
Overview

Money Tracker requires environment variables in two locations:
  1. packages/frontend/.env - Frontend application configuration
  2. supabase/functions/.env - Edge Functions configuration
Create these files from the provided examples:
cp packages/frontend/.env.example packages/frontend/.env
cp supabase/functions/.env.example supabase/functions/.env

Frontend variables

Location: packages/frontend/.env
SUPABASE_URL
string
required
The Supabase project URL.
  • Local: http://127.0.0.1:54321
  • Production: https://your-project-ref.supabase.co
SUPABASE_ANON_KEY
string
required
The Supabase anonymous (public) API key. It is safe to ship in browser code only because every request made with it is subject to your Row Level Security (RLS) policies; a table without RLS enabled is fully readable and writable by anyone holding this key.
  • Local: Displayed in terminal after running supabase start
  • Production: Found in Supabase Dashboard under Settings > API
PORT
number
default:"3000"
The port where the frontend development server runs.
XAI_API_KEY
string
Optional xAI API key for running E2E tests that involve AI extraction.

Example frontend .env

# Local development
SUPABASE_URL=http://127.0.0.1:54321
SUPABASE_ANON_KEY=your_supabase_anon_key_here
PORT=3000
XAI_API_KEY=

Edge Functions variables

Location: supabase/functions/.env

Supabase configuration

SUPABASE_URL
string
required
The Supabase project URL. Must match the frontend value.
  • Local: http://127.0.0.1:54321
  • Production: https://your-project-ref.supabase.co
SUPABASE_ANON_KEY
string
required
The Supabase anonymous API key.
SUPABASE_SERVICE_ROLE_KEY
string
required
The Supabase service role key. It has elevated privileges: it bypasses Row Level Security (RLS) policies and can manage users.
Never expose this key in client-side code or commit it to version control. It belongs in supabase/functions/.env and in Edge Functions secrets only, never in packages/frontend/.env.
FRONTEND_URL
string
required
The URL of your frontend application for OAuth redirects.
  • Local: http://localhost:3000
  • Production: https://your-domain.com

Google OAuth configuration

GOOGLE_CLIENT_ID
string
required
OAuth 2.0 client ID from Google Cloud Console. Required for Gmail integration.
GOOGLE_CLIENT_SECRET
string
required
OAuth 2.0 client secret from Google Cloud Console.
Keep this secret secure. Never commit to version control.
OAUTH_REDIRECT_URI
string
required
The OAuth callback URL. Must match the authorized redirect URI in Google Cloud Console.
  • Local: http://localhost:3000/auth/callback
  • Production: https://your-domain.com/auth/callback
GOOGLE_PROJECT_ID
string
required
Your Google Cloud project ID. Required for Pub/Sub integration.
PUBSUB_TOPIC
string
required
The Google Cloud Pub/Sub topic name for Gmail push notifications. Example: gmail-notifications

AI configuration

XAI_API_KEY
string
required
API key for the xAI Grok model. Used for extracting transaction data from emails and documents. Get your key from x.ai.

Langfuse configuration

Langfuse provides observability for AI operations.
LANGFUSE_SECRET_KEY
string
Langfuse secret key for authentication.
LANGFUSE_PUBLIC_KEY
string
Langfuse public key for authentication.
LANGFUSE_BASE_URL
string
default:"https://cloud.langfuse.com"
Langfuse API base URL. Use default for cloud hosting or your self-hosted URL.

CORS configuration

CORS_ALLOWED_ORIGINS
string
required
Comma-separated list of allowed origins for CORS. Each entry is a full origin (scheme, host and port), as in the example. Example: http://localhost:3000,http://127.0.0.1:3000
CORS_ALLOW_CREDENTIALS
boolean
default:"false"
Whether to allow credentials (cookies, Authorization headers) in CORS requests. When true, browsers reject a wildcard Access-Control-Allow-Origin, so CORS_ALLOWED_ORIGINS must list explicit origins.
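The two CORS variables above are only as good as the check that consumes them. The following is an added example, not Money Tracker's own code, showing how an Edge Function can parse CORS_ALLOWED_ORIGINS and CORS_ALLOW_CREDENTIALS and apply them to a request: the Origin header is matched exactly against the list (a prefix or substring test would accept http://localhost:3000.attacker.example), a wildcard combined with credentials is refused at startup, and disallowed preflights get a 403. The env object is passed in explicitly (in Deno you would build it from Deno.env.get) so the logic runs anywhere; the allowed methods and request headers are assumptions.

```typescript
// Added example, not Money Tracker's own code: enforcing CORS_ALLOWED_ORIGINS
// and CORS_ALLOW_CREDENTIALS in an Edge Function. The allowed methods and
// headers below are assumptions for illustration.

interface CorsPolicy {
  allowedOrigins: Set<string>; // full origins: scheme + host + port, or "*"
  allowCredentials: boolean;
}

/** Parse and validate the two CORS variables once, at startup. */
function parseCorsPolicy(env: Record<string, string | undefined>): CorsPolicy {
  const allowedOrigins = new Set(
    (env.CORS_ALLOWED_ORIGINS ?? "")
      .split(",")
      .map((o) => o.trim())
      .filter((o) => o !== ""),
  );
  if (allowedOrigins.size === 0) {
    throw new Error("CORS_ALLOWED_ORIGINS must list at least one origin");
  }
  const raw = (env.CORS_ALLOW_CREDENTIALS ?? "false").trim().toLowerCase();
  if (raw !== "true" && raw !== "false") {
    throw new Error("CORS_ALLOW_CREDENTIALS must be 'true' or 'false', got '" + raw + "'");
  }
  const allowCredentials = raw === "true";
  // Browsers reject '*' together with credentials, and reflecting whatever
  // Origin arrives would make the allow-list meaningless, so refuse the pair.
  if (allowCredentials && allowedOrigins.has("*")) {
    throw new Error("CORS_ALLOW_CREDENTIALS=true cannot be combined with a '*' origin");
  }
  return { allowedOrigins, allowCredentials };
}

/** CORS headers for one request, or null when the Origin is not allowed.
 *  Matching is exact: http://localhost:30001 and https://localhost:3000 do
 *  not match http://localhost:3000. */
function corsHeaders(policy: CorsPolicy, origin: string | null): Record<string, string> | null {
  if (origin === null) return null;
  const wildcard = policy.allowedOrigins.has("*"); // only reachable with credentials off
  if (!wildcard && !policy.allowedOrigins.has(origin)) return null;
  const headers: Record<string, string> = {
    "Access-Control-Allow-Origin": wildcard ? "*" : origin,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, content-type",
    "Vary": "Origin", // the answer depends on Origin, so shared caches must not reuse it
  };
  if (policy.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

/** Decide the response for a request: preflights from unknown origins get 403,
 *  allowed preflights 204, and normal requests proceed (200 stands in for the
 *  real handler) with CORS headers only when the Origin is allowed. A request
 *  without an Origin header (same-origin, curl, cron) simply gets no CORS headers. */
function handleCors(
  policy: CorsPolicy,
  method: string,
  origin: string | null,
): { status: number; headers: Record<string, string> } {
  const headers = corsHeaders(policy, origin);
  if (method === "OPTIONS") {
    return headers === null ? { status: 403, headers: {} } : { status: 204, headers };
  }
  return { status: 200, headers: headers ?? {} };
}
```

Because the allowed origin is echoed back rather than hard-coded, the Vary: Origin header matters: without it a CDN could cache a response carrying one origin's Access-Control-Allow-Origin and serve it to another.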

Internal authentication

INTERNAL_FUNCTIONS_SECRET
string
required
Internal secret token for edge function authentication. Used by the renew-watches cron job.
  • Local: local-dev-internal-secret (matches seed data)
  • Production: Generate a secure random string
This value must also be stored in the Supabase Vault. See Database Setup for instructions.
ENVIRONMENT
string
default:"development"
Optional runtime environment identifier for logging and debugging.
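INTERNAL_FUNCTIONS_SECRET is a shared secret, so two things decide whether it protects anything: that production never runs with the seeded local value, and that the comparison on the receiving side does not leak how much of the token was right. The following is an added example, not Money Tracker's own code, of both checks for a cron-triggered function such as renew-watches. Assumptions: the caller sends the secret in an x-internal-secret header, and ENVIRONMENT is "production" on the hosted deployment. In Deno or Node prefer crypto.timingSafeEqual from "node:crypto" for the comparison; it is written out by hand here so the block has no runtime dependency.

```typescript
// Added example, not Money Tracker's own code: validating INTERNAL_FUNCTIONS_SECRET
// at startup and checking it on each internal request. The `x-internal-secret`
// header name is an assumption for illustration.

const LOCAL_DEV_SECRET = "local-dev-internal-secret"; // the page's local value (matches seed data)
const MIN_PRODUCTION_SECRET_LENGTH = 32; // `openssl rand -base64 32` yields 44 characters

/** Validate the configured secret once at startup and fail fast on weak setups. */
function validateInternalSecret(secret: string | undefined, environment: string): string {
  if (secret === undefined || secret.trim() === "") {
    throw new Error("INTERNAL_FUNCTIONS_SECRET is not set");
  }
  if (environment === "production") {
    if (secret === LOCAL_DEV_SECRET) {
      throw new Error("INTERNAL_FUNCTIONS_SECRET is still the local development value");
    }
    if (secret.length < MIN_PRODUCTION_SECRET_LENGTH) {
      throw new Error("INTERNAL_FUNCTIONS_SECRET is too short for production");
    }
  }
  return secret;
}

/** Compare two strings without stopping at the first mismatch, so response time
 *  does not reveal how many leading characters were correct. A length mismatch is
 *  still rejected early; revealing the secret's length is accepted here, as it is
 *  in crypto.timingSafeEqual, which also requires equal lengths. */
function constantTimeEquals(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

/** Gate for the internal endpoint: a missing or wrong token gets 401 with no detail
 *  about which it was. `headers` uses lower-cased header names. */
function authorizeInternalRequest(
  headers: Record<string, string | undefined>,
  secret: string,
): { ok: boolean; status: number } {
  const presented = headers["x-internal-secret"];
  if (presented === undefined || !constantTimeEquals(presented, secret)) {
    return { ok: false, status: 401 };
  }
  return { ok: true, status: 200 };
}
```

Run validateInternalSecret once when the function module loads, not per request, so a misconfigured deployment fails on its first invocation instead of silently accepting the seeded secret.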

Example Edge Functions .env

# Supabase (local development; SUPABASE_URL must match packages/frontend/.env)
SUPABASE_URL=http://127.0.0.1:54321
SUPABASE_ANON_KEY=your_supabase_anon_key_here
SUPABASE_SERVICE_ROLE_KEY=your_supabase_service_role_key_here
FRONTEND_URL=http://localhost:3000

# Google OAuth
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
OAUTH_REDIRECT_URI=http://localhost:3000/auth/callback
GOOGLE_PROJECT_ID=your_google_project_id
PUBSUB_TOPIC=gmail-notifications

# AI
XAI_API_KEY=your_xai_api_key_here

# Langfuse (Optional)
LANGFUSE_SECRET_KEY=your_langfuse_secret_key
LANGFUSE_PUBLIC_KEY=your_langfuse_public_key
LANGFUSE_BASE_URL=https://cloud.langfuse.com

# CORS
CORS_ALLOWED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
CORS_ALLOW_CREDENTIALS=false

# Internal
INTERNAL_FUNCTIONS_SECRET=local-dev-internal-secret
ENVIRONMENT=development
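A function that starts with half its variables missing usually fails later, deep in a Google or xAI call, with a stack trace that may include the values it did have. The following is an added example, not Money Tracker's own code, of a fail-fast loader for the Edge Functions variables documented above: it names (never prints) missing required variables, applies the documented defaults, checks that the URL-valued variables parse and use https when ENVIRONMENT is production, and produces a redacted copy for logging. The variable names and defaults are the page's; the loader shape, the set of variables treated as secrets and the https rule are assumptions. Pass Deno.env.toObject() (or process.env) as env in a real function.

```typescript
// Added example, not Money Tracker's own code: fail-fast loading and safe
// logging of the Edge Functions environment. Names and defaults come from the
// variable reference above; which ones count as secrets is an assumption.

const REQUIRED_VARS = [
  "SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY", "FRONTEND_URL",
  "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "OAUTH_REDIRECT_URI", "GOOGLE_PROJECT_ID",
  "PUBSUB_TOPIC", "XAI_API_KEY", "CORS_ALLOWED_ORIGINS", "INTERNAL_FUNCTIONS_SECRET",
] as const;

const OPTIONAL_DEFAULTS = {
  LANGFUSE_SECRET_KEY: "",
  LANGFUSE_PUBLIC_KEY: "",
  LANGFUSE_BASE_URL: "https://cloud.langfuse.com",
  CORS_ALLOW_CREDENTIALS: "false",
  ENVIRONMENT: "development",
} as const;

// Values that must never appear in logs, error messages or responses.
const SECRET_VARS = new Set<string>([
  "SUPABASE_SERVICE_ROLE_KEY", "GOOGLE_CLIENT_SECRET", "XAI_API_KEY",
  "LANGFUSE_SECRET_KEY", "INTERNAL_FUNCTIONS_SECRET",
]);

type Config = Record<(typeof REQUIRED_VARS)[number] | keyof typeof OPTIONAL_DEFAULTS, string>;

function loadConfig(env: Record<string, string | undefined>): Config {
  const missing = REQUIRED_VARS.filter((k) => (env[k] ?? "").trim() === "");
  if (missing.length > 0) {
    // Report names only; this message is likely to end up in logs.
    throw new Error("Missing required environment variables: " + missing.join(", "));
  }
  const cfg: Record<string, string> = {};
  for (const k of REQUIRED_VARS) cfg[k] = (env[k] as string).trim();
  for (const [k, def] of Object.entries(OPTIONAL_DEFAULTS)) cfg[k] = (env[k] ?? def).trim();

  const production = cfg.ENVIRONMENT === "production";
  for (const k of ["SUPABASE_URL", "FRONTEND_URL", "OAUTH_REDIRECT_URI", "LANGFUSE_BASE_URL"]) {
    let parsed: URL;
    try {
      parsed = new URL(cfg[k]);
    } catch {
      throw new Error(k + " is not a valid URL");
    }
    // OAuth codes and API keys travel over these URLs; plaintext is for local work only.
    if (production && parsed.protocol !== "https:") {
      throw new Error(k + " must use https in production");
    }
  }
  return cfg as Config;
}

/** Copy of the config that is safe to log or return from a health endpoint. */
function redactConfig(cfg: Config): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(cfg)) {
    out[k] = SECRET_VARS.has(k) && v !== "" ? "<redacted>" : v;
  }
  return out;
}
```

Note that the loader treats SUPABASE_ANON_KEY as non-secret, consistent with it being shipped to browsers, while the service role key is redacted everywhere; if you log the config at startup, log redactConfig(cfg), never cfg.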

Production deployment

For production deployments, set Edge Functions secrets using the Supabase CLI or Dashboard.

Using the CLI

supabase secrets set \
  FRONTEND_URL=... \
  GOOGLE_CLIENT_ID=... \
  GOOGLE_CLIENT_SECRET=... \
  OAUTH_REDIRECT_URI=... \
  GOOGLE_PROJECT_ID=... \
  PUBSUB_TOPIC=... \
  XAI_API_KEY=... \
  LANGFUSE_SECRET_KEY=... \
  LANGFUSE_PUBLIC_KEY=... \
  LANGFUSE_BASE_URL=... \
  CORS_ALLOWED_ORIGINS=https://your-domain.com \
  CORS_ALLOW_CREDENTIALS=false \
  INTERNAL_FUNCTIONS_SECRET=...
SUPABASE_URL, SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY are deliberately absent: hosted Edge Functions receive them automatically, and the CLI skips any secret whose name starts with SUPABASE_.
Secrets passed as command-line arguments end up in your shell history. To avoid that, keep the production values in a file outside the repository and load it in one step:
supabase secrets set --env-file /path/to/production.env
Generate a cryptographically secure value for INTERNAL_FUNCTIONS_SECRET in production (the same value must also be stored in the Supabase Vault, see Internal authentication above):
openssl rand -base64 32

Using the Dashboard

  1. Navigate to your project in the Supabase Dashboard
  2. Go to Settings > Edge Functions
  3. Click “Add secret”
  4. Enter each key-value pair
After setting secrets, you must redeploy your Edge Functions for the new values to take effect.

Security best practices

Never commit .env files to version control. The .env.example files are for reference only.
  • Add .env to your .gitignore file
  • Use different values for local and production environments
  • Rotate secrets regularly, especially after team member departures
  • Use environment-specific service accounts for Google Cloud integration
  • Monitor API usage for unusual patterns
  • Enable Google Cloud audit logging for OAuth and Pub/Sub access
