Hayon reads its configuration from environment variables at startup. The backend validates all required variables immediately — if any are missing, the process throws an error and exits. This page documents every variable, grouped by category.
Frontend variables use the NEXT_PUBLIC_ prefix and are the only variables that are sent to the browser. All other variables are backend-only and must never be exposed to the client.

Backend environment variables

Create a .env file at backend/.env. All variables in this section are required unless marked as optional.

Application

Core settings that control the server’s runtime behaviour.

| Variable | Description | Required | Example |
| --- | --- | --- | --- |
| NODE_ENV | Runtime environment. Controls HTTPS setup and trust proxy settings. | Required | development or production |
| PORT | Port the Express server listens on. Defaults to 5000 if not set. | Optional | 5000 |
| FRONTEND_URL | Full URL of the frontend application. Used for CORS and Socket.IO origin validation. | Required | http://localhost:3000 |
| BACKEND_URL | Full URL of the backend itself. Used to construct callback URLs in development. | Required | https://dev.hayon.site:5000 |

When NODE_ENV=production, the server:
  • Enables Express trust proxy
  • Creates a plain HTTP server (HTTPS is terminated at Nginx)

When NODE_ENV=development, the server creates an HTTPS server directly using local SSL certificates (dev.hayon.site+2-key.pem and dev.hayon.site+2.pem).

FRONTEND_URL is used in two places:
  1. The CORS middleware — only requests from this origin are allowed.
  2. The Socket.IO server — only connections from this origin are accepted.

In production, set FRONTEND_URL to your Vercel deployment URL (e.g., https://app.yourdomain.com).

Database (MongoDB)

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| MONGODB_URI | MongoDB connection string. Supports both local and Atlas connections. | Required | mongodb://localhost:27017/hayon | Your local MongoDB instance or the Connect dialog in MongoDB Atlas |

For MongoDB Atlas, your connection string will look like: mongodb+srv://username:[email protected]/hayon

Include the database name (/hayon) at the end of the URI to ensure Mongoose connects to the correct database.

Authentication (JWT)

Hayon uses separate access and refresh token secrets for enhanced security.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| ACCESS_TOKEN_SECRET | Secret used to sign short-lived access JWTs. | Required | a-long-random-string | Generate with openssl rand -hex 64 |
| REFRESH_TOKEN_SECRET | Secret used to sign long-lived refresh JWTs. Must differ from ACCESS_TOKEN_SECRET. | Required | another-long-random-string | Generate with openssl rand -hex 64 |
| JWT_EXPIRES_IN | Access token expiry duration. Accepts any value accepted by the jsonwebtoken library. | Optional | 7d | Set to your preference (e.g., 15m, 1h, 7d) |

Use a different secret for ACCESS_TOKEN_SECRET and REFRESH_TOKEN_SECRET. Both must be long, random strings. Never use the same value for both.

Google OAuth

Used for Google Sign-In (Passport.js strategy) and the Gemini AI integration.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| GOOGLE_CLIENT_ID | OAuth 2.0 client ID from Google Cloud. | Required | 123456789-xxxx.apps.googleusercontent.com | APIs & Services > Credentials in the Google Cloud Console |
| GOOGLE_CLIENT_SECRET | OAuth 2.0 client secret. | Required | GOCSPX-xxxx | Same location as the client ID |
| GOOGLE_CALLBACK_URL | Redirect URI registered in the Google Cloud Console. Must match exactly. | Required | http://localhost:5000/api/auth/google/callback | Set in Authorised redirect URIs when creating the OAuth client |

Cache (Redis)

Hayon uses Redis for caching and session data. The client is configured using host and port separately.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| REDIS_HOST | Hostname or IP address of the Redis server. | Required | localhost | Your local Redis instance or hosted Redis provider |
| REDIS_PORT | Port the Redis server is listening on. | Required | 6379 | Default Redis port is 6379 |
| REDIS_PASSWORD | Password for Redis authentication. Leave empty for unauthenticated local instances. | Optional | your-redis-password | Set in redis.conf or your hosted Redis provider dashboard |

Message queue (RabbitMQ)

RabbitMQ is used as the message broker for scheduling and processing posts in background workers.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| RABBITMQ_URL | AMQP connection URL for RabbitMQ. | Required | amqp://localhost:5672 | Your local RabbitMQ instance. For hosted services (e.g., CloudAMQP), copy the connection URL from the dashboard. |

If RABBITMQ_URL points to an unavailable broker, the backend will fail to start and post publishing will not work. Ensure RabbitMQ is running before starting the backend.

Storage (AWS S3)

All media uploads (post images, profile photos) are stored in an S3 bucket.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| AWS_ACCESS_KEY_ID | AWS IAM access key ID with S3 permissions. | Required | AKIAIOSFODNN7EXAMPLE | IAM > Users > Security credentials in the AWS Console |
| AWS_SECRET_ACCESS_KEY | AWS IAM secret access key. | Required | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY | Shown once when you create the access key in IAM |
| AWS_REGION | AWS region where your S3 bucket is located. | Required | us-east-1 | The region shown in the S3 bucket details |
| AWS_S3_BUCKET_NAME | Name of the S3 bucket where media files are stored. | Required | hayon-media-prod | The bucket name in S3 > Buckets |

For production, use an IAM policy scoped to only the specific S3 bucket rather than AmazonS3FullAccess. This limits the blast radius if the credentials are ever compromised.
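
One way to check that a policy follows this advice, as an added example that is not part of Hayon's code: the function flags S3 grants that reach beyond the bucket named in AWS_S3_BUCKET_NAME. The action list in the scoped policy is an assumption about what a media-upload backend needs, and both policy documents are constructed samples.

```javascript
// Returns one finding per S3 grant that is wider than a single bucket.
// Limitation: NotAction / NotResource statements are not analysed.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function findOverbroadS3Grants(policy, bucket) {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  // Allowed resources: the bucket itself, or object keys under it.
  const inBucket = (r) => r === bucketArn || r.startsWith(`${bucketArn}/`);
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const s3Actions = asList(stmt.Action).filter((a) => a === "*" || /^s3:/i.test(a));
    if (s3Actions.length === 0) return; // statement does not touch S3
    for (const a of s3Actions) {
      if (a === "*" || a.toLowerCase() === "s3:*") {
        findings.push(`Statement ${i}: wildcard action ${a}`);
      }
    }
    for (const r of asList(stmt.Resource)) {
      if (!inBucket(r)) findings.push(`Statement ${i}: resource ${r} is outside ${bucketArn}`);
    }
  });
  return findings;
}

// Constructed sample: scoped to the example bucket from the table above.
// The three object actions are an assumed minimum for upload, read and delete.
const SCOPED_POLICY = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
    Resource: "arn:aws:s3:::hayon-media-prod/*",
  }],
};

// Constructed sample: the shape of a full-access grant.
const FULL_ACCESS_STYLE_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "s3:*", Resource: "*" }],
};

console.log(findOverbroadS3Grants(SCOPED_POLICY, "hayon-media-prod"));
console.log(findOverbroadS3Grants(FULL_ACCESS_STYLE_POLICY, "hayon-media-prod"));
```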

Payments (Stripe)

Hayon uses Stripe for subscription management. The platform supports free and pro plans.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| STRIPE_SECRET_KEY | Stripe API secret key. Use sk_test_... in development and sk_live_... in production. | Required | sk_test_51xxx | Developers > API keys in the Stripe Dashboard |
| STRIPE_PUBLISHABLE_KEY | Stripe publishable key. Sent to the frontend for client-side Stripe.js initialisation. | Required | pk_test_51xxx | Same location as the secret key |
| STRIPE_WEBHOOK_SECRET | Signing secret for validating incoming Stripe webhook events. | Required | whsec_xxx | Developers > Webhooks — shown when you create or view a webhook endpoint |
| STRIPE_PRO_PRICE_ID | Stripe Price ID for the Pro subscription plan. | Required | price_1xxx | Products > [Your product] > Pricing in the Stripe Dashboard |

  1. In the Stripe Dashboard, go to Developers > Webhooks.
  2. Click Add endpoint.
  3. Set the endpoint URL to https://your-backend-domain/api/payments/webhook.
  4. Select the events you want to receive: customer.subscription.created, customer.subscription.updated, customer.subscription.deleted, invoice.payment_succeeded, invoice.payment_failed.
  5. Click Add endpoint and copy the signing secret.
  6. Set STRIPE_WEBHOOK_SECRET to this value.
For local testing, use the Stripe CLI to forward webhook events:
stripe listen --forward-to localhost:5000/api/payments/webhook
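
What STRIPE_WEBHOOK_SECRET protects, as an added example that is not Hayon's handler code: Stripe sends a Stripe-Signature header containing a timestamp and an HMAC-SHA256 of "timestamp.raw body" keyed with the signing secret, and the receiver recomputes it. The secret, event body and timestamp below are constructed, and the 300-second tolerance matches the default in Stripe's official libraries.

```javascript
const crypto = require("node:crypto");

// Stripe-Signature looks like "t=<unix seconds>,v1=<hex HMAC>[,v1=<hex HMAC>]".
// The signed string is "<t>.<raw body>", HMAC-SHA256, keyed with STRIPE_WEBHOOK_SECRET.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const pairs = String(header || "").split(",").map((p) => p.trim().split("="));
  const t = (pairs.find(([k]) => k === "t") || [])[1];
  const candidates = pairs.filter(([k]) => k === "v1").map(([, v]) => v || "");
  if (!/^\d+$/.test(t || "") || candidates.length === 0) {
    return { ok: false, reason: "malformed header" };
  }
  // A correctly signed but old event is rejected so a captured request cannot be replayed.
  if (Math.abs(nowSec - Number(t)) > toleranceSec) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }
  const expected = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const match = candidates.some((hex) => {
    const given = Buffer.from(hex, "hex");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
  return match ? { ok: true, reason: "valid" } : { ok: false, reason: "signature mismatch" };
}

// Constructed inputs: secret, event body and timestamp are made up for the demonstration.
const SECRET = "whsec_constructed_example";
const BODY = '{"id":"evt_constructed","type":"invoice.payment_failed"}';
const T = 1700000000;
const HEADER = `t=${T},v1=` +
  crypto.createHmac("sha256", SECRET).update(`${T}.${BODY}`).digest("hex");

function demo() {
  // Re-serialised JSON differs byte for byte from what was signed, so it fails.
  const reparsedBody = JSON.stringify(JSON.parse(BODY), null, 2);
  return {
    genuine: verifyStripeSignature(BODY, HEADER, SECRET, T + 10).reason,
    reparsed: verifyStripeSignature(reparsedBody, HEADER, SECRET, T + 10).reason,
    replayed: verifyStripeSignature(BODY, HEADER, SECRET, T + 3600).reason,
    wrongSecret: verifyStripeSignature(BODY, HEADER, "whsec_other", T + 10).reason,
  };
}
console.log(demo());
```

The "reparsed" case is why an Express webhook route needs the unparsed request body (for example via express.raw) rather than the output of a JSON body parser. Stripe's official Node library performs the same verification through stripe.webhooks.constructEvent.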

AI (Gemini)

Hayon uses Google Gemini to generate platform-specific captions for posts.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| GEMINI_API_KEY | API key for the Google Gemini Generative Language API. | Required | AIzaSyXxxx | APIs & Services > Credentials in the Google Cloud Console — create an API key with the Generative Language API enabled |

Email

Hayon sends transactional emails (e.g., OTP codes) via Gmail using Nodemailer.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| EMAIL_USER | Gmail address used to send transactional emails. | Required | [email protected] | Your Gmail account |
| EMAIL_PASS | Gmail App Password (not your Google account password). Required when 2FA is enabled. | Required | abcd efgh ijkl mnop | Google Account > Security > App passwords |

You must enable 2-Step Verification on your Google account before you can create an App Password. Standard Gmail passwords will not work with Nodemailer.

Social platform integrations

Hayon supports connecting multiple social platforms. Each requires its own OAuth credentials.

| Variable | Description | Required | Example |
| --- | --- | --- | --- |
| META_APP_ID | Meta developer app ID | Required | 1234567890 |
| META_APP_SECRET | Meta developer app secret | Required | abc123def456 |
| META_REDIRECT_URI | OAuth callback URL registered in the Meta app | Required | http://localhost:5000/api/platform/meta/callback |

Obtain credentials from the Meta for Developers portal.

| Variable | Description | Required | Example |
| --- | --- | --- | --- |
| THREADS_APP_ID | Threads app ID from Meta’s developer portal | Required | 1234567890 |
| THREADS_APP_SECRET | Threads app secret | Required | abc123def456 |
| THREADS_REDIRECT_URI | OAuth callback URL | Required | http://localhost:5000/api/platform/threads/callback |

Threads uses Meta’s developer platform. Configure in the Meta for Developers portal.

| Variable | Description | Required | Example |
| --- | --- | --- | --- |
| TUMBLR_CONSUMER_KEY | Tumblr OAuth 1.0a consumer key | Required | abcdefghijklmnopqrstuvwxyz |
| TUMBLR_CONSUMER_SECRET | Tumblr OAuth 1.0a consumer secret | Required | abcdefghijklmnopqrstuvwxyz |

Obtain from the Tumblr Developer Apps page.

| Variable | Description | Required | Example |
| --- | --- | --- | --- |
| MASTODON_CLIENT_KEY | Mastodon OAuth client key | Required | abc123... |
| MASTODON_CLIENT_SECRET | Mastodon OAuth client secret | Required | xyz789... |
| MASTODON_CALLBACK_URL | OAuth callback URL | Required | http://localhost:5000/api/platform/mastodon/callback |
| MASTODON_INSTANCE_URL | The Mastodon instance to connect to | Required | https://mastodon.social |

Register your application at https://mastodon.social/settings/applications (or your chosen instance).

Monitoring

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| BETTER_STACK_TOKEN | Better Stack (Logtail) ingestion token for structured log shipping. | Required | your-logtail-token | Sources in the Better Stack Dashboard |

Frontend environment variables

Create a .env.local file at frontend/.env.local. Next.js reads this file automatically.

| Variable | Description | Required | Example | Where to get it |
| --- | --- | --- | --- | --- |
| NEXT_PUBLIC_API_BASE_URL | Base URL of the running Hayon backend API. All HTTP and WebSocket requests are sent to this URL. | Required | http://localhost:5000 | The host and port where your backend is running |
| NEXT_PUBLIC_GOOGLE_CLIENT_ID | Google OAuth 2.0 client ID used to initialise the Google Sign-In button in the browser. Must match the backend GOOGLE_CLIENT_ID. | Required | 123456789-xxxx.apps.googleusercontent.com | APIs & Services > Credentials in the Google Cloud Console |

NEXT_PUBLIC_ variables are embedded into the browser bundle at build time. Never prefix sensitive secrets (private keys, webhook secrets) with NEXT_PUBLIC_.
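
The rules this page states (required variables present at startup, distinct JWT secrets, test versus live Stripe keys, and no secrets behind NEXT_PUBLIC_) can be checked in one pass before deployment. The following is an added example, not Hayon's own validation code; the REQUIRED list is an assumed subset of the documented variables, the 64-character floor and the name heuristic are assumptions, and the sample environment is constructed.

```javascript
// REQUIRED is an assumed subset of the backend variables documented on this page.
const REQUIRED = [
  "NODE_ENV", "FRONTEND_URL", "BACKEND_URL", "MONGODB_URI",
  "ACCESS_TOKEN_SECRET", "REFRESH_TOKEN_SECRET",
  "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET",
];
const SECRET_NAME = /SECRET|PASS|PRIVATE|TOKEN/;     // assumed name heuristic
const SECRET_VALUE = /^(sk_(test|live)_|whsec_)/;    // Stripe prefixes from this page
const MIN_SECRET_LENGTH = 64; // assumed floor; `openssl rand -hex 64` yields 128 characters

function checkEnv(env) {
  const problems = [];
  const get = (name) => (env[name] || "").trim();

  for (const name of REQUIRED) {
    if (get(name) === "") problems.push(`${name} is missing or empty`);
  }
  for (const name of ["ACCESS_TOKEN_SECRET", "REFRESH_TOKEN_SECRET"]) {
    const v = get(name);
    if (v !== "" && v.length < MIN_SECRET_LENGTH) {
      problems.push(`${name} is shorter than ${MIN_SECRET_LENGTH} characters`);
    }
  }
  if (get("ACCESS_TOKEN_SECRET") !== "" && get("ACCESS_TOKEN_SECRET") === get("REFRESH_TOKEN_SECRET")) {
    problems.push("ACCESS_TOKEN_SECRET and REFRESH_TOKEN_SECRET must differ");
  }
  if (get("NODE_ENV") === "production" && get("STRIPE_SECRET_KEY").startsWith("sk_test_")) {
    problems.push("STRIPE_SECRET_KEY is a test key but NODE_ENV=production");
  }
  // Anything named NEXT_PUBLIC_* is embedded in the browser bundle at build time.
  for (const name of Object.keys(env)) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    if (SECRET_NAME.test(name) || SECRET_VALUE.test(get(name))) {
      problems.push(`${name} would ship a secret to the browser`);
    }
  }
  return problems;
}

// Constructed sample: every value below is made up for the demonstration.
const SAMPLE_BAD_ENV = {
  NODE_ENV: "production", FRONTEND_URL: "https://app.yourdomain.com",
  BACKEND_URL: "https://api.yourdomain.com", MONGODB_URI: "mongodb://localhost:27017/hayon",
  ACCESS_TOKEN_SECRET: "x".repeat(128), REFRESH_TOKEN_SECRET: "x".repeat(128),
  STRIPE_SECRET_KEY: "sk_test_constructed", STRIPE_WEBHOOK_SECRET: "",
  NEXT_PUBLIC_STRIPE_WEBHOOK_SECRET: "whsec_constructed",
};
console.log(checkEnv(SAMPLE_BAD_ENV).join("\n"));
```

In a startup script, pass process.env to checkEnv and exit with a non-zero status when the returned list is not empty.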

Quick reference: all variables

# Application
NODE_ENV=development
PORT=5000
FRONTEND_URL=http://localhost:3000
BACKEND_URL=https://dev.hayon.site:5000

# Database
MONGODB_URI=mongodb://localhost:27017/hayon

# Authentication
ACCESS_TOKEN_SECRET=
REFRESH_TOKEN_SECRET=
JWT_EXPIRES_IN=7d

# Google OAuth
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_CALLBACK_URL=http://localhost:5000/api/auth/google/callback

# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=

# RabbitMQ
RABBITMQ_URL=amqp://localhost:5672

# AWS S3
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_REGION=us-east-1
AWS_S3_BUCKET_NAME=

# Stripe
STRIPE_SECRET_KEY=sk_test_
STRIPE_PUBLISHABLE_KEY=pk_test_
STRIPE_WEBHOOK_SECRET=whsec_
STRIPE_PRO_PRICE_ID=price_

# Email
EMAIL_USER=
EMAIL_PASS=

# AI
GEMINI_API_KEY=

# Meta
META_APP_ID=
META_APP_SECRET=
META_REDIRECT_URI=http://localhost:5000/api/platform/meta/callback

# Threads
THREADS_APP_ID=
THREADS_APP_SECRET=
THREADS_REDIRECT_URI=http://localhost:5000/api/platform/threads/callback

# Tumblr
TUMBLR_CONSUMER_KEY=
TUMBLR_CONSUMER_SECRET=

# Mastodon
MASTODON_CLIENT_KEY=
MASTODON_CLIENT_SECRET=
MASTODON_CALLBACK_URL=http://localhost:5000/api/platform/mastodon/callback
MASTODON_INSTANCE_URL=https://mastodon.social

# Monitoring
BETTER_STACK_TOKEN=

# Frontend (frontend/.env.local)
NEXT_PUBLIC_API_BASE_URL=http://localhost:5000
NEXT_PUBLIC_GOOGLE_CLIENT_ID=
