Configuration

All configuration is done via environment variables in .env. Copy .env.example to get started.

Required variables

Variable	Description
`SESSION_SECRET`	Any long random string. Used to sign session cookies. Rotate this to invalidate all active sessions.
`ENCRYPTION_KEY`	Exactly 64 hex characters. Used to encrypt Stripe keys and Square OAuth tokens at rest. Do not change after initial setup — changing it makes existing encrypted credentials unreadable.

Generate both with:

bash

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Optional — AI features

Variable	Description
`ANTHROPIC_API_KEY`	Your Anthropic API key. Without this, the AI Assistant and Dashboard insights are unavailable. Get one at console.anthropic.com.

Optional — Square OAuth

Required to enable Square Sync. Register an app at developer.squareup.com.

Variable	Description
`SQUARE_APP_ID`	Your Square application ID
`SQUARE_APP_SECRET`	Your Square application secret
`SQUARE_ENVIRONMENT`	`sandbox` for testing, `production` for live

Also configure your Square app's OAuth redirect URL: https://your-domain.com/api/square/oauth/callback

Optional — Email (SMTP)

Required for password-reset emails. Without it, the Forgot password? link is hidden on the sign-in page and admins must reset passwords manually. See SMTP & Email for provider examples and per-tenant overrides.

All five SMTP variables must be set together for platform SMTP to activate:

Variable	Example
`APP_URL`	`https://books.geekonomics-app.com` (no trailing slash)
`SMTP_HOST`	`smtp.example.com`
`SMTP_PORT`	`587`
`SMTP_USER`	`noreply@example.com`
`SMTP_PASS`	(your SMTP password)
`SMTP_FROM`	`"Geekonomics <noreply@example.com>"`

Optional — Plaid bank sync

Required to enable automatic bank transaction import. Register at dashboard.plaid.com.

Variable	Description
`PLAID_CLIENT_ID`	Your Plaid client ID
`PLAID_SECRET`	Your Plaid secret
`PLAID_ENV`	`sandbox` for testing, `production` for live

Without Plaid credentials, manual entry and Square/Stripe sync still work fully — Plaid bank linking is simply unavailable.

Stripe (not in .env)

Stripe is configured per-company in the app UI, not in .env. Go to Settings → Stripe Configuration after setup. The key is stored AES-256-GCM encrypted in the database.

Production settings

When NODE_ENV=production, the app enables:

secure flag on session cookies (requires HTTPS)
Same-origin-only API requests (CORS disabled)
Static file serving from ./public (the Vite build)

The Docker container sets NODE_ENV=production automatically via the Dockerfile.

Example .env

env

# Required
SESSION_SECRET=your-long-random-session-secret-here
ENCRYPTION_KEY=64-hex-chars-here

# AI features
ANTHROPIC_API_KEY=sk-ant-...

# Square OAuth
SQUARE_APP_ID=sq0idp-...
SQUARE_APP_SECRET=sq0csp-...
SQUARE_ENVIRONMENT=production

# Plaid
PLAID_CLIENT_ID=your-client-id
PLAID_SECRET=your-secret
PLAID_ENV=production

# Email (SMTP) — required for password reset emails
APP_URL=https://books.example.com
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=noreply@example.com
SMTP_PASS=your-smtp-password
SMTP_FROM="Geekonomics <noreply@example.com>"

Configuration ​

Required variables ​

Optional — AI features ​

Optional — Square OAuth ​

Optional — Email (SMTP) ​

Optional — Plaid bank sync ​

Stripe (not in .env) ​

Production settings ​

Example .env ​