Platform Operators
Environment Variables
Complete reference for every environment variable you need when self-hosting Banata Auth with Convex and Next.js.
Self-hosted deployments only. This page covers the environment variables required when you run your own Convex + Next.js stack. If you use Banata as a managed service, you can skip this page entirely. Hosted app integrations usually only need
BANATA_API_KEYand, optionally,BANATA_AUTH_URLif you use a custom Banata auth domain.
Banata Auth reads environment variables from two separate runtimes: the Convex backend (server-side) and the Next.js frontend. Setting each variable in the right place is essential for everything to work correctly.
Quick Reference
| Variable | Where to Set | Required | Description |
|---|---|---|---|
BETTER_AUTH_SECRET | Convex | Yes | Signs sessions, tokens, and webhooks |
SITE_URL | Convex | Yes | Your app's public URL |
CONVEX_DEPLOYMENT | .env.local | Yes | Convex deployment name |
NEXT_PUBLIC_CONVEX_URL | .env.local | Yes | Convex client URL |
NEXT_PUBLIC_CONVEX_SITE_URL | .env.local | Yes | Convex HTTP actions URL |
NEXT_PUBLIC_SITE_URL | .env.local | Recommended | App URL for build-time prerendering |
| OAuth credentials | Convex | If using social auth | Provider-specific client ID and secret |
RESEND_API_KEY | Convex | If sending emails | Resend API key |
BANATA_JWT_SIGNING_KEY_KMS_ID | Convex/secrets manager | Production | KMS key for JWT signing custody |
BANATA_VAULT_KMS_KEY_ID | Convex/secrets manager | Production | KMS key for vault encryption custody |
| SMS/WhatsApp provider credentials | Convex/secrets manager | If using phone OTP | Provider-specific phone delivery credentials |
Convex Environment Variables
You set these on your Convex deployment with npx convex env set. They're available to your Convex functions via process.env.
Core
| Variable | Required | Default | Description |
|---|---|---|---|
BETTER_AUTH_SECRET | Yes | — | Cryptographic secret for signing sessions, tokens, and webhook payloads. Use a strong random string (32+ bytes). Generate one with openssl rand -base64 32. |
SITE_URL | Yes | — | Your app's public URL (e.g., http://localhost:3000 in dev, https://myapp.com in production). Banata uses this for OAuth callback URLs, email links, and cookie configuration. |
BANATA_AUTH_APP_SECRET | Production | — | App-level secret separated from vault and token signing keys. |
BANATA_JWT_SIGNING_KEY_KMS_ID | Production | — | KMS/HSM key ID used for JWT signing key custody or wrapping. |
BANATA_VAULT_KMS_KEY_ID | Production | — | KMS/HSM key ID used for vault key custody or wrapping. |
BANATA_REFRESH_TOKEN_PEPPER_KMS_ID | Production | — | KMS/HSM key or secret reference used to protect refresh token hashes. |
BANATA_WEBHOOK_SIGNING_PEPPER | Production | — | Server-side pepper used when deriving per-endpoint webhook secrets. |
# Set core variables
npx convex env set BETTER_AUTH_SECRET "$(openssl rand -base64 32)"
npx convex env set SITE_URL "http://localhost:3000"Social OAuth Providers
You only need to set credentials for the providers you've enabled in your socialProviders configuration.
For hosted Banata projects, setting environment variables in your own app is not enough to register a provider in the Banata dashboard. The provider must also be saved to the project through the dashboard or saveSocialProviderCredential(...).
| Variable | Provider | Description |
|---|---|---|
GOOGLE_CLIENT_ID | OAuth 2.0 client ID from Google Cloud Console | |
GOOGLE_CLIENT_SECRET | OAuth 2.0 client secret | |
GITHUB_CLIENT_ID | GitHub | OAuth App client ID from GitHub Developer Settings |
GITHUB_CLIENT_SECRET | GitHub | OAuth App client secret |
APPLE_CLIENT_ID | Apple | Services ID from Apple Developer Portal |
APPLE_CLIENT_SECRET | Apple | Generated JWT client secret (expires every 6 months) |
MICROSOFT_CLIENT_ID | Microsoft | Application (client) ID from Azure Portal |
MICROSOFT_CLIENT_SECRET | Microsoft | Client secret value from Azure Portal |
MICROSOFT_TENANT_ID | Microsoft | Directory (tenant) ID, or "common", "organizations", "consumers" |
FACEBOOK_CLIENT_ID | App ID from Meta for Developers | |
FACEBOOK_CLIENT_SECRET | App Secret from Meta for Developers | |
TWITTER_CLIENT_ID | Twitter/X | OAuth 2.0 Client ID |
TWITTER_CLIENT_SECRET | Twitter/X | OAuth 2.0 Client Secret |
DISCORD_CLIENT_ID | Discord | Application Client ID |
DISCORD_CLIENT_SECRET | Discord | Application Client Secret |
SPOTIFY_CLIENT_ID | Spotify | App Client ID |
SPOTIFY_CLIENT_SECRET | Spotify | App Client Secret |
TWITCH_CLIENT_ID | Twitch | Application Client ID |
TWITCH_CLIENT_SECRET | Twitch | Application Client Secret |
LINKEDIN_CLIENT_ID | App Client ID | |
LINKEDIN_CLIENT_SECRET | App Client Secret |
# Example: GitHub OAuth
npx convex env set GITHUB_CLIENT_ID "Ov23li..."
npx convex env set GITHUB_CLIENT_SECRET "your-secret"
# Example: Google OAuth
npx convex env set GOOGLE_CLIENT_ID "123456.apps.googleusercontent.com"
npx convex env set GOOGLE_CLIENT_SECRET "GOCSPX-..."Email Provider
| Variable | Required | Description |
|---|---|---|
RESEND_API_KEY | If sending emails | API key from Resend. Used for verification emails, password resets, magic links, OTP codes, and invitations. |
CLOUDFLARE_EMAIL_API_TOKEN | If using Cloudflare Email Service | API token with permission to send email. |
CLOUDFLARE_ACCOUNT_ID | If using Cloudflare Email Service | Cloudflare account ID used by the Email Service REST API. |
npx convex env set RESEND_API_KEY "re_..."Tip: You can manage Resend, SendGrid, Amazon SES, Mailgun, Postmark, and Cloudflare Email Service from Emails > Providers.
Phone And WhatsApp OTP Providers
Banata Auth exposes phone OTP state and endpoints. Configure delivery from SMS > Providers, or provide your own delivery function through productionReadiness.sendPhoneOtp.
| Variable | Required | Description |
|---|---|---|
SMS_PROVIDER_API_KEY | If using SMS OTP | API key for your selected SMS provider. |
SMS_PROVIDER_API_SECRET | If required by the provider | Secondary secret for providers such as Vonage. |
SMS_PROVIDER_ACCOUNT_SID | If using Twilio | Twilio account SID. |
SMS_PROVIDER_AUTH_TOKEN | If using Twilio | Twilio auth token. |
SMS_PROVIDER_SENDER_ID | If using SMS OTP | Sender ID or phone number used for SMS delivery. |
SMS_PROVIDER_USERNAME | If required by the provider | Username for providers such as Africa's Talking. |
SMS_PROVIDER_API_BASE_URL | If required by the provider | Optional provider endpoint override, for example a Mobitech tenant or portal API URL. |
WHATSAPP_CLOUD_API_TOKEN | If using WhatsApp OTP | Meta WhatsApp Cloud API token or provider token. |
WHATSAPP_PHONE_NUMBER_ID | If using WhatsApp OTP | WhatsApp sender phone number ID. |
Never log raw OTPs, provider tokens, or full phone numbers in production logs.
Production Inventory Evidence
Use testing/auth-production-env-inventory-template.json when you prepare the managed production launch evidence.
For each required variable, record:
- the runtime that owns the variable
- whether the value is present
- the secret-store or deployment metadata, with the value redacted
- whether the value is scoped to production only
- notes for any missing, blocked, or rotated value
Then run:
bun run verify:auth-env-inventory-templateDo not paste raw API keys, OAuth secrets, OTPs, cookies, session tokens, refresh tokens, KMS plaintext, or provider credentials into the inventory file. The production gate only accepts redacted inventory and log-review evidence.
Passkeys (WebAuthn)
| Variable | Required | Description |
|---|---|---|
PASSKEY_RP_ID | If using passkeys | Relying Party ID (e.g., "localhost" in dev, "myapp.com" in production) |
PASSKEY_ORIGIN | If using passkeys | Origin URL (e.g., "http://localhost:3000" in dev) |
npx convex env set PASSKEY_RP_ID "myapp.com"
npx convex env set PASSKEY_ORIGIN "https://myapp.com"Managing Convex Variables
# List all variables on your deployment
npx convex env list
# Remove a variable
npx convex env unset GITHUB_CLIENT_IDNext.js Environment Variables (.env.local)
These live in your .env.local file and are available to your Next.js application at build and runtime.
| Variable | Required | Public? | Description |
|---|---|---|---|
CONVEX_DEPLOYMENT | Yes | No | Convex deployment identifier (e.g., dev:your-project-name) |
NEXT_PUBLIC_CONVEX_URL | Yes | Yes | Convex client URL (e.g., https://your-project.convex.cloud) |
NEXT_PUBLIC_CONVEX_SITE_URL | Yes | Yes | Convex HTTP actions URL (e.g., https://your-project.convex.site) |
NEXT_PUBLIC_SITE_URL | Recommended | Yes | Your app's URL. Used for building absolute URLs during SSR and prerendering. |
Example .env.local
# Convex deployment
CONVEX_DEPLOYMENT=dev:your-deployment-name
NEXT_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud
NEXT_PUBLIC_CONVEX_SITE_URL=https://your-deployment.convex.site
# App URL
NEXT_PUBLIC_SITE_URL=http://localhost:3000Local Development
When you run Convex locally with npx convex dev, your .env.local should point to the local endpoints:
CONVEX_DEPLOYMENT=local:local-your-project-name
NEXT_PUBLIC_CONVEX_URL=http://127.0.0.1:3210
NEXT_PUBLIC_CONVEX_SITE_URL=http://127.0.0.1:3211
NEXT_PUBLIC_SITE_URL=http://localhost:3000NEXT_PUBLIC_ Safety Reminder
Any variable prefixed with NEXT_PUBLIC_ gets embedded in your client-side JavaScript bundle and is visible to every user. Never put secrets in NEXT_PUBLIC_ variables.
Safe for NEXT_PUBLIC_ | Never use NEXT_PUBLIC_ for |
|---|---|
| Convex URL | BETTER_AUTH_SECRET |
| Site URL | API keys |
| Feature flags | OAuth secrets |
Production Checklist
Before you go live, walk through each item:
-
BETTER_AUTH_SECRETis a unique, strong random value (different from development) -
SITE_URLpoints to your production domain (e.g.,https://myapp.com) -
NEXT_PUBLIC_CONVEX_URLpoints to your production Convex deployment -
NEXT_PUBLIC_CONVEX_SITE_URLpoints to your production Convex site URL - OAuth callback URLs in each provider's dashboard are updated to production URLs
-
PASSKEY_RP_IDis your production domain (notlocalhost) -
PASSKEY_ORIGINis your production origin (withhttps://) - Email provider API key is set and verified
- No development secrets are reused in production
-
.env.localis listed in.gitignore(never commit secrets)
Template .env.local
Copy this into your project as a starting point:
# Convex deployment (filled automatically by `npx convex dev`)
CONVEX_DEPLOYMENT=dev:your-deployment-name
NEXT_PUBLIC_CONVEX_URL=https://your-deployment.convex.cloud
NEXT_PUBLIC_CONVEX_SITE_URL=https://your-deployment.convex.site
# App URL
NEXT_PUBLIC_SITE_URL=http://localhost:3000Then set your Convex-side variables:
npx convex env set BETTER_AUTH_SECRET "$(openssl rand -base64 32)"
npx convex env set SITE_URL "http://localhost:3000"
# Add OAuth and email provider secrets as neededNext Steps
- Convex Integration — Deep dive into the Convex backend configuration
- Deploy — Ship your self-hosted instance to production
- Quick Start — Set up a new project from scratch
- Auth Configuration — Configure authentication methods and plugins