Environment Checklist

Required production environment variables for Cascades.

Cascades keeps the template platform foundation, but production configuration should be reviewed as Cascades infrastructure rather than starter-kit scaffolding.

Secret delivery (Doppler)

The development defaults (npm run dev, workers, Prisma CLI helpers) are wrapped in doppler run; see scripts/with-doppler.cjs. Locally, use the Doppler project cascades with config dev, and mirror the same injection pattern on a VPS (doppler run -- node …). Each of the other Noir Stack repos (aitracer, hexarch, ledgerbill, etc.) should use its own Doppler project, not one shared project.

After login, run npm run doppler:validate. Prefer setting CASCADES_DOTENV_BOOTSTRAP=false in Doppler so that .env* files on disk cannot override injected secrets (see root next.config.js). As an escape hatch without the CLI, set CASCADES_NO_DOPPLER=1 and provide the environment another way (CI secrets).

Required groups

Application

  • NEXT_PUBLIC_APP_URL — public application URL.
  • DATABASE_URL — Prisma database connection string.

Identity provider (OIDC — example naming in many builds)

Variable names vary by issuer; Cascades deployments often expose AUTH0_*-style placeholders mapped from any OIDC provider (Okta, Entra, Azure AD-compatible issuers, Keycloak realms, etc.).

  • AUTH0_SECRET — application session encryption secret.
  • AUTH0_BASE_URL — canonical Cascades app URL.
  • AUTH0_ISSUER_BASE_URL — OIDC issuer / tenant URL (or set AUTH0_DOMAIN host-style and Cascades derives an issuer URL — see env/server.mjs).
  • AUTH0_CLIENT_ID — OAuth client identifier.
  • AUTH0_CLIENT_SECRET — OAuth client secret.

Treat these values as OIDC_ISSUER / client metadata equivalents when you migrate away from naming that references a single vendor.

Commercial billing (optional — hosted SKU only)

Omit Stripe variables entirely for deployments that skip hosted billing; see Stripe Billing internals when you intentionally enable checkout.

  • STRIPE_SECRET_KEY — server-side Stripe API key.
  • STRIPE_WEBHOOK_SECRET — webhook signing secret.
  • NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY — publishable key.
  • NEXT_PUBLIC_STRIPE_PRO_MONTHLY_PLAN_ID
  • NEXT_PUBLIC_STRIPE_PRO_YEARLY_PLAN_ID
  • NEXT_PUBLIC_STRIPE_BUSINESS_MONTHLY_PLAN_ID
  • NEXT_PUBLIC_STRIPE_BUSINESS_YEARLY_PLAN_ID

Review checklist

  • No stray NEXTAUTH_* placeholders should linger from abandoned NextAuth scaffolding.
  • STRIPE_API_KEY is a legacy fallback; prefer STRIPE_SECRET_KEY in production billing stacks.
  • When Stripe is enabled, confirm that test/live Stripe keys align with webhook endpoints / price identifiers.
  • Production values belong in encrypted environment storage, not committed files.
  • Rotate any key that was exposed in local files, chat transcripts, logs, or screenshots.

Do not commit populated .env* files. Prefer Doppler (or your platform secret store). Legacy local files are optional and must never override injected secrets when using CASCADES_DOTENV_BOOTSTRAP=false.
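
The review checklist above can be run as a pre-deploy check. The following is an added example, not Cascades code and not what npm run doppler:validate does; auditEnv, the finding format, and treating any populated Stripe variable as "billing enabled" are assumptions. It can only compare the key modes visible in the environment (secret vs. publishable key prefixes), not webhook endpoints or price identifiers.

```javascript
// Added example: audit an env object against this page's checklist.
// Variable names come from the page; auditEnv and its output shape are assumptions.
const REQUIRED = ["NEXT_PUBLIC_APP_URL", "DATABASE_URL", "AUTH0_SECRET",
  "AUTH0_BASE_URL", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET"];

// Stripe API keys carry their mode in the prefix (sk_test_, sk_live_, pk_test_, pk_live_).
const stripeMode = (key) => (/^[a-z]+_(test|live)_/.exec(key || "") || [])[1] || null;

function auditEnv(env) {
  const findings = [];
  const has = (name) => typeof env[name] === "string" && env[name].trim() !== "";
  const add = (level, message) => findings.push({ level, message });

  for (const name of REQUIRED) if (!has(name)) add("error", `${name} is missing`);
  // The issuer may be given directly or derived from AUTH0_DOMAIN.
  if (!has("AUTH0_ISSUER_BASE_URL") && !has("AUTH0_DOMAIN"))
    add("error", "set AUTH0_ISSUER_BASE_URL or AUTH0_DOMAIN");

  for (const name of Object.keys(env))
    if (name.startsWith("NEXTAUTH_")) add("warn", `stray placeholder ${name}`);

  if (env.CASCADES_DOTENV_BOOTSTRAP !== "false")
    add("warn", "CASCADES_DOTENV_BOOTSTRAP is not false; .env* files may override injected secrets");

  // Assumption: any populated Stripe variable means hosted billing is enabled.
  const stripeEnabled = Object.keys(env).some((n) => n.includes("STRIPE_") && has(n));
  if (stripeEnabled) {
    if (has("STRIPE_API_KEY")) add("warn", "legacy STRIPE_API_KEY set; prefer STRIPE_SECRET_KEY");
    if (!has("STRIPE_WEBHOOK_SECRET")) add("error", "STRIPE_WEBHOOK_SECRET is missing");
    const secret = stripeMode(env.STRIPE_SECRET_KEY || env.STRIPE_API_KEY);
    const publishable = stripeMode(env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY);
    if (!secret || !publishable) add("error", "Stripe secret or publishable key missing or malformed");
    else if (secret !== publishable)
      add("error", `Stripe mode mismatch: secret=${secret}, publishable=${publishable}`);
  }
  return findings;
}

// Constructed sample: a live secret key paired with a test publishable key.
const sample = {
  NEXT_PUBLIC_APP_URL: "https://app.example.test", DATABASE_URL: "postgresql://placeholder",
  AUTH0_SECRET: "placeholder", AUTH0_BASE_URL: "https://app.example.test",
  AUTH0_DOMAIN: "issuer.example.test", AUTH0_CLIENT_ID: "placeholder",
  AUTH0_CLIENT_SECRET: "placeholder", NEXTAUTH_URL: "http://localhost:3000",
  STRIPE_SECRET_KEY: "sk_live_placeholder", STRIPE_WEBHOOK_SECRET: "whsec_placeholder",
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: "pk_test_placeholder",
};
// Findings name variables only and never echo secret values.
for (const f of auditEnv(sample)) console.log(`${f.level}: ${f.message}`);
```

In CI, pass process.env to auditEnv and fail the job when any finding has level "error".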
