Signet
Sign in

Guide

Environment variables

Copy into .env.local or your host secret manager. Required keys boot the admin login; everything else depends on which features you enable.

Required

Core auth

ACCESS_USERNAMErequired

Admin username on the login form

ACCESS_USERNAME=admin
ACCESS_PASSWORDrequired

Strong password for that account

ACCESS_PASSWORD=your-secure-password
JWT_SECRETrequired

≥32 chars; signs session JWTs

JWT_SECRET=your-super-secret-jwt-key-minimum-32-characters
Generate JWT secret:
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Second factor (one or more)

TOTP or WebAuthn

ACCESS_TOTP_SECREToptional

Base32 string from /totp.

ACCESS_TOTP_SECRET=JBSWY3DPEHPK3PXP
Open TOTP
ACCESS_WEBAUTHN_SECREToptional

JSON from /webauthn (credentialID, Base64 publicKey, rpId, username).

ACCESS_WEBAUTHN_SECRET={"credentialID":"...","publicKey":"...","rpId":"...","username":"..."}
Open WebAuthn

Session & redirects

Optional

JWT_EXPIRES_INoptional

Used when Remember me is checked (e.g. 5m, 12h, 30d; defaults to 30d if unset). If Remember me is unchecked on the login form, the session JWT always expires in one day regardless of this value.

ACCESS_EMAILoptional

Adds email to the JWT for UIs.

[email protected]
ALLOWED_REDIRECT_URLSoptional

Comma-separated callback bases (scheme + host + optional port). Wildcards such as https://*.example.com are supported. The same list is also used to decide which Origin headers may call /api/auth/verify from the browser (HTTPS required in production).

ALLOWED_REDIRECT_URLS=https://app1.test,https://*.dev.local

If omitted, only same-origin relative redirectUrl values are allowed, and verify calls without a matching allowlist may be rejected for cross-site origins.

Integration · verify & redirects

ECDH (encrypted return)

Keys

ECDH_SERVER_PRIVATE_KEYwhen using ECDH

Server PEM for deriving shared secrets.

ECDH_SERVER_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----"…"-----END PRIVATE KEY-----"
Open ECDH
ECDH_SERVER_PUBLIC_KEYdebug

Local PEM convenience only. Production clients should call /api/oauth/public-key.

Advanced · replay protection, issuer, ECDH rotation

These keys are optional. Enable them when you need stricter token hygiene, stable OIDC-style iss / sub, or automated ECDH key rollover backed by Upstash Redis (REST).

Token replay & identity

ENABLE_TOKEN_REPLAY_PROTECTIONoptional

Set to 1 or true to record used JWT jti values in Upstash Redis so the same callback token cannot be posted twice. Requires AUTH_KV_REST_API_URL / AUTH_KV_REST_API_TOKEN (or UPSTASH_REDIS_REST_* / legacy KV_REST_API_* pairs). After verification, the original token is marked used; the new access_token from /api/auth/verify is for your downstream APIs—plan expiry and rotation there separately.

OAUTH_ISSUERoptional

Overrides the iss claim when you want a stable issuer instead of deriving it from the deployment URL.

USER_SUB_SALToptional

Salt for deriving the configured user's sub. If unset, the first 32 characters of JWT_SECRET are used—set an explicit salt when rotating JWT signing keys without changing subject identifiers.

ECDH key rotation (Redis)

ENABLE_KEY_ROTATIONoptional

Set to 1 or true to rotate server ECDH keys using the same Redis credentials as replay protection.

KEY_ROTATION_TTL_SECONDSoptional

Lifetime of a key pair in seconds (default seven days).

KEY_ROTATION_TRANSITION_SECONDSoptional

Overlap window where old and new public keys may both be advertised (default one day).

Ops tips

  • Never commit real env files; use Vercel / platform env UI or sealed CI secrets
  • Rotate JWT_SECRET and all derived sessions when you suspect compromise
  • Separate secrets per environment (preview vs production)
  • Store TOTP Base32 and WebAuthn JSON exports in a password manager, not tickets or chat
  • After changing ACCESS_TOTP_SECRET or WebAuthn JSON, confirm login once on a staging URL before promoting
Environment Variables - Getting Started