Skip to main content
Environment variables override overlay.config.json. Put secrets in the runtime secret manager; keep JSON config focused on non-secret deployment shape.

Base Runtime

Provider Variables

Private Deployment Defaults

For private deployments, disable unapproved processors in both server and client-visible env:

Convex Placement

Convex needs only the secrets used by Convex functions. For the normal web path, configure:
  • INTERNAL_API_SECRET, matching the app runtime.
Session and crypto secrets belong only on the Next.js app runtime:
  • SESSION_SECRET
  • SESSION_TRANSFER_KEY
  • SESSION_COOKIE_ENCRYPTION_KEY
  • INTERNAL_SERVICE_AUTH_SECRET
After editing convex/, push both deployments:
Do not pass .env.local to production Convex deploy commands; use the package scripts so production and development deployments receive the right environment.