Skip to content

Environment variables

Everything FlowRunner reads from the environment, split into the variables it cannot start without and the optional ones that each switch on a feature. Set these in your host's environment settings (Vercel project settings, a .env file, container secrets — wherever your platform reads them).

How validation works

src/lib/env.ts is the single source of truth. At boot the app calls assertEnv(), which:

  • throws — refusing to start — if any required variable is missing, naming exactly which ones;
  • warns to the log for each missing optional variable, then keeps running with that feature disabled.

So a misconfigured deploy fails fast and loud on the essentials, and never crashes over an optional feature you chose not to use.

Required

The app will not run without these.

VariablePurposeHow to generate
AUTH_SECRETSigns the Auth.js session JWTs.openssl rand -base64 32
MONGODB_URIThe MongoDB connection string — the app's only datastore.From Atlas or your Mongo host
AUTH_URLThe public base URL of the deploy, e.g. https://app.example.com.Your deployed URL
AUTH_TRUST_HOSTSet to true when running behind a proxy or a hosted platform (Vercel, most containers).true

NOTE

assertEnv() hard-fails specifically on AUTH_SECRET and MONGODB_URI. AUTH_URL and AUTH_TRUST_HOST are required by Auth.js for correct sign-in behaviour behind a proxy — set all four for any real deploy, or authentication will misbehave even though the process starts.

Optional

Each of these enables one feature. Leave it unset and that feature is simply off — the app logs a one-line warning ([env] <VAR> not set — <feature> disabled) and continues.

VariableEnablesHow to generate
SECRETS_KEYThe encrypted per-workspace secrets vault. Must be 32 bytes.openssl rand -base64 32
CRON_SECRETScheduled flow triggers (the /api/cron/tick endpoint).openssl rand -hex 32
RESEND_API_KEY + EMAIL_FROMOutbound email — the Email node and workspace invites.RESEND_API_KEY from the Resend dashboard; EMAIL_FROM is a verified sender like FlowRunner <hello@yourdomain.com>

Notes on the optional trio

  • SECRETS_KEY encrypts the secrets vault at rest. Without it, workspace secrets can't be stored. Treat this key like a database password — and back it up separately from the database, because rotating or losing it strands every existing secret. See Backup & restore.
  • CRON_SECRET guards the scheduler's tick endpoint. Without it, the endpoint is fail-closed (returns 401) and no schedule ever fires. See Scheduled triggers wiring.
  • RESEND_API_KEY turns on email delivery via Resend. If EMAIL_FROM is omitted, the app falls back to a default Resend onboarding sender, which is fine for testing but not for production. See Email node.

Generating secrets

bash
# 32-byte base64 — use for AUTH_SECRET and SECRETS_KEY
openssl rand -base64 32

# 64-char hex — use for CRON_SECRET
openssl rand -hex 32

TIP

Generate a fresh value for each secret rather than reusing one across variables. They protect different things: session signing, the secrets vault, and the cron endpoint.

See also

FlowRunner — the no-code platform for small businesses.