Environment variables

Every variable that configures a Carbon instance, grouped by concern. The source of truth is packages/env.

Carbon reads its configuration from environment variables. The registry lives in packages/env; .env.example is the template; infrastructure-only variables are read by sst.config.ts. A minimal instance needs the Supabase connection, a session secret, and Redis — everything else activates features as you need them.

Core

Platform-wide behavior and edition.

CARBON_EDITION (enum, optional)
One of community, cloud, enterprise, or test — gates edition-specific features.
CONTROLLED_ENVIRONMENT (boolean, optional)
Enables ITAR / controlled-environment restrictions.
AUTH_PROVIDERS (enum[], optional)
Allowed sign-in methods: email, google, azure, passkey.
DOMAIN (string, optional)
Base domain the apps are served from.
ERP_URL (url, optional)
Public URL of the ERP app.
MES_URL (url, optional)
Public URL of the MES app.
DEFAULT_LANGUAGE (string, optional)
Default UI language.
RATE_LIMIT (number, optional)
Requests per window allowed against the API.

Database — Supabase

Carbon's single Postgres database. All five are required.

SUPABASE_URL (url, required)
Supabase project URL.
SUPABASE_ANON_KEY (string, required)
Public anon key — browser-safe.
SUPABASE_SERVICE_ROLE_KEY (string, required)
Service-role key — server only, never exposed to the client.
SUPABASE_DB_URL (url, required)
Direct Postgres connection string.
SUPABASE_JWT_SECRET (string, required)
Secret used to sign and verify session JWTs.

Auth & sessions

SESSION_SECRET (string, required)
Signs the session cookie.
SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_ID (string, optional)
Google OAuth client id, when google is in AUTH_PROVIDERS.
SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_SECRET (string, optional)
Google OAuth client secret.
SUPABASE_AUTH_EXTERNAL_AZURE_CLIENT_ID (string, optional)
Azure OAuth client id, when azure is enabled.
SUPABASE_AUTH_EXTERNAL_AZURE_CLIENT_SECRET (string, optional)
Azure OAuth client secret.
DEV_BYPASS_EMAIL (string, optional)
Local only — sign in as this email without a magic link.

Sign-in bot protection uses Cloudflare Turnstile: CLOUDFLARE_TURNSTILE_SITE_KEY and CLOUDFLARE_TURNSTILE_SECRET_KEY.

Jobs & cache

REDIS_URL (url, required)
Redis connection (ioredis URL) for the permission cache and queues.
INNGEST_SIGNING_KEY (string, optional)
Signs requests to the Inngest jobs runner.
INNGEST_EVENT_KEY (string, optional)
Key for sending events to Inngest.
INNGEST_BASE_URL (url, optional)
Override the Inngest endpoint (self-hosted or dev).

Email & billing

RESEND_API_KEY (string, optional)
Resend API key for transactional email.
RESEND_DOMAIN (string, optional)
Verified sending domain.
STRIPE_SECRET_KEY (string, optional)
Stripe secret key — Cloud / Enterprise billing.
STRIPE_WEBHOOK_SECRET (string, optional)
Verifies inbound Stripe webhooks.

AI & analytics

OPENAI_API_KEY (string, optional)
Powers AI features (embeddings, assist).
ANTHROPIC_API_KEY (string, optional)
Anthropic key for Claude-backed features.
POSTHOG_API_HOST (url, optional)
PostHog host for product analytics.
POSTHOG_PROJECT_PUBLIC_KEY (string, optional)
PostHog project key.

Integrations

OAuth credentials for each connector — all optional, set only the ones you use.

XERO_CLIENT_ID (string, optional)
Xero OAuth client id.
XERO_CLIENT_SECRET (string, optional)
Xero OAuth client secret.
XERO_WEBHOOK_SECRET (string, optional)
Verifies inbound Xero webhooks.
QUICKBOOKS_CLIENT_ID (string, optional)
QuickBooks OAuth client id.
QUICKBOOKS_CLIENT_SECRET (string, optional)
QuickBooks OAuth client secret.
JIRA_CLIENT_ID (string, optional)
Jira OAuth client id.
JIRA_CLIENT_SECRET (string, optional)
Jira OAuth client secret.
SLACK_CLIENT_ID (string, optional)
Slack OAuth client id.
SLACK_CLIENT_SECRET (string, optional)
Slack OAuth client secret.
ONSHAPE_CLIENT_ID (string, optional)
Onshape OAuth client id.
ONSHAPE_CLIENT_SECRET (string, optional)
Onshape OAuth client secret.
EXCHANGE_RATES_API_KEY (string, optional)
Currency exchange-rate feed.
GOOGLE_PLACES_API_KEY (string, optional)
Address autocomplete.

Infrastructure — SST

Read by sst.config.ts at deploy time, not by the app.

AWS_REGION (string, required)
Region to deploy into.
AWS_ACCOUNT_ID (string, required)
Target AWS account.
IMAGE_TAG (string, required)
ECR image tag to deploy.
CERT_ARN_ERP (string, optional)
ACM certificate ARN for the ERP domain.
CERT_ARN_MES (string, optional)
ACM certificate ARN for the MES domain.
URL_ERP (url, optional)
Custom ERP domain — overrides the default.
URL_MES (url, optional)
Custom MES domain — overrides the default.

HEADS UP

Older notes list TRIGGER_* (Trigger.dev) and UPSTASH_REDIS_* variables — those are gone. Jobs run on Inngest and the cache uses a plain REDIS_URL.
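
A preflight check built from the rules on this page, as an added example (not Carbon's own code and not the packages/env registry). The function name checkEnv, the isLocal flag, the comma-separated form of AUTH_PROVIDERS, and the anon/service-role equality check are assumptions made for illustration.

```javascript
// Variable names are from the page; how the rules are wired is assumed.
const REQUIRED = [
  "SUPABASE_URL", "SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY",
  "SUPABASE_DB_URL", "SUPABASE_JWT_SECRET", "SESSION_SECRET", "REDIS_URL",
];
// Sign-in provider -> the OAuth credentials the page ties to it.
const PROVIDER_VARS = new Map([
  ["google", ["SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_ID", "SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_SECRET"]],
  ["azure", ["SUPABASE_AUTH_EXTERNAL_AZURE_CLIENT_ID", "SUPABASE_AUTH_EXTERNAL_AZURE_CLIENT_SECRET"]],
]);
const REMOVED_PREFIXES = ["TRIGGER_", "UPSTASH_REDIS_"];

// env: plain object of name -> value (for example process.env).
// isLocal: hypothetical caller-supplied flag; the page does not say how Carbon detects a local run.
function checkEnv(env, { isLocal = false } = {}) {
  const findings = [];
  const isSet = (n) => typeof env[n] === "string" && env[n].trim() !== "";
  for (const n of REQUIRED) {
    if (!isSet(n)) findings.push(`missing required variable: ${n}`);
  }
  // Assumption: AUTH_PROVIDERS is a comma-separated list.
  const providers = (env.AUTH_PROVIDERS || "").split(",").map((p) => p.trim()).filter(Boolean);
  for (const p of providers) {
    for (const n of PROVIDER_VARS.get(p) || []) {
      if (!isSet(n)) findings.push(`${p} is enabled but ${n} is unset`);
    }
  }
  // The anon key is shipped to browsers, so it must never equal the service-role key.
  if (isSet("SUPABASE_ANON_KEY") && env.SUPABASE_ANON_KEY === env.SUPABASE_SERVICE_ROLE_KEY) {
    findings.push("SUPABASE_ANON_KEY equals SUPABASE_SERVICE_ROLE_KEY");
  }
  if (isSet("DEV_BYPASS_EMAIL") && !isLocal) {
    findings.push("DEV_BYPASS_EMAIL is set outside a local environment");
  }
  for (const n of Object.keys(env)) {
    if (REMOVED_PREFIXES.some((pre) => n.startsWith(pre))) findings.push(`removed variable still set: ${n}`);
  }
  return findings;
}

// Constructed sample environment (placeholder values, not real credentials).
const sampleEnv = {
  SUPABASE_URL: "https://example.invalid", SUPABASE_ANON_KEY: "anon-placeholder",
  SUPABASE_SERVICE_ROLE_KEY: "anon-placeholder", SUPABASE_DB_URL: "postgres://example.invalid/db",
  SUPABASE_JWT_SECRET: "jwt-placeholder", SESSION_SECRET: "session-placeholder",
  AUTH_PROVIDERS: "email,google", SUPABASE_AUTH_EXTERNAL_GOOGLE_CLIENT_ID: "id-placeholder",
  DEV_BYPASS_EMAIL: "dev@example.invalid", UPSTASH_REDIS_REST_URL: "https://example.invalid",
};
console.log(checkEnv(sampleEnv).join("\n"));
```

Run it in CI or at container start with the real environment object and fail the deploy when the returned list is non-empty.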