Appearance
Environment variables
Everything FlowRunner reads from the environment, split into the variables it cannot start without and the optional ones that each switch on a feature. Set these in your host's environment settings (Vercel project settings, a .env file, container secrets — wherever your platform reads them).
How validation works
src/lib/env.ts is the single source of truth. At boot the app calls assertEnv(), which:
- throws — refusing to start — if any required variable is missing, naming exactly which ones;
- warns to the log for each missing optional variable, then keeps running with that feature disabled.
So a misconfigured deploy fails fast and loud on the essentials, and never crashes over an optional feature you chose not to use.
Required
The app will not run without these.
| Variable | Purpose | How to generate |
|---|---|---|
AUTH_SECRET | Signs the Auth.js session JWTs. | openssl rand -base64 32 |
MONGODB_URI | The MongoDB connection string — the app's only datastore. | From Atlas or your Mongo host |
AUTH_URL | The public base URL of the deploy, e.g. https://app.example.com. | Your deployed URL |
AUTH_TRUST_HOST | Set to true when running behind a proxy or a hosted platform (Vercel, most containers). | true |
NOTE
assertEnv() hard-fails specifically on AUTH_SECRET and MONGODB_URI. AUTH_URL and AUTH_TRUST_HOST are required by Auth.js for correct sign-in behaviour behind a proxy — set all four for any real deploy, or authentication will misbehave even though the process starts.
Optional
Each of these enables one feature. Leave it unset and that feature is simply off — the app logs a one-line warning ([env] <VAR> not set — <feature> disabled) and continues.
| Variable | Enables | How to generate |
|---|---|---|
SECRETS_KEY | The encrypted per-workspace secrets vault. Must be 32 bytes. | openssl rand -base64 32 |
CRON_SECRET | Scheduled flow triggers (the /api/cron/tick endpoint). | openssl rand -hex 32 |
RESEND_API_KEY + EMAIL_FROM | Outbound email — the Email node and workspace invites. | RESEND_API_KEY from the Resend dashboard; EMAIL_FROM is a verified sender like FlowRunner <hello@yourdomain.com> |
Notes on the optional trio
SECRETS_KEYencrypts the secrets vault at rest. Without it, workspace secrets can't be stored. Treat this key like a database password — and back it up separately from the database, because rotating or losing it strands every existing secret. See Backup & restore.CRON_SECRETguards the scheduler's tick endpoint. Without it, the endpoint is fail-closed (returns401) and no schedule ever fires. See Scheduled triggers wiring.RESEND_API_KEYturns on email delivery via Resend. IfEMAIL_FROMis omitted, the app falls back to a default Resend onboarding sender, which is fine for testing but not for production. See Email node.
Generating secrets
bash
# 32-byte base64 — use for AUTH_SECRET and SECRETS_KEY
openssl rand -base64 32
# 64-char hex — use for CRON_SECRET
openssl rand -hex 32TIP
Generate a fresh value for each secret rather than reusing one across variables. They protect different things: session signing, the secrets vault, and the cron endpoint.