Environment Variables
All environment variables required to run Seken locally and in production. For developers setting up the project or deploying updates.
This page lists variable names only: never values. Get actual values from the team's shared secrets manager. Never commit values to git. If a secret is exposed, rotate it immediately, see Maintenance Guide →.
Web App (React / Vite)​
Set in .env (local) or Dokploy frontend container environment (production).
Variables prefixed with VITE_ are embedded into the browser bundle at build time. All others are build-time only and not exposed to browsers.
| Variable | Required | Description |
|---|---|---|
VITE_API_BASE_URL | ✅ | Base URL for backend API calls (NestJS service) |
VITE_VAPID_PUBLIC_KEY | ✅ | VAPID public key for Web Push subscriptions |
VITE_SENTRY_DSN | ✅ | Sentry DSN for web error tracking. Public DSN, safe to expose to the browser bundle. See Observability |
Backend (NestJS)​
Set in .env (local) or Dokploy backend container environment (production).
| Variable | Required | Service | Description |
|---|---|---|---|
DATABASE_URL | ✅ | PostgreSQL | Full connection string (Supavisor session pooler URL in production; local Postgres in dev). Never mix staging and production values. |
JWT_SECRET | ✅ | Auth | Secret for signing and verifying SEKEN JWTs (X-User-Token). Generate a distinct value per environment. |
XENDIT_SECRET_KEY | ✅ | Xendit | Secret key for payment API calls |
XENDIT_WEBHOOK_VERIFICATION_TOKEN | ✅ | Xendit | Webhook token, used in timing-safe comparison |
OPENAI_API_KEY | ✅ | OpenAI | API key for GPT-4o mini, AI listing categorization, KTP OCR, customer assistant, ops assistant |
RESEND_API_KEY | ✅ | Resend | API key for transactional email |
BITESHIP_API_KEY | ✅ | Biteship | API key for shipping rates and booking |
SENTRY_DSN_SERVER | ✅ | Sentry | DSN for backend error tracking. If unset, error reporting is a no-op. See Observability |
VAPID_PRIVATE_KEY | ✅ | Web Push | VAPID private key for push notifications |
VAPID_SUBJECT | ✅ | Web Push | VAPID subject (typically mailto:...) |
SHIPPING_QUOTE_SIGNING_KEY | ✅ | Shipping | HMAC signing key for shipping quote tokens. Minimum 32 chars. Generate a distinct value per environment. |
FRONTEND_URL | ✅ | Internal | Base frontend URL used in the Xendit payment retry path and OAuth callbacks. Do not hardcode subdomains in retry URLs. |
LOG_LEVEL | optional | Internal | Backend log verbosity: debug / info / warn / error. Defaults sensibly if unset. |
OPENAI_VISION_MODEL | optional | OpenAI | Overrides the OpenAI model used for vision / OCR calls. Defaults to gpt-4o-mini when unset. |
CRON_SECRET | ✅ | Cron | Shared secret protecting the in-process scheduled job endpoints (escrow-check, disbursement-send, strikes-expire, cache-warm). Self-generated secure random string. |
S3_ACCESS_KEY | ✅ | Storage | DigitalOcean Spaces access key ID for file uploads |
S3_SECRET_KEY | ✅ | Storage | DigitalOcean Spaces secret access key |
S3_ENDPOINT | ✅ | Storage | Spaces endpoint URL (e.g. https://sgp1.digitaloceanspaces.com) |
S3_BUCKET | ✅ | Storage | Default bucket name for listing photos and uploads |
SEKEN_EXTRA_CORS | optional | Internal | Comma-separated list of extra allowed CORS origins, appended at runtime to the hardcoded allowlist for time-bound additions (e.g. a preview domain). |
Flutter Mobile App​
Set in a local .env file or injected at build time via --dart-define.
| Variable | Required | Description |
|---|---|---|
APP_ENV | optional | development / staging / production (defaults to development) |
API_BASE_URL | ✅ | NestJS backend base URL (e.g. https://api.pasarseken.id). No default for production; must be passed explicitly. |
SENTRY_DSN_MOBILE | release | Sentry DSN for mobile crash reporting. No dev default: passed via --dart-define at release build time. The SDK no-ops silently if absent. See Observability |
All values are injected via --dart-define at build time. Always pass APP_ENV=production and the correct API_BASE_URL in release builds. The mobile app does not use VAPID keys; push subscriptions are handled via the web frontend.
Where Each Variable Is Set​
| Environment | Where to Set |
|---|---|
| Local development | .env in project root (gitignored) |
| Staging / Production web | Dokploy → frontend application → Environment tab |
| Staging / Production backend | Dokploy → backend application → Environment tab |
| Mobile CI/CD | GitHub Actions secrets (if automated) or local signing config |
Note: docs.pasarseken.id (this site) still deploys via Vercel and has its own separate env configuration there.
Adding a New Variable​
- Add to
.env.examplewith a placeholder value and comment - Add to this page with description
- Set the value in all environments (Dokploy frontend/backend env tabs as appropriate)
- Update Deployment → if the deploy process changes
After adding new env vars to production, update this log entry in Changelog →.
Key Rotation​
Rotate all API keys:
- On a security incident (see Maintenance Guide →)
- Every 6 months as part of the monthly maintenance cycle (see Maintenance Guide →)
When rotating:
- Generate new key in the service dashboard
- Update in all environments before revoking the old key
- Verify health checks pass after rotation
- Document the rotation date