
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_REGION=ap-south-1
ROUTE53_HOSTED_ZONE_ID=Z... # route53 zone for syncad.in
SCS_API_KEY=... # shared secret with super-admin UI
SES_FROM_EMAIL=noreply@syncad.in

Validation

All environment variables are validated at startup using apps/api/src/env.validation.ts (NestJS ConfigModule with class-validator):

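// apps/api/src/env.validation.ts
import {
  IsEnum,
  IsInt,
  IsNotEmpty,
  IsOptional,
  IsString,
  Min,
  MinLength,
} from 'class-validator';

export class EnvSchema {
  @IsString()
  @IsNotEmpty()
  DATABASE_URL: string;

  // Signing secret must be at least 32 characters long
  @IsString()
  @MinLength(32)
  JWT_SECRET: string;

  @IsEnum(['development', 'staging', 'production'])
  NODE_ENV: string;

  // Optional; process.env values are strings, so the validation step must
  // convert this to a number before @IsInt and @Min are applied
  @IsOptional()
  @IsInt()
  @Min(0)
  OTP_EXPIRY_SECONDS?: number;
}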

If any required variable is missing or invalid, the API fails to start with a descriptive error.

Secret Management

In production, secrets are stored in AWS Secrets Manager and injected into ECS task definitions at runtime. Never commit real secrets to .env files — use .env.example as a template:

# .env.example (committed to git)
DATABASE_URL=
JWT_SECRET=
AWS_ACCESS_KEY_ID=
# ...
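
One way to enforce the template rule above in CI or a pre-commit hook: a dependency-free check that flags any secret-bearing key in .env.example that carries a value, and any URL that embeds a password. This is an added example, not part of the project's code; `lintEnvExample`, `parseLine`, the secret-name pattern and the sample input are assumptions made for illustration.

```typescript
// Added example, not project code: lint .env.example before it is committed.
// Assumption: keys whose names look secret-bearing must have an empty value.
const SECRET_NAME = /(SECRET|PRIVATE_KEY|API_KEY|ACCESS_KEY|PASSWORD|TOKEN)/;
// scheme://user:password@host (group 1 is the embedded password)
const URL_PASSWORD = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]*:([^@\/\s]+)@/i;

interface Finding { line: number; key: string; reason: string }

// Parse one dotenv line into [key, value]; null for blanks and comment lines.
function parseLine(raw: string): [string, string] | null {
  const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(raw);
  if (!m) return null;
  const value = m[2].trim();
  const quoted = /^(["'])(.*)\1/.exec(value);
  if (quoted) return [m[1], quoted[2]];
  // Unquoted value: drop an inline "# comment" such as the ones used on this page
  return [m[1], value.replace(/(^|\s)#.*$/, "").trim()];
}

function lintEnvExample(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const kv = parseLine(raw);
    if (!kv) return;
    const [key, value] = kv;
    if (value === "") return; // empty placeholder, as the template requires
    if (SECRET_NAME.test(key)) {
      findings.push({ line: i + 1, key, reason: "secret-bearing key has a value" });
    } else if (URL_PASSWORD.test(value)) {
      findings.push({ line: i + 1, key, reason: "URL embeds a password" });
    }
  });
  return findings;
}

// Constructed sample input; every value is a placeholder, not a real credential.
const SAMPLE_ENV_EXAMPLE = [
  "# .env.example",
  "NODE_ENV=development",
  "DATABASE_URL=postgresql://postgres:password@localhost:5432/syncad_central",
  "JWT_SECRET=",
  "SCS_API_KEY= # shared secret with super-admin UI",
  "AWS_ACCESS_KEY_ID=EXAMPLE-NOT-A-REAL-KEY",
  "REDIS_URL=redis://localhost:6379",
].join("\n");

// Two findings: DATABASE_URL (line 3) and AWS_ACCESS_KEY_ID (line 6)
const sampleFindings = lintEnvExample(SAMPLE_ENV_EXAMPLE);
```

A non-empty result should fail the build; non-secret defaults such as NODE_ENV or a credential-free REDIS_URL pass untouched.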