> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nudgra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Environment variables

> Configure Nudgra OSS environment variables for local development and production.

Nudgra OSS reads environment variables from `.env` locally and from the `app.environment` section in `docker-compose.yml` in the recommended production setup.

## Local baseline

Copy `.env.example` to `.env`, then start from this local shape:

```env theme={null}
DATABASE_URL=postgres://nudgra:nudgra@localhost:5432/nudgra
DATABASE_POOL_MAX=10
DATABASE_SSL=false

SITE_URL=http://localhost:3000
BETTER_AUTH_URL=http://localhost:3000
BETTER_AUTH_SECRET=replace-with-a-random-secret
TOKEN_ENCRYPTION_KEY=replace-with-another-random-secret
TRUSTED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000

OPERATOR_EMAIL_ALLOWLIST=you@example.com
DEFAULT_WORKSPACE_TIMEZONE=UTC

GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=

META_APP_ID=
META_APP_SECRET=
META_VERIFY_TOKEN=
META_GRAPH_API_VERSION=v23.0
```

## Production baseline

In production, these values must match your public domain:

```env theme={null}
SITE_URL=https://your-domain.com
BETTER_AUTH_URL=https://your-domain.com
TRUSTED_ORIGINS=https://your-domain.com
OPERATOR_EMAIL_ALLOWLIST=you@example.com
```

Set the Google and Meta values after you configure [Google OAuth](/shared/google-oauth) and [Meta / Instagram setup](/shared/meta-instagram-setup).

```env theme={null}
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
META_APP_ID=your-instagram-app-id
META_APP_SECRET=your-instagram-app-secret
META_VERIFY_TOKEN=your-generated-webhook-verify-token
```

## Secret values

Generate `BETTER_AUTH_SECRET`, `TOKEN_ENCRYPTION_KEY`, and `META_VERIFY_TOKEN` with OpenSSL:

```bash theme={null}
openssl rand -base64 32
openssl rand -hex 32
```

Or generate them with Node:

```bash theme={null}
node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))"
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
```

<Warning>
  Do not rotate `BETTER_AUTH_SECRET` or `TOKEN_ENCRYPTION_KEY` after real users or Instagram accounts are connected. Stored OAuth and Instagram tokens depend on those secrets.
</Warning>

## Operator access

Use `OPERATOR_EMAIL_ALLOWLIST` to limit who can sign in to the dashboard:

```env theme={null}
OPERATOR_EMAIL_ALLOWLIST=operator@example.com,backup@example.com
```

The source app also supports `NUDGRA_ALLOWED_EMAILS` as a backwards-compatible alias. Prefer `OPERATOR_EMAIL_ALLOWLIST` in new deployments.

## Postgres and jobs

The recommended Docker Compose deployment sets the app database URL to the internal Postgres service:

```env theme={null}
DATABASE_URL=postgres://nudgra:nudgra@postgres:5432/nudgra
```

For production, change the Postgres password in `docker-compose.yml` and update `DATABASE_URL` to match.

pg-boss uses the `PG_BOSS_SCHEMA` schema, which defaults to `pgboss`.
