Lewati ke konten utama

Environment Variables

All environment variables required to run Seken locally and in production. For developers setting up the project or deploying updates.

Values Are Secrets

This page lists variable names only: never values. Get actual values from the team's shared secrets manager. Never commit values to git. If a secret is exposed, rotate it immediately, see Maintenance Guide →.


Web App (React / Vite)​

Set in .env (local) or Dokploy frontend container environment (production).

Variables prefixed with VITE_ are embedded into the browser bundle at build time. All others are build-time only and not exposed to browsers.

VariableRequiredDescription
VITE_API_BASE_URL✅Base URL for backend API calls (NestJS service)
VITE_VAPID_PUBLIC_KEY✅VAPID public key for Web Push subscriptions
VITE_SENTRY_DSN✅Sentry DSN for web error tracking. Public DSN, safe to expose to the browser bundle. See Observability

Backend (NestJS)​

Set in .env (local) or Dokploy backend container environment (production).

VariableRequiredServiceDescription
DATABASE_URL✅PostgreSQLFull connection string (Supavisor session pooler URL in production; local Postgres in dev). Never mix staging and production values.
JWT_SECRET✅AuthSecret for signing and verifying SEKEN JWTs (X-User-Token). Generate a distinct value per environment.
XENDIT_SECRET_KEY✅XenditSecret key for payment API calls
XENDIT_WEBHOOK_VERIFICATION_TOKEN✅XenditWebhook token, used in timing-safe comparison
OPENAI_API_KEY✅OpenAIAPI key for GPT-4o mini, AI listing categorization, KTP OCR, customer assistant, ops assistant
RESEND_API_KEY✅ResendAPI key for transactional email
BITESHIP_API_KEY✅BiteshipAPI key for shipping rates and booking
SENTRY_DSN_SERVER✅SentryDSN for backend error tracking. If unset, error reporting is a no-op. See Observability
VAPID_PRIVATE_KEY✅Web PushVAPID private key for push notifications
VAPID_SUBJECT✅Web PushVAPID subject (typically mailto:...)
SHIPPING_QUOTE_SIGNING_KEY✅ShippingHMAC signing key for shipping quote tokens. Minimum 32 chars. Generate a distinct value per environment.
FRONTEND_URL✅InternalBase frontend URL used in the Xendit payment retry path and OAuth callbacks. Do not hardcode subdomains in retry URLs.
LOG_LEVELoptionalInternalBackend log verbosity: debug / info / warn / error. Defaults sensibly if unset.
OPENAI_VISION_MODELoptionalOpenAIOverrides the OpenAI model used for vision / OCR calls. Defaults to gpt-4o-mini when unset.
CRON_SECRET✅CronShared secret protecting the in-process scheduled job endpoints (escrow-check, disbursement-send, strikes-expire, cache-warm). Self-generated secure random string.
S3_ACCESS_KEY✅StorageDigitalOcean Spaces access key ID for file uploads
S3_SECRET_KEY✅StorageDigitalOcean Spaces secret access key
S3_ENDPOINT✅StorageSpaces endpoint URL (e.g. https://sgp1.digitaloceanspaces.com)
S3_BUCKET✅StorageDefault bucket name for listing photos and uploads
SEKEN_EXTRA_CORSoptionalInternalComma-separated list of extra allowed CORS origins, appended at runtime to the hardcoded allowlist for time-bound additions (e.g. a preview domain).

Flutter Mobile App​

Set in a local .env file or injected at build time via --dart-define.

VariableRequiredDescription
APP_ENVoptionaldevelopment / staging / production (defaults to development)
API_BASE_URL✅NestJS backend base URL (e.g. https://api.pasarseken.id). No default for production; must be passed explicitly.
SENTRY_DSN_MOBILEreleaseSentry DSN for mobile crash reporting. No dev default: passed via --dart-define at release build time. The SDK no-ops silently if absent. See Observability

All values are injected via --dart-define at build time. Always pass APP_ENV=production and the correct API_BASE_URL in release builds. The mobile app does not use VAPID keys; push subscriptions are handled via the web frontend.


Where Each Variable Is Set​

EnvironmentWhere to Set
Local development.env in project root (gitignored)
Staging / Production webDokploy → frontend application → Environment tab
Staging / Production backendDokploy → backend application → Environment tab
Mobile CI/CDGitHub Actions secrets (if automated) or local signing config

Note: docs.pasarseken.id (this site) still deploys via Vercel and has its own separate env configuration there.


Adding a New Variable​

  1. Add to .env.example with a placeholder value and comment
  2. Add to this page with description
  3. Set the value in all environments (Dokploy frontend/backend env tabs as appropriate)
  4. Update Deployment → if the deploy process changes

After adding new env vars to production, update this log entry in Changelog →.


Key Rotation​

Rotate all API keys:

When rotating:

  1. Generate new key in the service dashboard
  2. Update in all environments before revoking the old key
  3. Verify health checks pass after rotation
  4. Document the rotation date