-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.env.example
More file actions
66 lines (52 loc) · 2.68 KB
/
.env.example
File metadata and controls
66 lines (52 loc) · 2.68 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# ============================================================================
# SECURITY: Keep this file private. Never commit a filled-out .env to git.
# ============================================================================
# Session signing secret — REQUIRED, must be unique per instance
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
SESSION_SECRET=
# Twilio — credentials for SMS verification and inbound clip sharing
# Keep these secret. Rotate if compromised.
TWILIO_ACCOUNT_SID=
TWILIO_AUTH_TOKEN=
TWILIO_VERIFY_SERVICE_SID=
# Verification channels — comma-separated list of enabled channels (sms, email)
# Requires matching Twilio Verify integration (e.g. SendGrid for email)
VERIFY_CHANNELS=sms
# Set to "true" to bypass Twilio and auto-approve any verification code (dev/testing only)
SMS_DEV_MODE=false
# Web Push VAPID keys — generate a unique pair per instance
# Generate with: npx web-push generate-vapid-keys
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
VAPID_SUBJECT=mailto:you@example.com
# App URL (REQUIRED — used for invite links, Twilio webhooks, and internal references)
# Must match the public URL users access (e.g. https://scrolly.example.com)
PUBLIC_APP_URL=http://localhost:3000
# SvelteKit origin (REQUIRED behind a reverse proxy)
# SvelteKit checks the Origin header on form submissions for CSRF protection.
# Behind a reverse proxy, SvelteKit can't determine the correct origin on its own
# and will reject requests with a silent 403 (before app-level logging).
# docker-compose.yml sets this automatically from PUBLIC_APP_URL.
# For manual deployments, set this to your public URL.
# ORIGIN=https://scrolly.example.com
# Data directory (optional — defaults to ./data)
# DATA_DIR=./data
# Giphy API key (optional — enables GIF search in comments)
# Get one at https://developers.giphy.com/
GIPHY_API_KEY=
# Legal pages (optional — shown in SMS consent text on join/onboard screens)
# Self-hosted operators should provide their own Terms and Privacy Policy URLs
# Required by Twilio/CTIA for SMS verification compliance
PUBLIC_TERMS_URL=
PUBLIC_PRIVACY_URL=
# Logging (optional — trace, debug, info, warn, error, fatal. Default: info)
# LOG_LEVEL=info
# Verbose request logging (optional — logs full request/response details per request)
# Includes: IP, user-agent, referer, headers (sensitive values redacted), query params,
# content-type, and content-length. Useful for debugging proxy/network issues.
# Default: false
# VERBOSE_REQUESTS=true
# Database backups (optional — number of daily backups to keep. Default: 7)
# BACKUP_RETENTION_COUNT=7
# Domain for Caddy HTTPS (used with docker-compose.caddy.yml)
# DOMAIN=scrolly.example.com