Environment Variables
Never commit .env files to source control. Only commit .env.example templates.
Backend — apps/backend/.env
| Variable | Required | Description |
|---|---|---|
| NODE_ENV | ✅ | development or production |
| PORT | ✅ | Server port. Default: 3000. Production: 3500 |
| MONGODB_URI | ✅ | Full MongoDB connection string |
| JWT_SECRET | ✅ | Secret for signing JWT tokens. Must be strong in prod |
| JWT_REFRESH_SECRET | | Refresh token secret (reserved for refresh token flow) |
| A_ACCESS_KEY_ID | ✅ | AWS Access Key ID for SES |
| A_SECRET_ACCESS_KEY | ✅ | AWS Secret Access Key for SES |
| SOURCE_EMAIL | ✅ | Verified SES sender email address |
Example .env
```bash
NODE_ENV=development
PORT=3500
MONGODB_URI=mongodb://localhost:27017/myapp
JWT_SECRET=replace-with-a-long-random-string
JWT_REFRESH_SECRET=replace-with-another-long-random-string
A_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
A_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SOURCE_EMAIL=noreply@intecoglogistech.com
```
Frontend — apps/frontend/.env
| Variable | Required | Description |
|---|---|---|
| VITE_API_BASE_URL | ✅ | Base URL for all Axios requests |
| VITE_APP_ENV | | development or production |
Example .env
```bash
VITE_API_BASE_URL=http://localhost:3500
VITE_APP_ENV=development
```
Production .env.production
```bash
VITE_API_BASE_URL=https://app.intecoglogistech.com
VITE_APP_ENV=production
```
WARNING
VITE_ vars are embedded at build time into the JavaScript bundle. They are visible to anyone who views the page source. Never put secrets, keys, or tokens here.
Variable Resolution Order (Vite)
Vite resolves .env files in this priority order (highest wins):
1. .env.{mode}.local (e.g. .env.production.local — not committed)
2. .env.{mode} (e.g. .env.production)
3. .env.local (not committed)
4. .env (fallback)

AWS Region for SES
email.service.js hardcodes region: 'ap-south-1' for the AWS SES client. To change the region, update it in apps/backend/src/services/aws/email.service.js.
Security Notes
DANGER
- Never hardcode secrets in source code
- The deviceAuthCheck static token should be moved to an environment variable (DEVICE_AUTH_TOKEN)
- Always use a strong, random string for JWT_SECRET (≥ 32 characters)
- AWS credentials in .env should be scoped to the minimum required permissions (SES SendEmail only)
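
A startup check that enforces the rules on this page, shown as an added example rather than code from this project. The helper names validateBackendEnv and findExposedViteSecrets are hypothetical, the required list is taken from the backend table, and the placeholder pattern assumes values copied from the example .env.

```javascript
// Added example, not project code: startup checks for the variables documented here.
// validateBackendEnv and findExposedViteSecrets are hypothetical helper names.
const REQUIRED = ['NODE_ENV', 'PORT', 'MONGODB_URI', 'JWT_SECRET',
  'A_ACCESS_KEY_ID', 'A_SECRET_ACCESS_KEY', 'SOURCE_EMAIL'];
const MIN_SECRET_LENGTH = 32;          // from the Security Notes
const PLACEHOLDER = /^replace-with-/;  // assumption: value copied from the example .env

function validateBackendEnv(env) {
  const errors = [];
  for (const name of REQUIRED) {
    if (!env[name] || env[name].trim() === '') errors.push(`${name} is required`);
  }
  if (env.NODE_ENV && !['development', 'production'].includes(env.NODE_ENV)) {
    errors.push('NODE_ENV must be development or production');
  }
  const port = Number(env.PORT);
  if (env.PORT && !(Number.isInteger(port) && port > 0 && port < 65536)) {
    errors.push('PORT must be an integer between 1 and 65535');
  }
  for (const name of ['JWT_SECRET', 'JWT_REFRESH_SECRET']) {
    const value = env[name];
    if (!value) continue; // refresh secret is optional; a missing JWT_SECRET is reported above
    if (value.length < MIN_SECRET_LENGTH) {
      errors.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
    }
    if (PLACEHOLDER.test(value)) errors.push(`${name} still holds the template placeholder`);
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.JWT_REFRESH_SECRET) {
    errors.push('JWT_REFRESH_SECRET should differ from JWT_SECRET');
  }
  return errors;
}

// VITE_ variables are embedded in the bundle, so flag names that suggest a secret.
function findExposedViteSecrets(env) {
  return Object.keys(env).filter(
    (name) => name.startsWith('VITE_') && /(SECRET|TOKEN|PASSWORD|PRIVATE|ACCESS_KEY)/i.test(name)
  );
}

// Constructed sample input mirroring the example .env above (sender address is made up).
const sample = {
  NODE_ENV: 'development', PORT: '3500',
  MONGODB_URI: 'mongodb://localhost:27017/myapp',
  JWT_SECRET: 'replace-with-a-long-random-string',
  A_ACCESS_KEY_ID: 'AKIAIOSFODNN7EXAMPLE',
  A_SECRET_ACCESS_KEY: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  SOURCE_EMAIL: 'noreply@example.com',
};
console.log(validateBackendEnv(sample));
```

Call validateBackendEnv(process.env) before the server starts listening and exit if the returned list is not empty; run findExposedViteSecrets over the frontend env as a build step.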
