Configure Environment Variables

The API server uses an .env file to manage environment-specific configuration, such as database connection strings and secret keys. This approach keeps sensitive data out of your source code.

This guide explains each variable found in the .env.example file.

Creating Your .env File

First, copy the example file to create your local configuration file. Run this command from the flutter-news-app-api-server-full-source-code directory:

cp .env.example .env

Now, open the new .env file and fill in the values as described below.

---

Required Variables

These variables are essential for the server to function correctly.

DATABASE_URL

The full connection string for your MongoDB instance. The application cannot start without a valid database connection.

• Local Development: mongodb://localhost:27017/your_db_name
• Production: Use the connection string provided by your database hosting service (e.g., MongoDB Atlas).

Tip

For guidance on setting up a local MongoDB instance, see the Configure MongoDB guide.

JWT_SECRET_KEY

A cryptographically secure secret key used to sign and verify JSON Web Tokens (JWTs). This key ensures that authentication tokens are not tampered with.

• Recommendation: Use a secure, randomly generated string with at least 64 characters. You can use an online tool to generate a suitable key.

Security Warning

The JWT_SECRET_KEY is highly sensitive. Never commit this key to version control or expose it publicly. Treat it with the same level of security as a password.

SENDGRID_API_KEY

The API key for your SendGrid account. The server uses SendGrid to send transactional emails, such as One-Time Passwords (OTPs) for user authentication.

• To obtain your key:
  1. Log in to your SendGrid account.
  2. Follow the official SendGrid guide for detailed instructions.

SendGrid Plan Limitations

SendGrid’s free trial (no credit card required) is an excellent choice for development and initial testing. It provides a limit of 100 emails per day for the first 60 days. After this period, your account will be converted to a Pay As You Go plan, which requires adding a payment method to continue service.

For more details, see the SendGrid Pricing Page.

DEFAULT_SENDER_EMAIL

The “From” email address for all outgoing transactional emails.

Caution

This email address must be verified in SendGrid to ensure email delivery. SendGrid will reject emails from unverified senders.

• To verify your sender identity: Follow the official SendGrid guide on sender verification.

OTP_TEMPLATE_ID

The unique ID of the SendGrid dynamic template used for sending OTP codes.

• To create the template:

  1. Navigate to the Dynamic Templates page in your SendGrid dashboard.
  2. Click Create a Dynamic Template and give it a memorable name (e.g., OTP Template).
  3. Select your new template, click Add Version, and choose the Code Editor.
  4. Replace the default content with the HTML below. This code includes the mandatory {{otp_code}} substitution tag.

  <!DOCTYPE html>
  <html>
  <head>
    <title>Your One-Time Password</title>
  </head>
  <body style="font-family: sans-serif; text-align: center; padding: 40px;">
    <div style="max-width: 600px; margin: auto; border: 1px solid #ddd; padding: 20px; border-radius: 8px;">
      <h2 style="color: #333;">Your One-Time Password</h2>
      <p style="color: #555;">Use the code below to complete your sign-in.</p>
      <div style="font-size: 36px; font-weight: bold; letter-spacing: 5px; margin: 20px 0; padding: 15px; background-color: #f5f5f5; border-radius: 5px;">
        {{otp_code}}
      </div>
      <p style="color: #888; font-size: 12px;">This code will expire in 10 minutes. If you did not request this, please ignore this email.</p>
    </div>
  </body>
  </html>

  5. Save the template. From the Dynamic Templates list, copy the Template ID and paste it into your .env file.

OVERRIDE_ADMIN_EMAIL

This variable provides a powerful and secure way to set or recover the application’s single administrator account. On server startup, the system ensures that the user with this email is the one and only administrator.

• If no admin exists: A new administrator account will be created with this email.
• If an admin with a DIFFERENT email exists: The old admin account will be removed and replaced by a new one with this email. All associated data for the old admin will be deleted.
• If an admin with this email already exists: No changes will be made.

Email Delivery Note

Be aware that if the administrator’s email is the same as the DEFAULT_SENDER_EMAIL, you may not receive the OTP email required for login. Some email services, including SendGrid, can prevent an address from sending an email to itself. For reliable administrator access, it is recommended to use an admin email that is different from your verified sender email.

Optional Variables

These variables have default values but can be customized for your environment.

JWT_EXPIRY_HOURS

The duration, in hours, for which a JWT is valid.

• Default: 720 (1 month)

Cost & User Experience Implications

Lowering this value will require users to sign in more often. Each sign-in sends a verification code via email, which may incur costs from your email provider (e.g., SendGrid). The default value of one month is recommended to balance security with a smooth user experience and predictable costs.

CORS_ALLOWED_ORIGIN

The specific origin URL of your web client (e.g., the Flutter Web Dashboard) that is allowed to make requests to this API. This is required for production to prevent Cross-Origin Resource Sharing (CORS) errors.

• Example: https://dashboard.yourdomain.com

Caution

For more details on CORS, see the Configure CORS guide.

SENDGRID_API_URL

The base URL for the SendGrid API.

• Default: https://api.sendgrid.com
• EU Accounts: If your SendGrid account is based in the EU, you may need to set this to https://api.eu.sendgrid.com.

RATE_LIMIT_REQUEST_CODE_LIMIT

The number of times a user can request a sign-in code within the defined window.

• Default: 3

Security & Cost Implications

This limit is a critical security measure to prevent abuse of the email sign-in system. Increasing this value could allow a malicious actor to trigger a large number of emails to a specific address, potentially incurring significant costs from your email provider. It is strongly recommended to keep this value low.

RATE_LIMIT_REQUEST_CODE_WINDOW_HOURS

The time window, in hours, for the sign-in code request limit.

• Default: 24

RATE_LIMIT_DATA_API_LIMIT

The number of general data API requests a user can make within the defined window.

• Default: 1000

RATE_LIMIT_DATA_API_WINDOW_MINUTES

The time window, in hours, for the data API request limit.

• Default: 1