Environment Variables
Backend Environment Variables
Create backend/.env file:
# Server Configuration
PORT=8080
# Database Configuration
DATABASE_URL=postgres://username:password@localhost:5432/filesharing?sslmode=disable
# JWT Authentication (must be 32+ characters in production)
JWT_SECRET=your-super-secret-jwt-key-at-least-32-characters-long
# CORS (required in production; comma-separated origins, no *)
# Development: leave unset for localhost defaults
ALLOWED_ORIGINS=https://yourapp.vercel.app,https://admin.yourapp.vercel.app
# Payment Gateway (Razorpay)
RAZORPAY_KEY_ID=rzp_test_xxxxxxxxxxxxx
RAZORPAY_KEY_SECRET=your_razorpay_secret_here
RAZORPAY_WEBHOOK_SECRET=your_webhook_secret_here
RAZORPAY_ENV=test # 'test' or 'live'
# Email Service (Resend API - Recommended)
RESEND_API_KEY=re_xxxxxxxxxxxxx
FROM_EMAIL=noreply@yourdomain.com
FROM_NAME=Qprint
FRONTEND_URL=http://localhost:3000
# Email Service (SMTP - Alternative)
# SMTP_HOST=smtp.resend.com
# SMTP_PORT=587
# SMTP_USER=your_smtp_user
# SMTP_PASSWORD=your_smtp_password
# File Storage
# Option 1: Local Storage (Default)
USE_LOCAL_STORAGE=true
UPLOADS_DIR=uploads
# Option 2: AWS S3 (Production)
# AWS_S3_BUCKET=your-bucket-name
# AWS_REGION=us-east-1
# AWS_ACCESS_KEY_ID=your_access_key
# AWS_SECRET_ACCESS_KEY=your_secret_key
# Production: set so test mode is disabled
ENVIRONMENT=development # 'development' or 'production'
TEST_MODE=false # Do not set true in production
# Optional: Restrict admin panel to specific IPs (comma-separated). Leave unset to allow all IPs.
# ALLOWED_ADMIN_IPS=1.2.3.4,5.6.7.8
# Optional: HTTPS directly on server (cert and key paths)
# TLS_CERT_FILE=/path/to/fullchain.pem
# TLS_KEY_FILE=/path/to/privkey.pem
# Optional: Shop auto-close sweeper (heartbeat + web activity)
# SHOP_SWEEPER_INTERVAL_SECONDS=60 # How often to run (default: 60)
# SHOP_APP_HEARTBEAT_TIMEOUT_MINUTES=12 # Close if app heartbeat older than this (default: 12)
# SHOP_WEB_ACTIVITY_TIMEOUT_MINUTES=25 # Close if web activity older than this (default: 25)
# Optional: Debug/Logging
# LOG_LEVEL=debug # Set to 'debug' for verbose logging
# DEBUG=true # Alternative to LOG_LEVEL
# PAYMENT_LINK_EXPIRY_MINUTES=30 # Payment link expiry (default: 30)
Frontend Environment Variables
Create frontend/.env.local (optional, defaults to localhost:8080):
NEXT_PUBLIC_API_URL=http://localhost:8080
Note: Razorpay key is fetched from the backend during payment order creation, so no frontend Razorpay key is needed.
Admin Frontend Environment Variables
Create admin_frontend/.env.local:
NEXT_PUBLIC_API_URL=http://localhost:8080
# Optional: Main site URL for "Preview download page" link on App Download Links page
# NEXT_PUBLIC_MAIN_APP_URL=https://yourapp.vercel.app
Mobile Apps Configuration
Customer App (customer_app/)
- Update
lib/services/api_service.dartwith backend URL - Configure Google Maps API key in
android/app/src/main/AndroidManifest.xml
Shopkeeper App (shopkeeper_app/)
- Update
lib/services/api_service.dartwith backend URL
Environment Variable Reference
Required Variables
| Variable | Description | Example / Notes |
|---|---|---|
DATABASE_URL | PostgreSQL connection string | postgres://user:pass@localhost:5432/db |
JWT_SECRET | Secret key for JWT tokens; must be 32+ characters | openssl rand -base64 32 |
PORT | Backend server port | 8080 (local), 10000 (Render) |
ALLOWED_ORIGINS | CORS allowed origins (production); comma-separated | https://yourapp.vercel.app (no * in production) |
Optional Variables
| Variable | Description | Default |
|---|---|---|
ENVIRONMENT | development or production; production disables test mode | - |
TEST_MODE | Bypass payment validation (do not use in production) | false |
RAZORPAY_KEY_ID | Razorpay API key ID | - |
RAZORPAY_KEY_SECRET | Razorpay API secret | - |
RAZORPAY_WEBHOOK_SECRET | Required for payment webhooks | - |
RESEND_API_KEY | Resend API key for emails | - |
FRONTEND_URL | Base URL for password-reset links | - |
USE_LOCAL_STORAGE | Use local file storage | true |
AWS_S3_BUCKET, AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY | S3 file storage | - |
TLS_CERT_FILE, TLS_KEY_FILE | Paths to TLS cert and key for HTTPS on server | - |
SHOP_SWEEPER_INTERVAL_SECONDS | Interval (seconds) for shop auto-close sweeper | 60 |
SHOP_APP_HEARTBEAT_TIMEOUT_MINUTES | Auto-close shop if app heartbeat older than this | 12 |
SHOP_WEB_ACTIVITY_TIMEOUT_MINUTES | Auto-close shop if web activity older than this | 25 |
Security Notes
- Never commit
.envfiles to version control - JWT_SECRET must be at least 32 characters in production (server will not start otherwise)
- ALLOWED_ORIGINS must be set in production to your real frontend URL(s); no default
* - Set ENVIRONMENT=production on production hosts (e.g. Render)
- Keep API keys and secrets secure; use different values for development and production
- Consider using secret management services in production