Environment variables & secrets

A single reference of every configuration value the platform reads.

Backend (Encore secrets)

Encore separates secrets (sensitive) from runtime config. Both are declared in code via secret("Name") and supplied per-environment.

Name	Where used	Local source	Production source
`ResendAPIKey`	`email/` service — transactional email	`backend/.secrets.local.cue`	`encore secret set --type prod ResendAPIKey`
`AdminEmail`	`seed/seedAdmin` — initial admin	`.secrets.local.cue`	`encore secret set --type prod AdminEmail`
`AdminPassword`	`seed/seedAdmin` — initial admin password	`.secrets.local.cue`	`encore secret set --type prod AdminPassword`
`WebURL`	`email/` templates — base URL in outgoing email links	`.secrets.local.cue`	`encore secret set --type prod WebURL`

Local file format

cue

// backend/.secrets.local.cue (git-ignored)
ResendAPIKey: "re_..."
AdminEmail: "admin@n2e.local"
AdminPassword: "ChangeMe!2026"
WebURL: "http://localhost:3000"

Listing what's set

bash

encore secret list --env=local
encore secret list --env=production

Frontend (Next.js)

Frontend env vars live in monitoring_dashboard/.env.local for local dev and in the Vercel dashboard for hosted deployments.

Name	Required	Description
`NEXT_PUBLIC_ENVIRONMENT`	yes	`local` / `staging` / `production`. Switches which backend URL the client talks to.
`NEXT_PUBLIC_GOOGLE_MAPS_API_KEY`	no	Browser-exposed Google Maps key for the dispatch map. Leave blank for a watermarked dev map.

About NEXT_PUBLIC_ prefixes

Any variable prefixed with NEXT_PUBLIC_ is bundled into the browser. Never put server-side secrets there. The Google Maps key is fine because it should be domain-restricted in the Google Cloud Console.

Per-environment matrix

	Local	Staging	Production
Backend	`encore run` (port 4000)	Encore Cloud `staging` env	Encore Cloud `production` env
Backend URL	`http://localhost:4000`	`https://staging-<app>.encr.app`	Your custom domain or `https://<app>.encr.app`
Frontend	`bun run dev` (port 3000)	Vercel preview	Vercel production
Frontend env	`.env.local`	Vercel Preview	Vercel Production
`NEXT_PUBLIC_ENVIRONMENT`	`local`	`staging`	`production`
Email delivery	Resend test mode	Resend live	Resend live
Telemetry	local Postgres in Docker	Encore-managed Postgres	Encore-managed Postgres

Rotating a secret

bash

# backend
encore secret set --type prod ResendAPIKey
# the previous value is immediately superseded; no redeploy required

# frontend
# Update the value in Vercel → Settings → Environment Variables
# Click "Redeploy" to pick up the new value

Sanity-checking config

Check	Command
Local secrets present	`cat backend/.secrets.local.cue`
Encore environments configured	`encore env list`
Encore secret list for an env	`encore secret list --env=production`
Frontend env at build time	`vercel env pull .env.local`

If you change a secret value while the backend is running locally, restart encore run for the new value to take effect.

Environment variables & secrets ​

Backend (Encore secrets) ​

Local file format ​

Listing what's set ​

Frontend (Next.js) ​

Per-environment matrix ​

Rotating a secret ​

Sanity-checking config ​