Environment Variables
All configuration is done via environment variables in server/.env. Copy server/.env.example to get started.
Core variables
| Variable | Required | Default | Description |
|---|---|---|---|
| PORT | Yes | 3001 | Port the Express server listens on |
| NODE_ENV | Yes | development | Set to production in production |
| VITE_API_URL | Yes | — | Public URL of the API server, used by client at build time |
| BETTER_AUTH_SECRET | Yes | — | Random secret for session signing. Generate: openssl rand -base64 32 |
Stripe variables
| Variable | Required | Description |
|---|---|---|
| STRIPE_SECRET_KEY | No* | Stripe secret key. Required if using payment question type. |
| STRIPE_WEBHOOK_SECRET | No* | Webhook signing secret. Required for payment confirmations. |
*Required if any forms use the Payment question type.
Email variables
| Variable | Required | Description |
|---|---|---|
| RESEND_API_KEY | No | Resend API key for email notifications |
| EMAIL_FROM | No | From address for notification emails |
Example production .env
```bash
# Core
PORT=3001
NODE_ENV=production
VITE_API_URL=https://lygo.yourdomain.com

# Auth
BETTER_AUTH_SECRET=your-64-char-random-string-here

# Stripe (optional)
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...

# Email (optional)
RESEND_API_KEY=re_...
EMAIL_FROM=noreply@yourdomain.com
```
Security notes
- Never commit `.env` to version control
- Rotate `BETTER_AUTH_SECRET` if it's ever exposed — all active sessions will be invalidated
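
A startup check for the variables documented on this page, as an added example that is not part of the project's own code. `validateEnv` is a hypothetical helper, and the 32-character minimum, the placeholder pattern, the Stripe pairing rule and the HTTPS check are assumptions rather than documented behaviour.

```javascript
// Added example: validate the documented variables before the server starts.
// validateEnv and its thresholds are hypothetical, not part of the project.
const REQUIRED = ["PORT", "NODE_ENV", "VITE_API_URL", "BETTER_AUTH_SECRET"];
const SECRETS = ["BETTER_AUTH_SECRET", "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET", "RESEND_API_KEY"];
const PLACEHOLDER = /your-|\.\.\./i; // markers used in the example .env

function validateEnv(env) {
  const problems = [];
  const has = (k) => typeof env[k] === "string" && env[k].trim() !== "";

  for (const key of REQUIRED) {
    if (!has(key)) problems.push(`${key} is required but not set`);
  }
  // Values copied unchanged from the example file are not real secrets.
  for (const key of SECRETS) {
    if (has(key) && PLACEHOLDER.test(env[key])) {
      problems.push(`${key} still holds a placeholder value`);
    }
  }
  // `openssl rand -base64 32` yields 44 characters; assume anything
  // shorter than 32 was not generated that way.
  if (has("BETTER_AUTH_SECRET") && env.BETTER_AUTH_SECRET.length < 32) {
    problems.push("BETTER_AUTH_SECRET is shorter than 32 characters");
  }
  // Assumption: the API key and the webhook signing secret are deployed as a pair.
  if (has("STRIPE_SECRET_KEY") !== has("STRIPE_WEBHOOK_SECRET")) {
    problems.push("STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET must be set together");
  }
  // Assumption: a production API URL is served over TLS.
  if (env.NODE_ENV === "production" && has("VITE_API_URL") &&
      !env.VITE_API_URL.startsWith("https://")) {
    problems.push("VITE_API_URL should use https:// in production");
  }
  return problems;
}

// Constructed sample: the example file deployed without editing the secrets.
const sample = {
  PORT: "3001",
  NODE_ENV: "production",
  VITE_API_URL: "https://lygo.yourdomain.com",
  BETTER_AUTH_SECRET: "your-64-char-random-string-here",
  STRIPE_SECRET_KEY: "sk_live_...",
};
console.log(validateEnv(sample));
```

Calling `validateEnv(process.env)` after the `.env` file is loaded and exiting when the returned list is non-empty keeps a half-configured server from accepting traffic.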