Platform Operators
Environment Variables
Complete reference for every environment variable you need when self-hosting Banata Auth with Convex and Next.js.
Self-hosted deployments only. This page covers the environment variables required when you run your own Convex + Next.js stack. If you use Banata as a managed service, you can skip this page entirely. Hosted app integrations usually only need
BANATA_API_KEYand, optionally,BANATA_AUTH_URLif you use a custom Banata auth domain.
Banata Auth reads environment variables from two separate runtimes: the Convex backend (server-side) and the Next.js frontend. Setting each variable in the right place is essential for everything to work correctly.
Quick Reference
| Variable | Where to Set | Required | Description |
|---|---|---|---|
BETTER_AUTH_SECRET | Convex | Yes | Signs sessions, tokens, and webhooks |
SITE_URL | Convex | Yes | Your app's public URL |
CONVEX_DEPLOYMENT | .env.local | Yes | Convex deployment name |
NEXT_PUBLIC_CONVEX_URL | .env.local | Yes | Convex client URL |
NEXT_PUBLIC_CONVEX_SITE_URL | .env.local | Yes | Convex HTTP actions URL |
NEXT_PUBLIC_SITE_URL | .env.local | Recommended | App URL for build-time prerendering |
| OAuth credentials | Convex | If using social auth | Provider-specific client ID and secret |
RESEND_API_KEY | Convex | If sending emails | Resend API key |
Convex Environment Variables
You set these on your Convex deployment with npx convex env set. They're available to your Convex functions via process.env.
Core
| Variable | Required | Default | Description |
|---|---|---|---|
BETTER_AUTH_SECRET | Yes | — | Cryptographic secret for signing sessions, tokens, and webhook payloads. Use a strong random string (32+ bytes). Generate one with openssl rand -base64 32. |
SITE_URL | Yes | — | Your app's public URL (e.g., http://localhost:3000 in dev, https://myapp.com in production). Banata uses this for OAuth callback URLs, email links, and cookie configuration. |
# Set core variables
npx convex env set BETTER_AUTH_SECRET "$(openssl rand -base64 32)"
npx convex env set SITE_URL "http://localhost:3000"Social OAuth Providers
You only need to set credentials for the providers you've enabled in your socialProviders configuration.
For hosted Banata projects, setting environment variables in your own app is not enough to register a provider in the Banata dashboard. The provider must also be saved to the project through the dashboard or saveSocialProviderCredential(...).
| Variable | Provider | Description |
|---|---|---|
GOOGLE_CLIENT_ID | OAuth 2.0 client ID from Google Cloud Console | |
GOOGLE_CLIENT_SECRET | OAuth 2.0 client secret | |
GITHUB_CLIENT_ID | GitHub | OAuth App client ID from GitHub Developer Settings |
GITHUB_CLIENT_SECRET | GitHub | OAuth App client secret |
APPLE_CLIENT_ID | Apple | Services ID from Apple Developer Portal |
APPLE_CLIENT_SECRET | Apple | Generated JWT client secret (expires every 6 months) |
MICROSOFT_CLIENT_ID | Microsoft | Application (client) ID from Azure Portal |
MICROSOFT_CLIENT_SECRET | Microsoft | Client secret value from Azure Portal |
MICROSOFT_TENANT_ID | Microsoft | Directory (tenant) ID, or "common", "organizations", "consumers" |
FACEBOOK_CLIENT_ID | App ID from Meta for Developers | |
FACEBOOK_CLIENT_SECRET | App Secret from Meta for Developers | |
TWITTER_CLIENT_ID | Twitter/X | OAuth 2.0 Client ID |
TWITTER_CLIENT_SECRET | Twitter/X | OAuth 2.0 Client Secret |
DISCORD_CLIENT_ID | Discord | Application Client ID |
DISCORD_CLIENT_SECRET | Discord | Application Client Secret |
SPOTIFY_CLIENT_ID | Spotify | App Client ID |
SPOTIFY_CLIENT_SECRET | Spotify | App Client Secret |
TWITCH_CLIENT_ID | Twitch | Application Client ID |
TWITCH_CLIENT_SECRET | Twitch | Application Client Secret |
LINKEDIN_CLIENT_ID | App Client ID | |
LINKEDIN_CLIENT_SECRET | App Client Secret |
# Example: GitHub OAuth
npx convex env set GITHUB_CLIENT_ID "Ov23li..."
npx convex env set GITHUB_CLIENT_SECRET "your-secret"
# Example: Google OAuth
npx convex env set GOOGLE_CLIENT_ID "123456.apps.googleusercontent.com"
npx convex env set GOOGLE_CLIENT_SECRET "GOCSPX-..."Email Provider
| Variable | Required | Description |
|---|---|---|
RESEND_API_KEY | If sending emails | API key from Resend. Used for verification emails, password resets, magic links, OTP codes, and invitations. |
npx convex env set RESEND_API_KEY "re_..."Tip: Resend is the default, but you can swap in any email provider (SendGrid, Postmark, Mailgun, etc.) by changing the
fetch()call in your email callbacks.
Passkeys (WebAuthn)
| Variable | Required | Description |
|---|---|---|
PASSKEY_RP_ID | If using passkeys | Relying Party ID (e.g., "localhost" in dev, "myapp.com" in production) |
PASSKEY_ORIGIN | If using passkeys | Origin URL (e.g., "http://localhost:3000" in dev) |
npx convex env set PASSKEY_RP_ID "myapp.com"
npx convex env set PASSKEY_ORIGIN "https://myapp.com"Managing Convex Variables
# List all variables on your deployment
npx convex env list
# Remove a variable
npx convex env unset GITHUB_CLIENT_IDNext.js Environment Variables (.env.local)
These live in your .env.local file and are available to your Next.js application at build and runtime.
| Variable | Required | Public? | Description |
|---|---|---|---|
CONVEX_DEPLOYMENT | Yes | No | Convex deployment identifier (e.g., dev:your-project-name) |
NEXT_PUBLIC_CONVEX_URL | Yes | Yes | Convex client URL (e.g., https://your-project.convex.cloud) |
NEXT_PUBLIC_CONVEX_SITE_URL | Yes | Yes | Convex HTTP actions URL (e.g., https://your-project.convex.site) |
NEXT_PUBLIC_SITE_URL | Recommended | Yes | Your app's URL. Used for building absolute URLs during SSR and prerendering. |
Example .env.local
# Convex deployment
CONVEX_DEPLOYMENT=dev:your-deployment-name
NEXT_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud
NEXT_PUBLIC_CONVEX_SITE_URL=https://your-deployment.convex.site
# App URL
NEXT_PUBLIC_SITE_URL=http://localhost:3000Local Development
When you run Convex locally with npx convex dev, your .env.local should point to the local endpoints:
CONVEX_DEPLOYMENT=local:local-your-project-name
NEXT_PUBLIC_CONVEX_URL=http://127.0.0.1:3210
NEXT_PUBLIC_CONVEX_SITE_URL=http://127.0.0.1:3211
NEXT_PUBLIC_SITE_URL=http://localhost:3000NEXT_PUBLIC_ Safety Reminder
Any variable prefixed with NEXT_PUBLIC_ gets embedded in your client-side JavaScript bundle and is visible to every user. Never put secrets in NEXT_PUBLIC_ variables.
Safe for NEXT_PUBLIC_ | Never use NEXT_PUBLIC_ for |
|---|---|
| Convex URL | BETTER_AUTH_SECRET |
| Site URL | API keys |
| Feature flags | OAuth secrets |
Production Checklist
Before you go live, walk through each item:
-
BETTER_AUTH_SECRETis a unique, strong random value (different from development) -
SITE_URLpoints to your production domain (e.g.,https://myapp.com) -
NEXT_PUBLIC_CONVEX_URLpoints to your production Convex deployment -
NEXT_PUBLIC_CONVEX_SITE_URLpoints to your production Convex site URL - OAuth callback URLs in each provider's dashboard are updated to production URLs
-
PASSKEY_RP_IDis your production domain (notlocalhost) -
PASSKEY_ORIGINis your production origin (withhttps://) - Email provider API key is set and verified
- No development secrets are reused in production
-
.env.localis listed in.gitignore(never commit secrets)
Template .env.local
Copy this into your project as a starting point:
# Convex deployment (filled automatically by `npx convex dev`)
CONVEX_DEPLOYMENT=dev:your-deployment-name
NEXT_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud
NEXT_PUBLIC_CONVEX_SITE_URL=https://your-deployment.convex.site
# App URL
NEXT_PUBLIC_SITE_URL=http://localhost:3000Then set your Convex-side variables:
npx convex env set BETTER_AUTH_SECRET "$(openssl rand -base64 32)"
npx convex env set SITE_URL "http://localhost:3000"
# Add OAuth and email provider secrets as neededNext Steps
- Convex Integration — Deep dive into the Convex backend configuration
- Deploy — Ship your self-hosted instance to production
- Quick Start — Set up a new project from scratch
- Auth Configuration — Configure authentication methods and plugins