VulnTrack uses environment variables to configure core services and integrations. Create a .env file in the root directory with the following variables.

Required Variables

These variables must be set for VulnTrack to function properly.
DATABASE_URL
string
required
PostgreSQL database connection string.
Format: postgresql://USER:PASSWORD@HOST:PORT/DATABASE
Example: postgresql://postgres:password@localhost:5432/vulntrack
NEXTAUTH_URL
string
required
The canonical URL of your VulnTrack deployment. Used by NextAuth.js for redirects and callbacks.
Development: http://localhost:3000
Production: https://vulntrack.yourdomain.com
NEXTAUTH_SECRET
string
required
Secret key used to encrypt JWT tokens and session cookies.
Generate using: openssl rand -base64 32
Keep this secret secure. Changing it will invalidate all existing user sessions.
NEXT_PUBLIC_APP_URL
string
required
Public-facing URL used in email templates and client-side redirects.
Development: http://localhost:3000
Production: https://vulntrack.yourdomain.com
Must match NEXTAUTH_URL in most cases.

Email Configuration

Required for sending invitations, password resets, and notifications.
RESEND_API_KEY
string
API key from Resend for email delivery.
Location: Get from Resend Dashboard > API Keys
If not set, emails will be logged to console instead of sent (mock mode).
EMAIL_FROM
string
default:"VulnTrack System <[email protected]>"
Sender email address and display name for outgoing emails.
Format: Display Name <[email protected]>
Example: VulnTrack Security <[email protected]>
The domain must be verified in your Resend account before emails can be sent.

External API Integrations

Optional integrations for CVE data enrichment.
NIST_API_KEY
string
API key for NIST National Vulnerability Database.
Used to fetch CVE data from the official NVD API. Rate limits are higher with an API key.
Register: https://nvd.nist.gov/developers/request-an-api-key
VULNCHECK_API_KEY
string
API key for VulnCheck vulnerability intelligence.
Provides enhanced CVE data, exploitability indicators, and real-time threat intelligence.
Get Started: https://vulncheck.com

Internal Configuration

NODE_ENV
string
default:"development"
Node.js environment mode.
Values:
  • development - Enables debug logging and hot reload
  • production - Optimized build with caching
  • test - For automated testing

Example Configuration

Create a .env file in the root directory:
.env
# Database
DATABASE_URL="postgresql://vulntrack_user:secure_password@localhost:5432/vulntrack"

# NextAuth
NEXTAUTH_URL="http://localhost:3000"
NEXTAUTH_SECRET="your-generated-secret-key-here"

# Application
NEXT_PUBLIC_APP_URL="http://localhost:3000"

# Email (Optional)
RESEND_API_KEY="re_your_api_key_here"
EMAIL_FROM="VulnTrack <[email protected]>"

# External APIs (Optional)
NIST_API_KEY="your-nist-api-key"
VULNCHECK_API_KEY="your-vulncheck-api-key"

Production Checklist

Before deploying to production:
1. Generate secure secrets
   Use openssl rand -base64 32 to generate a strong NEXTAUTH_SECRET.

2. Update URLs
   Set NEXTAUTH_URL and NEXT_PUBLIC_APP_URL to your production domain.

3. Configure email
   Add RESEND_API_KEY and verify your sender domain in Resend.

4. Secure database
   Use a managed PostgreSQL instance with SSL enabled and strong credentials.

5. Environment isolation
   Never commit .env files to version control. Use platform-specific secret management.

Security Note: Never expose NEXTAUTH_SECRET, RESEND_API_KEY, or database credentials in client-side code or public repositories.
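
The checklist above can be run as a pre-deploy check. The following is an added example, not part of VulnTrack: parseEnv, checkEnv, tryUrl, PLACEHOLDERS and the sample values are hypothetical, and reading SSL from an sslmode query parameter is an assumption about how the database connection is configured.

```javascript
// Added example, not VulnTrack code: lint parsed .env values against the checklist.
const PLACEHOLDERS = ["your-generated-secret-key-here", "secure_password", "password"];

// Minimal KEY="value" parser; comment and blank lines do not match and are skipped.
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*"?(.*?)"?\s*$/);
    if (m) env[m[1]] = m[2];
  }
  return env;
}

const tryUrl = (v) => { try { return new URL(v); } catch { return null; } };

function checkEnv(env) {
  const findings = [];
  const secret = env.NEXTAUTH_SECRET || "";
  // `openssl rand -base64 32` encodes 32 random bytes; accept nothing shorter.
  if (PLACEHOLDERS.includes(secret) || Buffer.from(secret, "base64").length < 32)
    findings.push("NEXTAUTH_SECRET: placeholder or under 32 bytes");
  for (const key of ["NEXTAUTH_URL", "NEXT_PUBLIC_APP_URL"]) {
    const u = tryUrl(env[key]);
    if (!u || u.protocol !== "https:" || u.hostname === "localhost")
      findings.push(`${key}: not an https production URL`);
  }
  if (env.NEXTAUTH_URL !== env.NEXT_PUBLIC_APP_URL)
    findings.push("NEXTAUTH_URL and NEXT_PUBLIC_APP_URL differ");
  const db = tryUrl(env.DATABASE_URL);
  if (!db || PLACEHOLDERS.includes(db.password))
    findings.push("DATABASE_URL: missing or placeholder password");
  // Assumption: SSL is requested through the libpq-style sslmode parameter.
  if (db && !["require", "verify-ca", "verify-full"].includes(db.searchParams.get("sslmode")))
    findings.push("DATABASE_URL: sslmode does not require SSL");
  if (!env.RESEND_API_KEY)
    findings.push("RESEND_API_KEY: unset, emails are only logged (mock mode)");
  // Next.js inlines NEXT_PUBLIC_* values into the client bundle.
  for (const key of Object.keys(env))
    if (key.startsWith("NEXT_PUBLIC_") && /SECRET|KEY|PASSWORD|DATABASE/.test(key))
      findings.push(`${key}: secret-like name exposed to client-side code`);
  return findings;
}

// Constructed sample: the development values from the example configuration.
const SAMPLE = `NEXTAUTH_URL="http://localhost:3000"
NEXTAUTH_SECRET="your-generated-secret-key-here"
NEXT_PUBLIC_APP_URL="http://localhost:3000"
DATABASE_URL="postgresql://vulntrack_user:secure_password@localhost:5432/vulntrack"`;
console.log(checkEnv(parseEnv(SAMPLE)).join("\n"));
```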
