Configuration

Configuration layers

Classify variables by the first runtime that reads them. Keep Docker build, container runtime, and Trigger.dev cloud task runtime separate.

1. Docker build: only GIT_COMMIT_SHA, VERCEL_ENV, PUBLIC_AUTH_PROVIDER, and the optional Infisical BuildKit secret file.
2. Web/API container runtime: site, database, auth, OAuth, email, billing, storage, and public runtime config.
3. Trigger deploy CI: only TRIGGER_ACCESS_TOKEN, TRIGGER_PROJECT_ID, and variables that need to be synced to Trigger.
4. Trigger.dev cloud task runtime: database, S3, AI provider keys, and AI tuning variables.
5. BullMQ runtime: REDIS_URL for a self-hosted persistent worker.

Critical variables

• Docker build: GIT_COMMIT_SHA, VERCEL_ENV, PUBLIC_AUTH_PROVIDER, optional infisical_env BuildKit secret file for build-time/public config only
• Web/API auth: AUTH_SECRET, BETTER_AUTH_SECRET, PUBLIC_CLERK_PUBLISHABLE_KEY, CLERK_SECRET_KEY
• Web/API OAuth: OAUTH_GITHUB_CLIENT_ID, OAUTH_GITHUB_CLIENT_SECRET, OAUTH_GOOGLE_CLIENT_ID, OAUTH_GOOGLE_CLIENT_SECRET, PUBLIC_OAUTH_GOOGLE_CLIENT_ID
• Data: DATABASE_URL
• Queues: TRIGGER_SECRET_KEY for Web/API dispatch to Trigger.dev, TRIGGER_ACCESS_TOKEN for CI task deploy, and REDIS_URL for BullMQ
• Billing: STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, CREEM_API_KEY, CREEM_WEBHOOK_SECRET, PAYMENT_PROVIDER_DEFAULT
• Stripe prices: STRIPE_PRICE_SUB_*, STRIPE_PRICE_CREDITS_* (or use lookup-key fallback via seeded lookup:xxx refs)
• Storage: S3_*, PUBLIC_S3_URL_BASE, BETTER_UPLOAD_PROVIDER
• Site URL and allowed origins: SITE_URL, TRUSTED_ORIGINS

Safety checklist

• Do not store production secrets in plain text files.
• Keep callback URLs aligned with the deployment domain.
• Verify staging and production webhook secrets are isolated.