Environment variables
What every env var does and where it's required.
Secrets live in Doppler (project soma, config prod). The same values are pushed to Vercel via vercel env add. Local dev uses doppler run -- pnpm dev.
Required — app won't start without these
| Var | Purpose |
|---|---|
| DATABASE_URL | Supabase Postgres (session pooler URL, IPv4-compatible) |
| DATABASE_URL_SERVICE_ROLE | Same pooler URL for backend operations (bypass RLS) |
| NEXT_PUBLIC_SUPABASE_URL | Supabase origin (browser client) |
| NEXT_PUBLIC_SUPABASE_ANON_KEY | Supabase publishable key |
| SUPABASE_SERVICE_ROLE_KEY | Supabase secret key (server-side admin) |
| ANTHROPIC_API_KEY | Claude models |
| VOYAGE_API_KEY | Voyage embeddings + rerank |
| INNGEST_EVENT_KEY | Inngest event signing |
| INNGEST_SIGNING_KEY | Inngest webhook signature verification |
| OAUTH_ENCRYPTION_KEY | AES-GCM-256 (base64) — encrypts OAuth tokens at rest |
| TELEGRAM_BOT_TOKEN | grammY bot token |
| TELEGRAM_WEBHOOK_SECRET | Verifies Telegram webhook callers |
| GOOGLE_OAUTH_CLIENT_ID | Google OAuth (Gmail + Calendar data access) |
| GOOGLE_OAUTH_CLIENT_SECRET | Same |
| GMAIL_PUBSUB_TOKEN | Verifies Google Pub/Sub webhook pushes |
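
A startup check for the table above, as an added example (not code from the Soma repository): it reports missing required vars, confirms `OAUTH_ENCRYPTION_KEY` decodes to the 32 bytes AES-256 needs, and flags secret-looking names that carry the `NEXT_PUBLIC_` prefix, which Next.js inlines into the browser bundle. The function names and the `SECRET_WORDS` heuristic are assumptions made for the example.

```typescript
type Env = Record<string, string | undefined>;

// Names copied from the "Required" table on this page.
const REQUIRED = [
  "DATABASE_URL", "DATABASE_URL_SERVICE_ROLE", "NEXT_PUBLIC_SUPABASE_URL",
  "NEXT_PUBLIC_SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY", "ANTHROPIC_API_KEY",
  "VOYAGE_API_KEY", "INNGEST_EVENT_KEY", "INNGEST_SIGNING_KEY", "OAUTH_ENCRYPTION_KEY",
  "TELEGRAM_BOT_TOKEN", "TELEGRAM_WEBHOOK_SECRET", "GOOGLE_OAUTH_CLIENT_ID",
  "GOOGLE_OAUTH_CLIENT_SECRET", "GMAIL_PUBSUB_TOKEN",
];

// Heuristic (assumption): a NEXT_PUBLIC_ name containing one of these words is
// probably a secret that would end up in client-side JavaScript.
const SECRET_WORDS = /SECRET|TOKEN|SERVICE_ROLE|ENCRYPTION|SIGNING|API_KEY/;

// Decoded byte length of a standard (padded) base64 string, or -1 if malformed.
function base64ByteLength(s: string): number {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) return -1;
  const pad = s.endsWith("==") ? 2 : s.endsWith("=") ? 1 : 0;
  return (s.length / 4) * 3 - pad;
}

// Returns a list of problems; an empty list means the environment is usable.
function validateEnv(env: Env): string[] {
  const problems: string[] = [];
  for (const name of REQUIRED) {
    if (!env[name]?.trim()) problems.push(`missing required var: ${name}`);
  }
  // AES-GCM-256 needs a 256-bit key: exactly 32 bytes after base64 decoding.
  const key = env["OAUTH_ENCRYPTION_KEY"]?.trim();
  if (key && base64ByteLength(key) !== 32) {
    problems.push("OAUTH_ENCRYPTION_KEY must be base64 for exactly 32 bytes (AES-256)");
  }
  for (const name of Object.keys(env)) {
    if (name.startsWith("NEXT_PUBLIC_") && SECRET_WORDS.test(name)) {
      problems.push(`secret-looking var exposed to the browser: ${name}`);
    }
  }
  return problems;
}
```

Call `validateEnv(process.env)` once at boot and refuse to start if the returned list is non-empty; log the variable names only, never their values.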
Optional — graceful degradation
These enable features. Missing = no-op.
| Var | Enables |
|---|---|
| LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY, LANGFUSE_BASE_URL | LLM tracing |
| SENTRY_DSN, NEXT_PUBLIC_SENTRY_DSN | Error tracking |
| SENTRY_ORG, SENTRY_PROJECT, SENTRY_AUTH_TOKEN | Source map upload at build time |
| POSTHOG_KEY, NEXT_PUBLIC_POSTHOG_KEY, NEXT_PUBLIC_POSTHOG_HOST | Product analytics |
| AXIOM_TOKEN, AXIOM_DATASET | Log shipping |
| OPENAI_API_KEY | Whisper voice transcription |
| SLACK_OAUTH_CLIENT_ID, SLACK_OAUTH_CLIENT_SECRET | Slack integration |
| DEV_USER_ID | local only — bypass auth during dev. Ignored when NODE_ENV=production. |
Non-secret config
| Var | Default |
|---|---|
| SOMA_SERVICE | soma |
| LOG_LEVEL | info prod, debug dev |
| PORT | 3000 |
| GIT_SHA | (CI-set for Sentry release tagging) |
:::caution
Do not set NODE_ENV in Doppler. Next.js requires development for next dev and production for next build. Letting Next manage it avoids a prerender crash (<Html> should not be imported outside of pages/_document) on /_error fallback pages.
:::
Local development
```bash
doppler setup # pick project=soma, config=prod (for MVP we share prod secrets)
doppler run -- pnpm dev
```

Optionally set DEV_USER_ID=<uuid> to bypass Supabase auth locally. Generate one via pnpm db:seed-dev-user after running pnpm db:setup.