Engine configuration
The engine shell reads configuration from environment variables. Defaults are suitable for local development; production deployments should override the security-sensitive ones.
Database (Sequelize / PostgreSQL)
| Variable | Default | Notes |
|---|---|---|
DB_HOST | localhost | Database host |
DB_PORT | 5432 | Database port |
DB_USER | box | Database user |
DB_PASSWORD | box | Database password |
DB_NAME | box | Database name |
DB_SSL | false | Enable TLS to the database |
Server
| Variable | Default | Notes |
|---|---|---|
PORT | 3001 | HTTP port the engine listens on |
Authentication
| Variable | Default | Notes |
|---|---|---|
BOX_JWT_SECRET | box-dev-secret-change-me | Signing secret for box-issued JWTs |
BOX_JWT_EXPIRES_IN | 7d | Token lifetime |
⚠️
Change BOX_JWT_SECRET and BOX_COOKIE_SECRET for any non-local deployment.
The defaults are intentionally obvious placeholders.
Google OAuth
| Variable | Default | Notes |
|---|---|---|
GOOGLE_CLIENT_ID | (empty) | OAuth client id |
GOOGLE_CLIENT_SECRET | (empty) | OAuth client secret |
GOOGLE_REDIRECT_URI | http://localhost:3011/accounts/google/callback | OAuth callback |
Box runtime
| Variable | Default | Notes |
|---|---|---|
BOX_ROOT_DOMAINS | box.local | CSV of root domains the box serves |
BOX_CORS_ORIGINS | DASHBOARD_URL | CSV of allowed CORS origins |
BOX_COOKIE_SECRET | dev-cookie-secret-change-me | Cookie signing secret |
BOX_TENANT_SLUG_HEADER | x-tenant-slug | Header carrying the resolved tenant slug |
Dashboards & control plane
| Variable | Default | Notes |
|---|---|---|
DASHBOARD_URL | http://localhost:3002 | Console URL |
HELP_URL | {DASHBOARD_URL}/help | Help link |
CONTROL_PLANE_URL | (empty) | Control-plane base URL |
POTTER_LICENSE_KEY | (empty) | License key for control-plane integration |
Payment gateways
The shell reads no payment gateway variables. Provider credentials are read
by whatever payment adapter you bind — for example a
Paystack adapter reads PAYSTACK_SECRET_KEY. Keep gateway secrets with the
adapter, not the shell.