
Overview

Nexus Access Vault uses environment variables for configuration. All variables are defined in the .env file at the root of your project. Copy .env.example to .env and configure the values for your deployment.
cp .env.example .env

Variable Categories

Supabase

Database and authentication backend

Zitadel

OIDC authentication provider

Network

Network access and isolation

Supabase Configuration

These variables configure the connection to your Supabase backend.

VITE_SUPABASE_PROJECT_ID

Type: string (required)
Your Supabase project ID. Find this in your Supabase project settings.
Example:
VITE_SUPABASE_PROJECT_ID="vbuwctubivhffkvhqwpp"
The project ID is visible in your Supabase project URL: https://app.supabase.com/project/[PROJECT_ID]

VITE_SUPABASE_PUBLISHABLE_KEY

Type: string (required)
Your Supabase anon/public API key. This key is safe to use in a browser.
Example:
VITE_SUPABASE_PUBLISHABLE_KEY="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Find this in your Supabase project settings under API > Project API keys > anon public.

VITE_SUPABASE_URL

Type: string (required)
The full URL to your Supabase project API endpoint.
Example:
VITE_SUPABASE_URL="https://vbuwctubivhffkvhqwpp.supabase.co"
Find this in your Supabase project settings under API > Project URL.

Zitadel OIDC Configuration

These variables configure authentication using Zitadel as the OIDC provider.
Before configuring these variables, you must create an OIDC application in your Zitadel instance. See Zitadel OIDC Setup for detailed instructions.

VITE_ZITADEL_ISSUER_URL

Type: string (required)
The base URL of your Zitadel instance. This is used for OIDC discovery.
Example:
VITE_ZITADEL_ISSUER_URL="https://manager.kappa4.com"
The issuer URL must be accessible from both the server and client browsers. Do not include trailing slashes.

VITE_ZITADEL_CLIENT_ID

Type: string (required)
The client ID of your OIDC application in Zitadel.
Example:
VITE_ZITADEL_CLIENT_ID="123456789@nexus-vault"
This is generated when you create an OIDC application in Zitadel. Find it in your Zitadel project under the application settings.

VITE_ZITADEL_REDIRECT_URI

Type: string (required)
The redirect URI where users will be sent after authentication. This must match the redirect URI configured in your Zitadel application.
Examples:
Development:
VITE_ZITADEL_REDIRECT_URI="http://localhost:8080/auth/callback"
Production (VPN):
VITE_ZITADEL_REDIRECT_URI="http://100.64.1.10:8080/auth/callback"
Production (Domain):
VITE_ZITADEL_REDIRECT_URI="https://vault.internal.company.com/auth/callback"
The redirect URI must be added to the allowed redirect URIs in your Zitadel application configuration. Mismatched URIs will cause authentication to fail.

Network Configuration

These variables control network access and isolation for your deployment.

VITE_NETWORK_MODE

Type: string (default: "internal")
Controls the network access mode for the application.
Values:
  • internal: Restricts access to internal network only (VPN required)
  • public: Allows public internet access
Example:
VITE_NETWORK_MODE="internal"
When set to internal, the application will enforce VPN-only access. Users must be connected to your Netbird network or VPN to access the portal.

VITE_INTERNAL_HOST

Type: string (required)
The internal IP address or DNS name where the application is accessible on your VPN network.
Examples:
Using Netbird IP:
VITE_INTERNAL_HOST="100.64.1.10"
Using internal DNS:
VITE_INTERNAL_HOST="vault.internal.company.com"
This should be the IP or hostname assigned by your VPN solution (Netbird, Tailscale, WireGuard, etc.)

Complete Configuration Example

Here’s a complete example .env file with all variables configured:
.env
# Supabase Configuration
VITE_SUPABASE_PROJECT_ID="vbuwctubivhffkvhqwpp"
VITE_SUPABASE_PUBLISHABLE_KEY="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InZidXdjdHViaXZoZmZrdmhxd3BwIiwicm9sZSI6ImFub24iLCJpYXQiOjE2OTk1NTU1NTUsImV4cCI6MjAxNTEzMTU1NX0.example"
VITE_SUPABASE_URL="https://vbuwctubivhffkvhqwpp.supabase.co"

# Zitadel OIDC Configuration
VITE_ZITADEL_ISSUER_URL="https://manager.kappa4.com"
VITE_ZITADEL_CLIENT_ID="123456789@nexus-vault"
VITE_ZITADEL_REDIRECT_URI="http://100.64.1.10:8080/auth/callback"

# Network Configuration
VITE_NETWORK_MODE="internal"
VITE_INTERNAL_HOST="100.64.1.10"

Environment-Specific Configurations

Development Environment

.env.development
# Supabase - use your dev project
VITE_SUPABASE_PROJECT_ID="dev-project-id"
VITE_SUPABASE_PUBLISHABLE_KEY="dev-anon-key"
VITE_SUPABASE_URL="https://dev-project.supabase.co"

# Zitadel - use localhost redirect
VITE_ZITADEL_ISSUER_URL="https://manager.kappa4.com"
VITE_ZITADEL_CLIENT_ID="dev-client-id"
VITE_ZITADEL_REDIRECT_URI="http://localhost:8080/auth/callback"

# Network - public access for development
VITE_NETWORK_MODE="public"
VITE_INTERNAL_HOST="localhost"

Production Environment

.env.production
# Supabase - use your production project
VITE_SUPABASE_PROJECT_ID="prod-project-id"
VITE_SUPABASE_PUBLISHABLE_KEY="prod-anon-key"
VITE_SUPABASE_URL="https://prod-project.supabase.co"

# Zitadel - use VPN IP redirect
VITE_ZITADEL_ISSUER_URL="https://manager.kappa4.com"
VITE_ZITADEL_CLIENT_ID="prod-client-id"
VITE_ZITADEL_REDIRECT_URI="http://100.64.1.10:8080/auth/callback"

# Network - internal only for production
VITE_NETWORK_MODE="internal"
VITE_INTERNAL_HOST="100.64.1.10"

Validation

You can validate your environment configuration by running the development server:
npm run dev
The application will fail to start if required variables are missing or invalid.
Never commit .env files to version control! Always use .env.example as a template and add .env to your .gitignore file.

Build-Time vs Runtime

All environment variables prefixed with VITE_ are embedded into the application at build time. This means:
Important: If you change any VITE_* variable, you must rebuild the application:
npm run build

Security Considerations

The following variables contain sensitive information:
  • VITE_SUPABASE_PUBLISHABLE_KEY (safe to expose in browser)
  • Zitadel client secrets (if using confidential clients)
Never commit these values to version control. Use .env.example with placeholder values instead.
All variables prefixed with VITE_ are exposed in the browser bundle. This is intentional and safe for:
  • Public API keys (like Supabase anon key)
  • OIDC configuration (client ID, issuer URL)
  • Network configuration
Never use the VITE_ prefix for truly secret values such as service account tokens or private keys.
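A pre-build check for the rule above, as an added example that is not part of the project's code: it decodes the claims of the key destined for VITE_SUPABASE_PUBLISHABLE_KEY and rejects anything other than the anon key, such as Supabase's privileged `service_role` key. It assumes the key is a JWT like the example value on this page and that its `ref` claim carries the project ID, as in that example; the function names and sample tokens are constructed for illustration.

```javascript
// Added example, not project code: confirm that the value destined for
// VITE_SUPABASE_PUBLISHABLE_KEY is the browser-safe anon key.
// Assumes the key is a JWT, like the example value on this page.

function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  // The payload is base64url-encoded JSON. The signature is not verified,
  // because only the claims are being inspected.
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (claims === null || typeof claims !== "object") {
    throw new Error("payload is not a JSON object");
  }
  return claims;
}

function checkPublishableKey(key, projectId) {
  let claims;
  try {
    claims = decodeJwtPayload(key);
  } catch (err) {
    return [`key is not a decodable JWT: ${err.message}`];
  }
  const problems = [];
  if (claims.role !== "anon") {
    problems.push(`role claim is "${claims.role}", expected "anon"`);
  }
  if (claims.ref !== projectId) {
    problems.push(`ref claim "${claims.ref}" does not match VITE_SUPABASE_PROJECT_ID`);
  }
  return problems;
}

// Constructed sample tokens (unsigned placeholders, not real keys).
function makeSampleKey(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.example`;
}
const sampleProjectId = "vbuwctubivhffkvhqwpp";
const anonKey = makeSampleKey({ iss: "supabase", ref: sampleProjectId, role: "anon" });
const serviceKey = makeSampleKey({ iss: "supabase", ref: sampleProjectId, role: "service_role" });

console.log(checkPublishableKey(anonKey, sampleProjectId));
console.log(checkPublishableKey(serviceKey, sampleProjectId));
```

An empty array means the key can go into the bundle; any entry should fail the build.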
The redirect URI must be an exact match in Zitadel. This prevents authorization code interception attacks.
Always use:
  • https:// in production (except for internal VPN addresses)
  • Exact protocol, host, port, and path matches
  • No wildcards in redirect URIs
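The redirect URI rules above, together with the no-trailing-slash rule for the issuer URL, written as a lint step; this is an added example and not part of the project's code. `registeredUris` is a hypothetical input holding the redirect URIs entered in the Zitadel application, and treating localhost and the VITE_INTERNAL_HOST value as the only hosts allowed plain http:// is an assumption about what counts as an internal VPN address.

```javascript
// Added example, not project code: lint the Zitadel-related values before a build.
// `registeredUris` (hypothetical input) lists the redirect URIs configured in
// the Zitadel application, copied exactly.

function checkOidcConfig(env, registeredUris) {
  const problems = [];
  const issuer = env.VITE_ZITADEL_ISSUER_URL || "";
  const redirect = env.VITE_ZITADEL_REDIRECT_URI || "";
  const internalHost = env.VITE_INTERNAL_HOST || "";

  if (issuer.endsWith("/")) problems.push("issuer URL has a trailing slash");
  if (redirect.includes("*")) problems.push("redirect URI contains a wildcard");

  let url;
  try {
    url = new URL(redirect);
  } catch {
    return problems.concat("redirect URI is not an absolute URL");
  }

  // Assumption: plain http:// is tolerated only for localhost (development)
  // and for the VPN address named in VITE_INTERNAL_HOST.
  const httpAllowed = url.hostname === "localhost" || url.hostname === internalHost;
  if (url.protocol !== "https:" && !(url.protocol === "http:" && httpAllowed)) {
    problems.push(`redirect URI must use https:// for host ${url.hostname}`);
  }

  // Compare the raw strings: protocol, host, port and path must all be
  // identical to a registered entry, with no normalisation applied.
  if (!registeredUris.includes(redirect)) {
    problems.push("redirect URI is not registered in Zitadel exactly as written");
  }
  return problems;
}

// Constructed sample: the production values from this page, then a broken variant.
const prodEnv = {
  VITE_ZITADEL_ISSUER_URL: "https://manager.kappa4.com",
  VITE_ZITADEL_REDIRECT_URI: "http://100.64.1.10:8080/auth/callback",
  VITE_INTERNAL_HOST: "100.64.1.10",
};
const registeredUris = ["http://100.64.1.10:8080/auth/callback"];
const brokenEnv = {
  ...prodEnv,
  VITE_ZITADEL_ISSUER_URL: "https://manager.kappa4.com/",
  VITE_ZITADEL_REDIRECT_URI: "http://vault.internal.company.com/auth/callback",
};
console.log(checkOidcConfig(prodEnv, registeredUris));
console.log(checkOidcConfig(brokenEnv, registeredUris));
```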

Troubleshooting

If your environment variables aren’t being applied:
  1. Ensure you’ve created a .env file (not just .env.example)
  2. Rebuild the application: npm run build
  3. Restart the development server: npm run dev
  4. Check that variables are prefixed with VITE_
  5. Verify there are no syntax errors in the .env file
If you can’t connect to Supabase:
  1. Verify project ID matches your Supabase project
  2. Check that the anon key hasn’t been rotated
  3. Ensure the URL includes https:// and .supabase.co
  4. Test the URL in your browser to verify it’s accessible
  5. Check Supabase project status in the dashboard
If authentication with Zitadel doesn’t work:
  1. Verify issuer URL is accessible from your browser
  2. Check that client ID exactly matches Zitadel application
  3. Ensure redirect URI is added to allowed URIs in Zitadel
  4. Verify redirect URI matches exactly (protocol, host, port, path)
  5. Check browser console for OIDC error messages
If network isolation isn’t working:
  1. Verify VITE_NETWORK_MODE is set to internal
  2. Check that VITE_INTERNAL_HOST matches your VPN IP
  3. Ensure you’re connected to the VPN: netbird status
  4. Rebuild the application after changing variables
  5. Test access from both inside and outside VPN

Next Steps

Database Setup

Configure and migrate your Supabase database

Network Configuration

Set up VPN-only access with Netbird

Zitadel OIDC

Configure Zitadel authentication

Self-Hosted Deployment

Complete deployment guide
