Skip to main content
The platform requires environment variables for two external services: Supabase (database and authentication) and Cloudflare R2 (file storage). All variables are defined in a .env.local file at the project root.
Never commit .env.local to version control. The .gitignore already excludes it. Never hardcode secrets in source files.

Create your .env.local file

.env.local
# Supabase — use PUBLISHABLE_KEY (newer) OR ANON_KEY (legacy), not both
NEXT_PUBLIC_SUPABASE_URL=https://your-project-id.supabase.co
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=your-supabase-publishable-key
# NEXT_PUBLIC_SUPABASE_ANON_KEY=your-supabase-anon-key  # legacy fallback

# Cloudflare R2
R2_ENDPOINT=https://your-account-id.r2.cloudflarestorage.com
R2_ACCESS_KEY_ID=your-r2-access-key-id
R2_SECRET_ACCESS_KEY=your-r2-secret-access-key
R2_BUCKET_NAME=your-bucket-name
R2_BUCKET_PREFIX=uploads/

Supabase variables

NEXT_PUBLIC_SUPABASE_URL
string
required
Your Supabase project URL. Found in the Supabase dashboard under Settings → API → Project URL.Example: https://abcdefghijklmnop.supabase.coThis is a public variable (prefixed NEXT_PUBLIC_) and is safe to expose in the browser.
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY
string
Your Supabase publishable key (the newer variable name introduced in recent Supabase SDK versions). Found in the Supabase dashboard under Settings → API → Project API Keys.The codebase checks for this variable first, falling back to NEXT_PUBLIC_SUPABASE_ANON_KEY if not set. Use whichever key name your Supabase project provides.
NEXT_PUBLIC_SUPABASE_ANON_KEY
string
Your Supabase anonymous (public) key (the legacy variable name, still fully supported). Found in the Supabase dashboard under Settings → API → Project API Keys → anon public.This is a public variable. It is safe to expose in the browser — access is governed by Row Level Security policies. Use this if your project does not have NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY.
You only need one of NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY or NEXT_PUBLIC_SUPABASE_ANON_KEY. The client checks NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY first, then falls back to NEXT_PUBLIC_SUPABASE_ANON_KEY.

Cloudflare R2 variables

All R2 variables are server-only (no NEXT_PUBLIC_ prefix) and are never sent to the browser.
R2_ENDPOINT
string
required
Your Cloudflare R2 bucket endpoint URL. Found in the Cloudflare dashboard under R2 → your bucket → Settings → S3 API.Format: https://<ACCOUNT_ID>.r2.cloudflarestorage.com
R2_ACCESS_KEY_ID
string
required
R2 access key ID. Generate in the Cloudflare dashboard under R2 → Manage R2 API Tokens → Create API Token.Select Object Read & Write permissions scoped to your bucket.
R2_SECRET_ACCESS_KEY
string
required
R2 secret access key. Generated alongside R2_ACCESS_KEY_ID. Only shown once — store it securely.
R2_BUCKET_NAME
string
required
The name of your R2 bucket where uploaded files are stored.Example: rajat-mahotsav-uploads
R2_BUCKET_PREFIX
string
required
A path prefix prepended to all uploaded file keys. Used to organize uploads within the bucket.Example: uploads/ or seva/Include the trailing slash.

How variables are used

VariableUsed inPurpose
NEXT_PUBLIC_SUPABASE_URLClient & ServerSupabase project connection
NEXT_PUBLIC_SUPABASE_ANON_KEYClient & ServerSupabase authentication
R2_ENDPOINTAPI routes onlyR2 S3-compatible endpoint
R2_ACCESS_KEY_IDAPI routes onlyR2 authentication
R2_SECRET_ACCESS_KEYAPI routes onlyR2 authentication
R2_BUCKET_NAMEAPI routes onlyUpload target bucket
R2_BUCKET_PREFIXAPI routes onlyUpload key organization
R2 variables are only accessed in Next.js API routes (app/api/). They are never included in the client-side bundle.

Vercel deployment

When deploying to Vercel, add these variables under Project Settings → Environment Variables. Set them for the Production, Preview, and Development environments as needed.
For preview deployments, you can use a separate Supabase project or a different R2 bucket to avoid polluting production data.

Build docs developers (and LLMs) love

Get started for freeTalk to us