Skip to main content
Highway requires several environment variables for both backend and frontend to function properly.

Backend Environment Variables

Create a .env file in the highway-backend directory:

Required Variables

OPENAI_API_KEY
string
required
Your OpenAI API key for accessing the Realtime API.Get your key from: OpenAI API Keys
PORT
number
required
Port number for the Express server.Default: 3000Example: PORT=3000
TWILIO_ACCOUNT_SID
string
required
Your Twilio Account SID for making phone calls.Find this in: Twilio Console
TWILIO_AUTH_TOKEN
string
required
Your Twilio Auth Token for authenticating API requests.Find this in: Twilio Console
TWILIO_PHONE_NUMBER
string
required
Your Twilio phone number in E.164 format (e.g., +1234567890).Must be a verified Twilio number that can make outbound calls.

Backend .env Example

.env
# OpenAI Configuration
OPENAI_API_KEY=sk-proj-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Server Configuration
PORT=3000

# Twilio Configuration
TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_AUTH_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_PHONE_NUMBER=+1234567890

Frontend Environment Variables

Create a .env.local file in the highway-frontend directory:

Required Variables

NEXT_PUBLIC_SUPABASE_URL
string
required
Your Supabase project URL.Find this in: Supabase Dashboard → Project Settings → APIFormat: https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY
string
required
Your Supabase anonymous (public) key.Find this in: Supabase Dashboard → Project Settings → APIThis key is safe to use in the browser.

Frontend .env.local Example

.env.local
# Supabase Configuration
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Next.js requires environment variables used in the browser to be prefixed with NEXT_PUBLIC_.

Configuration File Reference

The backend config.js loads and exports environment variables:
config.js
const dotenv = require("dotenv");
dotenv.config();

module.exports = {
  OPENAI_API_KEY: process.env.OPENAI_API_KEY,
  PORT: process.env.PORT,
  VOICE: "shimmer",
  SYSTEM_MESSAGE: "You are a cheerful phone assistant...",
  TWILIO_ACCOUNT_SID: process.env.TWILIO_ACCOUNT_SID,
  TWILIO_AUTH_TOKEN: process.env.TWILIO_AUTH_TOKEN,
  TWILIO_PHONE_NUMBER: process.env.TWILIO_PHONE_NUMBER,
};

Additional Configuration Options

These are hardcoded in config.js but can be customized: VOICE: OpenAI voice model
  • Options: alloy, echo, fable, onyx, nova, shimmer
  • Default: shimmer
SYSTEM_MESSAGE: AI assistant instructions
  • Customize the behavior of the voice assistant
  • Default: Cheerful phone assistant for Olive Financial
LOG_EVENT_TYPES: WebSocket events to log
  • Controls which OpenAI Realtime API events are logged
  • See Backend Setup for full list

Security Best Practices

Never commit .env files to version control. Add them to .gitignore.

.gitignore Setup

Ensure your .gitignore includes:
.gitignore
# Environment variables
.env
.env.local
.env.*.local
.env.production
.env.development

Key Security Guidelines

1

Keep secrets secret

  • Never expose API keys in client-side code
  • Don’t log sensitive environment variables
  • Use different keys for development and production
2

Use appropriate key types

  • Backend: Use secret keys (never exposed to browser)
  • Frontend: Only use public/anonymous keys with proper Row Level Security (RLS)
3

Rotate keys regularly

  • Change API keys periodically
  • Immediately rotate if keys are compromised
  • Keep backup keys ready for seamless rotation
4

Limit key permissions

  • Use API keys with minimal required permissions
  • Enable Supabase RLS policies
  • Restrict Twilio number capabilities

Environment-Specific Configuration

Development

# Use localhost URLs
PORT=3000
NEXT_PUBLIC_BACKEND_URL=http://localhost:3000

# Use test/development API keys
OPENAI_API_KEY=sk-proj-test-...
TWILIO_PHONE_NUMBER=+15005550006  # Twilio test number

Production

# Use production URLs
PORT=8080
NEXT_PUBLIC_BACKEND_URL=https://api.yourdomain.com

# Use production API keys
OPENAI_API_KEY=sk-proj-prod-...
TWILIO_PHONE_NUMBER=+1234567890  # Real Twilio number

Supabase Setup

Highway uses Supabase for storing call logs:
1

Create Supabase project

  1. Go to Supabase Dashboard
  2. Click “New Project”
  3. Choose organization and name your project
  4. Save your database password securely
2

Get API credentials

  1. Go to Project Settings → API
  2. Copy the Project URL
  3. Copy the anon public key
  4. Add both to your .env.local file
3

Create calls table

Run this SQL in the Supabase SQL Editor:
CREATE TABLE calls (
  id BIGSERIAL PRIMARY KEY,
  verification INTEGER NOT NULL,
  status TEXT NOT NULL,
  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);

-- Enable Row Level Security
ALTER TABLE calls ENABLE ROW LEVEL SECURITY;

-- Create policy for anonymous access (adjust as needed)
CREATE POLICY "Enable read access for all users" ON calls
  FOR SELECT USING (true);

CREATE POLICY "Enable insert access for all users" ON calls
  FOR INSERT WITH CHECK (true);
4

Configure RLS policies

Adjust the policies above based on your security requirements.For production, consider adding authentication and restricting access.
The example Supabase credentials in the source code are for demonstration only. Always use your own Supabase project.

Verification

Verify your environment variables are loaded correctly:

Backend Verification

cd highway-backend
node -e "require('dotenv').config(); console.log('PORT:', process.env.PORT);"

Frontend Verification

cd highway-frontend
echo $NEXT_PUBLIC_SUPABASE_URL

Runtime Verification

Add temporary logging to check variables are loaded: 
// Backend (index.js)
console.log('Loaded PORT:', PORT);

// Frontend (browser console)
console.log('Backend URL:', process.env.NEXT_PUBLIC_BACKEND_URL);
Remove debug logging before deploying to production to avoid exposing sensitive data.

Troubleshooting

Variables not loading?
  • Check file name is exactly .env (backend) or .env.local (frontend)
  • Ensure file is in the correct directory
  • Restart your dev server after changing .env files
  • Verify no typos in variable names
Supabase connection issues?
  • Verify URL and key are correct
  • Check Supabase project is not paused
  • Ensure RLS policies allow your operations
  • Test connection in Supabase SQL editor
Twilio errors?
  • Verify Account SID and Auth Token are correct
  • Ensure phone number is in E.164 format
  • Check Twilio number is capable of making voice calls
  • Verify you have sufficient Twilio credits

Next Steps

Backend Setup

Complete backend server setup

Deployment

Deploy to production with environment variables

Build docs developers (and LLMs) love

Get started for freeTalk to us