Inventario uses environment variables for configuration. Variables are loaded from a .env file in development or set directly in your hosting platform for production.
Required Variables
These variables must be set for production deployments.
SECRET_KEY
Type: String
Required: Yes
Django’s secret key for cryptographic signing. Used for sessions, CSRF tokens, password reset tokens, etc.
SECRET_KEY=your-secret-key-here
Generate a strong random key for production:
python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
Never commit this to version control or share it publicly.
Default: django-insecure-641xw29uuar#$5&nj!kxjozc+#2#=f6s+4lmziq&_8hnh$#@6$ (insecure, development only)
DATABASE_URL
Type: Database URL
Required: Yes (for production)
PostgreSQL database connection string in URL format.
DATABASE_URL=postgresql://user:password@host:port/dbname
Default: SQLite database at db.sqlite3 (development only)
Parsed by dj-database-url with persistent connections enabled (conn_max_age=600, so a connection is reused for up to 600 seconds).
ALLOWED_HOSTS
Type: Comma-separated list
Required: Yes (for production)
Domains that Django will serve.
ALLOWED_HOSTS=myapp.railway.app,www.example.com
The default * (all hosts) is insecure for production. Always specify exact domains.
Default: *
CSRF_TRUSTED_ORIGINS
Type: Comma-separated URLs
Required: Yes (for production with HTTPS)
Trusted origins for CSRF protection.
CSRF_TRUSTED_ORIGINS=https://myapp.railway.app,https://www.example.com
Format: Must include full URL with protocol (https://)
Default: http://127.0.0.1:8000
Authentication Variables
Google OAuth
Required for Google Sign-In functionality.
GOOGLE_CLIENT_ID
Type: String
Required: If using Google OAuth
Google OAuth 2.0 client ID from Google Cloud Console.
GOOGLE_CLIENT_ID=123456789-abcdefg.apps.googleusercontent.com
Default: Empty string (Google OAuth disabled)
GOOGLE_CLIENT_SECRET
Type: String
Required: If using Google OAuth
Google OAuth 2.0 client secret.
GOOGLE_CLIENT_SECRET=your-client-secret
Keep this secret secure. Never commit to version control.
Default: Empty string
Configuration in settings.py:
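import os

# Google provider settings for django-allauth; credentials come from the environment.
SOCIALACCOUNT_PROVIDERS = {
    'google': {
        'SCOPE': ['profile', 'email'],
        'AUTH_PARAMS': {'access_type': 'online'},
        'VERIFIED_EMAIL': True,
        'APP': {
            # Empty strings leave Google OAuth disabled.
            'client_id': os.environ.get('GOOGLE_CLIENT_ID', ''),
            'secret': os.environ.get('GOOGLE_CLIENT_SECRET', ''),
            'key': ''
        }
    }
}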
Email Configuration
RESEND_API_KEY
Type: String
Required: If sending emails
API key for Resend email service.
RESEND_API_KEY=re_1234567890abcdef
Default: Empty string (email disabled)
DEFAULT_FROM_EMAIL
Type: Email address
Required: If sending emails
Default sender email address.
Default: None
Inventario previously used SMTP (Gmail) but has migrated to Resend. The SMTP configuration is commented out in settings.py:
EMAIL_HOST_USER
EMAIL_HOST_PASSWORD
AI Integration
OPENAI_API_KEY
Type: String
Required: If using AI features
OpenAI API key for AI-powered features (likely used in reporting or analytics).
OPENAI_API_KEY=sk-proj-...
Secure this key carefully. OpenAI API calls are billed according to usage.
Default: Empty string (AI features disabled)
SMS Integration (Twilio)
Required for SMS notifications or two-factor authentication.
TWILIO_ACCOUNT_SID
Type: String
Required: If using Twilio SMS
Twilio account identifier.
TWILIO_ACCOUNT_SID=AC1234567890abcdef
Default: Empty string (Twilio disabled)
TWILIO_AUTH_TOKEN
Type: String
Required: If using Twilio SMS
Twilio authentication token.
TWILIO_AUTH_TOKEN=your-auth-token
Keep this token secure. It provides full access to your Twilio account.
Default: Empty string
TWILIO_PHONE_NUMBER
Type: Phone number
Required: If using Twilio SMS
Twilio phone number for sending SMS (E.164 format).
TWILIO_PHONE_NUMBER=+18646688262
Default: Empty string
Application Behavior
DEBUG
Type: Boolean string
Required: No
Enables Django debug mode.
Values:
True - Enable debug mode (development)
False - Disable debug mode (production)
Always set DEBUG=False in production. Debug mode exposes sensitive information and disables security features.
Default: False
Side effects when DEBUG=True:
- SESSION_COOKIE_SECURE is disabled
- CSRF_COOKIE_SECURE is disabled
- Detailed error pages are shown
- Static files are served by Django (not WhiteNoise)
Development vs Production
Development .env Example
# Development configuration
DEBUG=True
SECRET_KEY=django-insecure-641xw29uuar#$5&nj!kxjozc+#2#=f6s+4lmziq&_8hnh$#@6$
ALLOWED_HOSTS=*
CSRF_TRUSTED_ORIGINS=http://127.0.0.1:8000
# Database (SQLite default)
# DATABASE_URL not needed for SQLite
# Optional services for testing
GOOGLE_CLIENT_ID=your-dev-client-id
GOOGLE_CLIENT_SECRET=your-dev-client-secret
RESEND_API_KEY=re_dev_key
DEFAULT_FROM_EMAIL=dev@localhost
Production Environment Variables
# Production configuration
DEBUG=False
SECRET_KEY=<generated-secret-key>
ALLOWED_HOSTS=myapp.railway.app
CSRF_TRUSTED_ORIGINS=https://myapp.railway.app
# Database
DATABASE_URL=postgresql://user:pass@host:5432/inventario
# Google OAuth
GOOGLE_CLIENT_ID=123456789-abc.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=<secret>
# Email
RESEND_API_KEY=re_prod_key
DEFAULT_FROM_EMAIL=[email protected]
# Optional: AI features
OPENAI_API_KEY=sk-proj-...
# Optional: SMS
TWILIO_ACCOUNT_SID=AC...
TWILIO_AUTH_TOKEN=<token>
TWILIO_PHONE_NUMBER=+1234567890
Security Notes
Never commit .env files or expose environment variables containing:
SECRET_KEY
DATABASE_URL
GOOGLE_CLIENT_SECRET
RESEND_API_KEY
OPENAI_API_KEY
TWILIO_AUTH_TOKEN
EMAIL_HOST_PASSWORD
Add .env to .gitignore to prevent accidental commits.
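A check that could run before a commit, shown here as an added example rather than Inventario's own code: it confirms .gitignore lists .env and scans file text for real-looking assignments to the variables listed above. The function names, the placeholder heuristic and the sample text are assumptions made for illustration.

```python
import re

# The variables this page lists as never to be committed or exposed.
SENSITIVE = (
    "SECRET_KEY", "DATABASE_URL", "GOOGLE_CLIENT_SECRET", "RESEND_API_KEY",
    "OPENAI_API_KEY", "TWILIO_AUTH_TOKEN", "EMAIL_HOST_PASSWORD",
)
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(" + "|".join(SENSITIVE) + r")\s*=\s*(.*?)\s*$"
)

def is_placeholder(value):
    """Heuristic (assumption): empty, <angle-bracket>, your-..., elided, or an env lookup."""
    value = value.strip("'\"")
    return (not value or value.startswith(("<", "your-"))
            or value.endswith("...") or "environ" in value)

def gitignore_covers_env(gitignore_text):
    """True if a plain pattern matching a top-level .env is listed (negations not evaluated)."""
    patterns = {line.strip() for line in gitignore_text.splitlines()}
    return bool(patterns & {".env", "/.env", ".env*"})

def find_committed_secrets(path, text):
    """Return (path, line number, variable) per real-looking assignment; values are never echoed."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)  # lines starting with '#' never match
        if match and not is_placeholder(match.group(2)):
            hits.append((path, number, match.group(1)))
    return hits

# Constructed sample file content; none of these values are real credentials.
SAMPLE = """# Constructed sample
DEBUG=False
SECRET_KEY=<generated-secret-key>
RESEND_API_KEY=re_constructed_sample_value
OPENAI_API_KEY=sk-proj-...
export TWILIO_AUTH_TOKEN="constructed-sample-token"
"""

if __name__ == "__main__":
    for path, number, variable in find_committed_secrets("sample.env", SAMPLE):
        print(f"{path}:{number}: {variable} has a literal value")
```

The report carries only the file, line number and variable name, so running it in CI does not copy the secret into build logs.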
Loading Environment Variables
Inventario uses python-dotenv to load variables from .env:
from pathlib import Path

from dotenv import load_dotenv

# Project root: two levels up from settings.py
BASE_DIR = Path(__file__).resolve().parent.parent
load_dotenv(BASE_DIR / ".env")
Priority:
- System environment variables (highest priority)
- Variables from .env file
- Default values in code (lowest priority)
Verification
To verify environment variables are loaded correctly, run the following in a Django shell (python manage.py shell):
from django.conf import settings
# Check critical settings
print(f"DEBUG: {settings.DEBUG}")
print(f"ALLOWED_HOSTS: {settings.ALLOWED_HOSTS}")
print(f"DATABASE: {settings.DATABASES['default']['ENGINE']}")
print(f"SECRET_KEY set: {bool(settings.SECRET_KEY)}")
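The check above only shows that values are present; a preflight that fails on the development defaults documented on this page is sketched below as an added example, not Inventario's own code. The function name, the rule for reading DEBUG and the sample mappings are assumptions.

```python
from urllib.parse import urlsplit

def split_csv(value):
    """Split a comma-separated variable into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_production_env(env):
    """Return (variable, problem) findings for a production environment mapping."""
    findings = []
    # How settings.py parses DEBUG is not shown on the page (assumption):
    # anything other than an explicit "False" is treated as suspect.
    if env.get("DEBUG", "False").strip().lower() != "false":
        findings.append(("DEBUG", "debug mode may be enabled"))

    key = env.get("SECRET_KEY", "")
    if not key or key.startswith("django-insecure-") or key == "your-secret-key-here":
        findings.append(("SECRET_KEY", "unset, development default or placeholder"))

    hosts = split_csv(env.get("ALLOWED_HOSTS", "*"))
    if not hosts or "*" in hosts:
        findings.append(("ALLOWED_HOSTS", "wildcard accepts any Host header"))

    origins = split_csv(env.get("CSRF_TRUSTED_ORIGINS", "http://127.0.0.1:8000"))
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.hostname:
            findings.append(("CSRF_TRUSTED_ORIGINS", f"not an https origin: {origin}"))

    if urlsplit(env.get("DATABASE_URL", "")).scheme not in ("postgres", "postgresql"):
        findings.append(("DATABASE_URL", "unset or not PostgreSQL (SQLite fallback)"))
    return findings

# Constructed inputs modelled on the development and production examples above.
DEV_ENV = {
    "DEBUG": "True",
    "SECRET_KEY": "django-insecure-constructed-sample",
    "ALLOWED_HOSTS": "*",
    "CSRF_TRUSTED_ORIGINS": "http://127.0.0.1:8000",
}
PROD_ENV = {
    "DEBUG": "False",
    "SECRET_KEY": "constructed-sample-not-a-real-key",
    "ALLOWED_HOSTS": "myapp.railway.app",
    "CSRF_TRUSTED_ORIGINS": "https://myapp.railway.app",
    "DATABASE_URL": "postgresql://user:pass@host:5432/inventario",
}

if __name__ == "__main__":
    for variable, problem in audit_production_env(DEV_ENV):
        print(f"{variable}: {problem}")
```

Pass `os.environ` as the mapping in a deploy step and fail the release on any finding; Django's built-in `python manage.py check --deploy` covers complementary settings-level checks.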