Environment variables
Set production values, secrets, defaults, consumers, and change effects.
Store production values in an uncommitted deployment secret source. Validate interpolation without printing the resolved configuration:
docker compose -f docker-compose.prod.yaml config --quiet
Access
Reading or changing these values requires deployment-secret and Compose administration.
Required values
| Value | Consumers and effect |
|---|---|
POSTGRES_PASSWORD |
Initializes Postgres and derives the default connection URL for migration, Core API, Delivery API, and Worker |
REDIS_PASSWORD |
Redis, Core API, Delivery API, and Worker must change together |
BETTER_AUTH_SECRET |
Core API and Delivery API must share it; a change can invalidate authentication material |
IMAGOR_SECRET |
Core API, Delivery API, and Image service must share it; old signed image URLs stop validating |
MINIO_ROOT_USER, MINIO_ROOT_PASSWORD |
Object-store administrator credentials shared by object setup, Core API, Worker, and Image service |
CORE_API_PUBLIC_URL |
Core API runtime value and Admin build input |
DELIVERY_API_PUBLIC_URL |
Admin build input |
ADMIN_APP_PUBLIC_URL |
Core trusted origin and auth/preview Admin origin |
IMAGOR_PUBLIC_URL |
Core API and Delivery API signed-image base URL |
S3_PUBLIC_URL |
Core API and Worker object endpoint; must also be reachable from their containers |
GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET |
Core Google OAuth configuration |
GOOGLE_ALLOWED_DOMAIN |
Core Google Workspace domain policy |
The supported Compose stack does not issue least-privilege S3 credentials per service: Core API, Worker, and Image service receive the MinIO root credentials. Isolate those consumers and rotate all of them with object storage and setup.
All five public URLs must be final HTTPS origins. Changing Core or Delivery URLs requires rebuilding the Admin image. Other consumer changes require recreating or restarting every named consumer.
POSTGRES_PASSWORD remains required for the Postgres container even when DATABASE_URL is explicit.
Optional values
| Value | Default and consumers |
|---|---|
DATABASE_URL |
Derived from POSTGRES_PASSWORD; explicit value is used by migration, Core API, Delivery API, and Worker |
BUCKET_NAME |
jetrepo; used by Core API, Worker, object setup, and Image service |
WEBHOOK_SECRET |
Empty; used by Core for external-user webhook verification when configured |
AUTH_COOKIE_DOMAIN |
Empty, which keeps cookies host-only; used by Core |
RESPONSE_CACHE_TTL |
60000 milliseconds; used by Delivery API |
Database URLs
The default URL inserts POSTGRES_PASSWORD directly into the URL. If a password contains reserved URL characters, set an explicit DATABASE_URL with the password percent-encoded. Also account for shell and Compose interpolation when placing values in your secret source; validate the final configuration locally without publishing it.
Updating POSTGRES_PASSWORD in Compose does not change the password stored for an existing Postgres role in pgdata. A real rotation must coordinate the database role change, the percent-encoded DATABASE_URL, POSTGRES_PASSWORD, and all four connection consumers.
No database credential rotation has been drilled by the project. Test the exact sequence, outage boundary, and return path with restored data before production. If the role password has already changed, rollback means changing it back through Postgres administration or deploying the matching URL—never deleting pgdata.
Rotation limits
No credential rotation in this stack has a repository-backed production drill. Before rotating database, Redis, object-storage, auth, image, Google, or webhook credentials:
- Inventory every consumer in the tables above.
- Prove the service-specific sequence and rollback in an isolated environment.
- Plan for coordinated recreation and downtime where one-value sharing prevents overlap.
- After the change, test sign-in, delivery authorization, queues, uploads, and signed images as applicable.
If no durable service credential changed, restore the prior environment and recreate all affected consumers. Do not restore a known-exposed secret as rollback.