Environment Variables
Environment Variables
This page documents every environment variable used by the eTeamups Platform. A reference file with sensible development defaults is provided at docker.local.env in the repository root. Copy it to .env for local development:
cp docker.local.env .env
Database (MongoDB)
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
MONGODB_URL |
Full MongoDB connection URI used by the application services. Must include credentials, host, port, database name, and authSource. |
mongodb://admin:password123@localhost:27018/eteamups?authSource=admin |
Yes |
MONGODB_URI |
Alias for MONGODB_URL. The MongooseClient checks MONGODB_URL first, then falls back to DATABASE_URL. Some parts of the codebase reference this alias. |
Same as MONGODB_URL |
No |
MONGO_INITDB_ROOT_USERNAME |
Root username for MongoDB initialisation. Used by the Docker container on first start to create the admin user. | admin |
Yes (Docker) |
MONGO_INITDB_ROOT_PASSWORD |
Root password for MongoDB initialisation. Used by the Docker container on first start. | password123 |
Yes (Docker) |
MONGO_INITDB_DATABASE |
Default database created during MongoDB initialisation. | eteamups |
Yes (Docker) |
Notes:
- The local Docker Compose stack maps MongoDB container port
27017to host port27018. Make sure yourMONGODB_URLuses port27018for local development. - In production, use strong credentials and a connection string pointing to your managed MongoDB instance.
Redis
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
REDIS_HOST |
Redis server hostname. | localhost |
Yes |
REDIS_PORT |
Redis server port. | 6379 |
Yes |
REDIS_PASSWORD |
Redis authentication password. Leave empty for local development (no auth). | (empty) | No |
Redis is used by BullMQ for the message queue. The MessageQueue singleton reads REDIS_HOST and REDIS_PORT to configure its connection.
JWT / Authentication Tokens
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
JWT_SECRET |
Secret key used to sign and verify JSON Web Tokens. | your-local-jwt-secret-key-change-this-in-production |
Yes |
JWT_EXPIRY |
Default JWT expiration duration. | 24h |
No |
ACCESS_TOKEN_EXPIRY |
Expiration duration for access tokens. | 15d |
No |
REFRESH_TOKEN_EXPIRY |
Expiration duration for refresh tokens. | 7d |
No |
Notes:
- Always use a strong, unique
JWT_SECRETin production. The local default is intentionally weak and clearly marked. - Token expiry values accept duration strings such as
24h,7d,15m, etc.
Application
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
NODE_ENV |
Application environment. Set to development for local work. Production scripts set this to production. |
development |
Yes |
LOG_LEVEL |
Winston logger level. Accepts debug, info, warn, error. |
debug |
No |
BASE_URL |
Base URL of the frontend application. Used for generating links in emails and other outbound communications. | https://admin.zeswa.dev |
Yes |
API_BASE_URL |
Base URL of the API gateway (Nginx). Used by services that need to reference the external API endpoint. | https://localhost:18443 |
No |
Service Ports
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
AUTH_SERVICE_PORT |
TCP port for the Auth service. | 9000 |
Yes |
PROFILE_SERVICE_PORT |
TCP port for the Profile service. | 9100 |
Yes |
ORGANISATION_SERVICE_PORT |
TCP port for the Organisation service. | 9107 |
Yes |
MEDIA_SERVICE_PORT |
TCP port for the Media service. | 9102 |
Yes |
These variables are referenced in production configurations and Docker setups. The development config files (server.config.dev.ts) hardcode the port values directly, so these variables are primarily used in production and Docker contexts.
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
RESEND_API_KEY |
API key for the Resend email delivery service. | (set in docker.local.env) | Yes (for sending emails) |
EMAIL_FROM |
Default “From” address for outbound emails. | noreply@mail.eteamups.com |
No |
EMAIL_SUBJECT_OTP |
Subject line for OTP emails. | Admin OTP |
No |
EMAIL_HOST |
SMTP host (legacy/alternative email transport). | (empty) | No |
EMAIL_PORT |
SMTP port. | 587 |
No |
EMAIL_USER |
SMTP username. | (empty) | No |
EMAIL_PASS |
SMTP password. | (empty) | No |
Notes:
- The primary email transport uses the Resend API. SMTP variables (
EMAIL_HOST,EMAIL_PORT, etc.) are available for alternative configurations but are not required when using Resend. - For local development, email sending can be skipped or pointed at a service like Mailpit for testing.
CORS
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
CORS_ORIGIN |
Comma-separated list of allowed origins for CORS. | https://localhost:18443,http://localhost:3000 |
Yes |
Multiple origins are specified as a comma-separated string. The default allows both the local Nginx gateway (https://localhost:18443) and a typical frontend dev server (http://localhost:3000).
OpenTelemetry / Observability
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
OPEN_TELEMENTRY |
Enable or disable OpenTelemetry instrumentation. Set to true to activate tracing and log export. |
false |
No |
OTEL_SERVICE_NAME |
Service name reported to the OTLP collector. Used as the service metadata in logs and traces. |
eteamsup-platform-env |
No |
OTEL_EXPORTER_OTLP_ENDPOINT |
Base URL of the OTLP HTTP collector for traces. | http://145.223.18.69:4318 |
No (only when OTEL enabled) |
OTEL_EXPORTER_OTLP_LOGS_ENDPOINT |
URL of the OTLP HTTP collector for logs. Typically the base endpoint with /v1/logs appended. |
http://145.223.18.69:4318/v1/logs |
No (only when OTEL enabled) |
Notes:
- OpenTelemetry is disabled by default for local development. Set
OPEN_TELEMENTRY=trueto enable it. - The platform uses the OpenTelemetry Node.js SDK with auto-instrumentation. Traces and logs are exported via OTLP/HTTP.
- The Winston logger includes an
OpenTelemetryTransportV3that forwards log entries to the configured OTLP logs endpoint. - Instrumentation is bootstrapped in
instrumentation.tsat the project root and inlibs/server/src/tracer.ts.
Authorization (Permit.io)
| Variable | Description | Default (local dev) | Required |
|---|---|---|---|
NEXT_PUBLIC_PERMIT_PDP_URL |
URL of the Permit.io Policy Decision Point (PDP). | https://cloudpdp.api.permit.io |
No |
NEXT_PUBLIC_PERMIT_SDK_KEY |
SDK key for authenticating with the Permit.io service. | (set in docker.local.env) | No |
These variables configure Permit.io for fine-grained authorization decisions. They are optional for basic local development but required if you are working on authorization-related features.
Complete Example
Below is a minimal .env file for local development. All values match the defaults in docker.local.env:
# Database
MONGODB_URL=mongodb://admin:password123@localhost:27018/eteamups?authSource=admin
MONGO_INITDB_ROOT_USERNAME=admin
MONGO_INITDB_ROOT_PASSWORD=password123
MONGO_INITDB_DATABASE=eteamups
# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=
# JWT
JWT_SECRET=your-local-jwt-secret-key-change-this-in-production
JWT_EXPIRY=24h
# Application
NODE_ENV=development
LOG_LEVEL=debug
BASE_URL=https://admin.zeswa.dev
API_BASE_URL=https://localhost:18443
# Service Ports
AUTH_SERVICE_PORT=9000
PROFILE_SERVICE_PORT=9100
ORGANISATION_SERVICE_PORT=9107
MEDIA_SERVICE_PORT=9102
# Email
RESEND_API_KEY=your-resend-api-key
EMAIL_FROM=noreply@mail.eteamups.com
# CORS
CORS_ORIGIN=https://localhost:18443,http://localhost:3000
# OpenTelemetry (disabled by default)
OPEN_TELEMENTRY=false
OTEL_SERVICE_NAME=eteamsup-platform-env
Production Considerations
When deploying to production, ensure the following:
JWT_SECRETis a cryptographically strong random string, unique per environment.MONGO_INITDB_ROOT_PASSWORDandMONGODB_URLuse strong, rotated credentials.REDIS_PASSWORDis set if your Redis instance requires authentication.CORS_ORIGINis restricted to your actual frontend domain(s).NODE_ENVis set toproduction.LOG_LEVELis set toinfoorwarnto reduce log volume.OPEN_TELEMENTRYis set totruewithOTEL_EXPORTER_OTLP_ENDPOINTpointing to your observability backend.- Secrets (
JWT_SECRET,RESEND_API_KEY,NEXT_PUBLIC_PERMIT_SDK_KEY, database passwords) are managed through a secrets manager or environment-specific configuration, not committed to version control.