Environment variables
The Wasp app reads its configuration from app/.env.server (server-side) and app/.env.client (client-side). Both files are git-ignored. Copy the templates and fill in the values:
```sh
cd app
cp .env.server.example .env.server
cp .env.client.example .env.client
```

Wasp validates every variable below at server startup using the schemas in app/src/env.ts and the per-feature app/src/**/env.ts files. If a required variable is missing or empty, the server refuses to boot — there is no silent fallback.
Server (app/.env.server)
Auth
| Variable | Required | Default | Notes |
|---|---|---|---|
| DATABASE_URL | Optional in dev | unset | If you run wasp start db you don’t need to set this — Wasp wires up a local Postgres for you. Set it explicitly when pointing at a managed Postgres. Secret. |
| ADMIN_EMAILS | No | "" | Comma-separated emails granted admin on signup. Empty string disables admin grants. |
| GOOGLE_CLIENT_ID | If Google auth enabled | — | From Google Cloud OAuth credentials. Currently disabled in main.wasp — uncomment the google: {} block to enable. |
| GOOGLE_CLIENT_SECRET | If Google auth enabled | — | Pair with GOOGLE_CLIENT_ID. Secret. |
Email sending
Trademark Sentinel uses Brevo for transactional email in production, plumbed through Wasp’s SMTP provider — Wasp 0.23 has no native Brevo provider, so Brevo’s transactional SMTP relay (smtp-relay.brevo.com:587) is the supported path. The default Dummy provider doesn’t send real email — it logs links to the server console — and ignores the SMTP_* vars below.
| Variable | Required | Default | Notes |
|---|---|---|---|
| SMTP_HOST | Production | — | Brevo: smtp-relay.brevo.com. Only required when app/main.wasp’s emailSender.provider is set to SMTP. |
| SMTP_PORT | Production | — | Brevo: 587 (STARTTLS). |
| SMTP_USERNAME | Production | — | Brevo SMTP login (the email shown in Senders, Domains & Dedicated IPs → SMTP & API → SMTP). |
| SMTP_PASSWORD | Production | — | Brevo SMTP key (xkeysib-...) generated alongside the login. Secret. |
Payments — Stripe (default provider)
| Variable | Required | Default | Notes |
|---|---|---|---|
| STRIPE_API_KEY | Yes | — | Secret API key (sk_test_... for dev, sk_live_... for prod). Secret. |
| STRIPE_WEBHOOK_SECRET | Yes | — | From stripe listen output (dev) or the dashboard webhook config (prod). Secret. |
| STRIPE_PRICE_ID_SOLO | Yes | — | Stripe recurring price ID for the Solo tier. Free tier has no price ID — it’s the default for new signups. |
| STRIPE_PRICE_ID_TEAM | Yes | — | Stripe recurring price ID for the Team tier. |
| STRIPE_PRICE_ID_ENTERPRISE | Yes | — | Stripe recurring price ID for the Enterprise tier. |
Payments — Lemon Squeezy (alternative)
These are validated by lemonSqueezyEnvSchema in app/src/payment/lemonSqueezy/env.ts. Trademark Sentinel ships with Stripe wired in paymentsWebhook; switch only if you remove the Stripe schema import from app/src/env.ts first.
| Variable | Required | Notes |
|---|---|---|
| LEMONSQUEEZY_API_KEY | If using Lemon Squeezy | Secret. |
| LEMONSQUEEZY_WEBHOOK_SECRET | If using Lemon Squeezy | Secret. |
| LEMONSQUEEZY_STORE_ID | If using Lemon Squeezy | Find in Lemon Squeezy store settings. |
Payments — Polar (alternative)
Validated by polarEnvSchema. Same caveat as Lemon Squeezy — exclusive of Stripe.
| Variable | Required | Notes |
|---|---|---|
| POLAR_ORGANIZATION_ACCESS_TOKEN | If using Polar | Secret. |
| POLAR_WEBHOOK_SECRET | If using Polar | Secret. |
| POLAR_SANDBOX_MODE | If using Polar | true for sandbox, false for live. |
File uploads (AWS S3)
Required only if you keep the file-upload feature. Remove the fileUploadEnvSchema import from app/src/env.ts to drop these.
| Variable | Required | Notes |
|---|---|---|
| AWS_S3_IAM_ACCESS_KEY | If file uploads enabled | Secret. |
| AWS_S3_IAM_SECRET_KEY | If file uploads enabled | Secret. |
| AWS_S3_FILES_BUCKET | If file uploads enabled | Bucket name. |
| AWS_S3_REGION | If file uploads enabled | e.g. eu-west-2. |
AI demo
Required by demoAiAppEnvSchema. Remove the import from app/src/env.ts if you delete the demo AI app.
| Variable | Required | Notes |
|---|---|---|
| OPENAI_API_KEY | If demo AI app kept | OpenAI API key. Secret. |
Analytics (optional)
The Plausible and Google Analytics schemas are imported in app/src/env.ts by default. Drop the imports if you don’t want either backend.
| Variable | Required | Notes |
|---|---|---|
| PLAUSIBLE_API_KEY | If using Plausible | Secret. |
| PLAUSIBLE_SITE_ID | If using Plausible | e.g. yoursite.com. |
| PLAUSIBLE_BASE_URL | If using Plausible | https://plausible.io/api for hosted, your URL for self-hosted. |
| GOOGLE_ANALYTICS_CLIENT_EMAIL | If using GA | Service account email. |
| GOOGLE_ANALYTICS_PRIVATE_KEY | If using GA | Base64-encoded JSON key. Secret. |
| GOOGLE_ANALYTICS_PROPERTY_ID | If using GA | GA4 property ID. |
Client (app/.env.client)
Wasp exposes only variables prefixed with REACT_APP_ to client code (see the Wasp env-vars docs).
| Variable | Required | Notes |
|---|---|---|
| REACT_APP_GOOGLE_ANALYTICS_ID | If using GA on the client | e.g. G-XXXXXXX. |
Security notes
- Anything marked Secret must never be committed to git. The .env.server file is in .gitignore; double-check before staging.
- For Fly.io, set production secrets with `fly secrets set KEY=value` rather than baking them into a Dockerfile or fly.toml.
- The Dummy email provider prints verification URLs to the server log — fine for dev, never enable in production.
- Rotate Stripe and Brevo keys if a .env.server file is ever leaked.
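A pre-commit style check for both env files, added here as an example and not part of the project's code: it flags Secret-marked variables or secret-looking values that end up in .env.client, and applies the same missing-or-empty rule to the Stripe and SMTP variables in .env.server. The function names, the `production` and `smtp` options, and the finding strings are assumptions of this example; the sample inputs are constructed.

```javascript
// Added example, not project code. SECRET_VARS = variables marked Secret in the server tables.
const SECRET_VARS = new Set(["DATABASE_URL", "GOOGLE_CLIENT_SECRET", "SMTP_PASSWORD",
  "STRIPE_API_KEY", "STRIPE_WEBHOOK_SECRET", "LEMONSQUEEZY_API_KEY",
  "LEMONSQUEEZY_WEBHOOK_SECRET", "POLAR_ORGANIZATION_ACCESS_TOKEN", "POLAR_WEBHOOK_SECRET",
  "AWS_S3_IAM_ACCESS_KEY", "AWS_S3_IAM_SECRET_KEY", "OPENAI_API_KEY", "PLAUSIBLE_API_KEY",
  "GOOGLE_ANALYTICS_PRIVATE_KEY"]);
const STRIPE_VARS = ["STRIPE_API_KEY", "STRIPE_WEBHOOK_SECRET", "STRIPE_PRICE_ID_SOLO",
  "STRIPE_PRICE_ID_TEAM", "STRIPE_PRICE_ID_ENTERPRISE"];
const SMTP_VARS = ["SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD"];
// Value prefixes quoted on this page: Stripe secret keys and Brevo SMTP keys.
const SECRET_VALUE = /^(sk_(test|live)_|xkeysib-)/;

// Minimal KEY=value parser: skips blanks and comments, strips one pair of quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

// .env.client: REACT_APP_ values are exposed to client code, so no secret may appear.
function lintClientEnv(text) {
  const findings = [];
  for (const [key, value] of Object.entries(parseEnv(text))) {
    if (!key.startsWith("REACT_APP_")) findings.push(`${key}: lacks REACT_APP_ prefix`);
    if (SECRET_VARS.has(key.replace(/^REACT_APP_/, "")) || SECRET_VALUE.test(value))
      findings.push(`${key}: server secret in client file`);
  }
  return findings;
}

// .env.server: missing-or-empty check, plus Stripe key vs. environment mismatch.
function lintServerEnv(text, { production = false, smtp = false } = {}) {
  const env = parseEnv(text);
  const required = smtp ? [...STRIPE_VARS, ...SMTP_VARS] : STRIPE_VARS;
  const findings = required.filter((k) => !env[k]).map((k) => `${k}: missing or empty`);
  const key = env.STRIPE_API_KEY || "";
  if (production && key.startsWith("sk_test_")) findings.push("STRIPE_API_KEY: test key in production");
  if (!production && key.startsWith("sk_live_")) findings.push("STRIPE_API_KEY: live key outside production");
  return findings;
}

// Constructed sample input (placeholder values, not real keys).
const SAMPLE_CLIENT = "REACT_APP_GOOGLE_ANALYTICS_ID=G-XXXXXXX\nREACT_APP_STRIPE_API_KEY=sk_live_placeholder\n";
const SAMPLE_SERVER = "STRIPE_API_KEY=sk_test_placeholder\nSTRIPE_WEBHOOK_SECRET=\nSTRIPE_PRICE_ID_SOLO=price_solo\n";
```

Pass `smtp: true` only when app/main.wasp's emailSender.provider is set to SMTP, since the SMTP_* variables are ignored by the Dummy provider.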
Out of date?
This table is derived from app/.env.server.example, app/.env.client.example, and the schemas under app/src/**/env.ts. If you add or remove a feature in app/src/env.ts, please update this page in the same PR.