.env.example

# ==========================================
# COINPAY PORTAL ENVIRONMENT VARIABLES
# ==========================================
# Replace all placeholder values with your actual keys.
# Do NOT commit your actual .env file to version control.

# ------------------------------------------
# SUPABASE ALIGNMENT (REQUIRED)
# ------------------------------------------
# From your Supabase project dashboard: Settings → API
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-supabase-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-supabase-service-role-key

# New API-keys style (gradually replacing anon/service_role)
# From Settings → API → API Keys
SUPABASE_PUBLISHABLE_KEY=your-supabase-publishable-key
SUPABASE_SECRET_KEY=your-supabase-secret-key
SUPABASE_SECRETMAT_KEY=your-supabase-secret-mat-key

# For migrations + CLI (Settings → Database → Connection string)
SUPABASE_ACCESS_TOKEN=your-supabase-personal-access-token
SUPABASE_DB_PASSWORD=your-supabase-db-password
SUPABASE_JWT_SECRET=your-supabase-jwt-secret

# ------------------------------------------
# ENCRYPTION & AUTHENTICATION (REQUIRED)
# ------------------------------------------
# Generate with: openssl rand -hex 32
ENCRYPTION_KEY=changeme-generate-with-openssl-rand-hex-32
# Master encryption key for advanced features
MASTER_ENCRYPTION_KEY=changeme-generate-with-openssl-rand-hex-32
# Used for Lightning Network keys
LN_KEY_ENCRYPTION_KEY=changeme-generate-with-openssl-rand-hex-32
# Generate with: openssl rand -base64 64
JWT_SECRET=changeme-generate-with-openssl-rand-base64-64
# Generate with: openssl rand -hex 32
OIDC_SIGNING_SECRET=changeme-generate-with-openssl-rand-hex-32
# Generate with: openssl rand -hex 32
REPUTATION_SIGNING_SECRET=changeme-generate-with-openssl-rand-hex-32

# ------------------------------------------
# APPLICATION URLS & CORS (REQUIRED)
# ------------------------------------------
NODE_ENV=production
PORT=8080
NEXT_PUBLIC_APP_URL=https://your-domain.com
APP_URL=https://your-domain.com
NEXT_PUBLIC_API_URL=https://your-domain.com/api
# Comma-separated list of allowed origins for CORS
ALLOWED_ORIGINS=https://your-domain.com
CORS_ALLOWED_ORIGINS=https://your-domain.com

# ------------------------------------------
# RPC PROVIDER URLS
# ------------------------------------------
# Create apps in Alchemy (https://alchemy.com/) or another provider
ALCHEMY_API_KEY=your-alchemy-api-key

# REQUIRED for Core Chains
BITCOIN_RPC_URL=https://your-bitcoin-rpc-endpoint
ETHEREUM_RPC_URL=https://eth-mainnet.g.alchemy.com/v2/your-api-key
POLYGON_RPC_URL=https://polygon-mainnet.g.alchemy.com/v2/your-api-key
SOLANA_RPC_URL=https://api.mainnet-beta.solana.com
NEXT_PUBLIC_SOLANA_RPC_URL=https://api.mainnet-beta.solana.com
NEXT_PUBLIC_SOLANA_NETWORK=mainnet-beta

# OPTIONAL for Alt Chains
BCH_RPC_URL=https://your-bitcoin-cash-rpc-endpoint
BNB_RPC_URL=https://bsc-dataseed.binance.org
BSC_RPC_URL=https://bsc-dataseed.binance.org
ADA_RPC_URL=https://your-cardano-rpc-endpoint
XRP_RPC_URL=wss://xrplcluster.com
DOGE_RPC_URL=https://your-dogecoin-rpc-endpoint
BASE_RPC_URL=https://base-mainnet.g.alchemy.com/v2/your-api-key
ARB_RPC_URL=https://arb-mainnet.g.alchemy.com/v2/your-api-key
AVAX_RPC_URL=https://api.avax.network/ext/bc/C/rpc
OP_RPC_URL=https://opt-mainnet.g.alchemy.com/v2/your-api-key

# ------------------------------------------
# PLATFORM FEE WALLETS (REQUIRED)
# ------------------------------------------
# Where the system's 0.5% commission is sent (NEVER commit actual values)
# Native chain wallets
PLATFORM_FEE_WALLET_BTC=your-btc-platform-fee-address
PLATFORM_FEE_WALLET_BCH=your-bch-platform-fee-address
PLATFORM_FEE_WALLET_ETH=your-eth-platform-fee-address
PLATFORM_FEE_WALLET_POL=your-polygon-platform-fee-address
PLATFORM_FEE_WALLET_SOL=your-solana-platform-fee-address
PLATFORM_FEE_WALLET_BNB=your-bnb-platform-fee-address
PLATFORM_FEE_WALLET_ADA=your-ada-platform-fee-address
PLATFORM_FEE_WALLET_DOGE=your-doge-platform-fee-address
PLATFORM_FEE_WALLET_XRP=your-xrp-platform-fee-address

# Stablecoin wallets (per-chain variants — set the ones you accept)
PLATFORM_FEE_WALLET_USDC=your-usdc-platform-fee-address
PLATFORM_FEE_WALLET_USDC_ETH=your-usdc-on-ethereum-address
PLATFORM_FEE_WALLET_USDC_POL=your-usdc-on-polygon-address
PLATFORM_FEE_WALLET_USDC_SOL=your-usdc-on-solana-address
PLATFORM_FEE_WALLET_USDT=your-usdt-platform-fee-address
PLATFORM_FEE_WALLET_USDT_ETH=your-usdt-on-ethereum-address
PLATFORM_FEE_WALLET_USDT_POL=your-usdt-on-polygon-address
PLATFORM_FEE_WALLET_USDT_SOL=your-usdt-on-solana-address

# ------------------------------------------
# SYSTEM HD WALLET SEED PHRASES
# ------------------------------------------
# Generate a unique phrase for EACH variable below using the included helper script:
#   node scripts/gen-mnemonic.mjs
# Run it once per mnemonic — do NOT reuse the same phrase across chains.
#
# IMPORTANT: Values MUST be wrapped in double quotes because they contain spaces.
# Example:  SYSTEM_MNEMONIC_BTC="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
#
# These are used to derive unique payment addresses for each transaction.
# The system owns these wallets and forwards funds to merchants after taking commission.
# NEVER commit actual values — treat these like private keys.

# REQUIRED Core Chains:
SYSTEM_MNEMONIC_BTC="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_ETH="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_POL="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_SOL="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"

# OPTIONAL Alt Chains:
SYSTEM_MNEMONIC_ADA="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_BCH="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_BNB="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_DOGE="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_XRP="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"

# Stablecoin mnemonics (per-chain variants — set the ones you accept)
SYSTEM_MNEMONIC_USDC="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDC_ETH="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDC_POL="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDC_SOL="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDT="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDT_ETH="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDT_POL="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
SYSTEM_MNEMONIC_USDT_SOL="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"

# Master mnemonic (optional — kept for legacy single-wallet deployments)
MASTER_MNEMONIC="word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"

# ------------------------------------------
# THIRD_PARTY APIS
# ------------------------------------------
# Tatum API (Exchange Rates for BTC, ETH, SOL)
TATUM_API_KEY=your-tatum-api-key

# Kraken API (fallback for exchange rates, used for POL/Polygon)
# Public Ticker API doesn't require auth, but keys enable private APIs
KRAKEN_API_KEY=your-kraken-api-key
KRAKEN_API_SECRET=your-kraken-api-secret

# Crypto APIs (for BCH and other blockchains - https://cryptoapis.io/)
CRYPTO_APIS_KEY=your-cryptoapis-key
CRYPTOAPIS_API_KEY=your-cryptoapis-key

# Block Explorers (for indexing and finalizing transactions)
ETHERSCAN_API_KEY=your-etherscan-api-key
POLYGONSCAN_API_KEY=your-polygonscan-api-key
BSCSCAN_API_KEY=your-bscscan-api-key
BLOCKFROST_API_KEY=your-blockfrost-api-key

# ChangeNOW (Swaps)
CHANGENOW_API_KEY=your-changenow-api-key

# Mailgun / Resend (Email Notifications — pick one)
MAILGUN_API_KEY=your-mailgun-api-key
MAILGUN_DOMAIN=mg.your-domain.com
FROM_EMAIL=no-reply@your-domain.com
REPLY_TO_EMAIL=support@your-domain.com
RESEND_API_KEY=your-resend-api-key

# ------------------------------------------
# WEBHOOKS & INTERNAL APIS
# ------------------------------------------
# Generate with: openssl rand -hex 32
WEBHOOK_SECRET=changeme-generate-with-openssl-rand-hex-32
WEBHOOK_SIGNING_SECRET=changeme-generate-with-openssl-rand-base64-32
COINPAY_WEBHOOK_SECRET=changeme-generate-with-openssl-rand-hex-32

# Internal APIs and Cron
INTERNAL_API_KEY=changeme-generate-with-openssl-rand-hex-32
CRON_SECRET=changeme-generate-with-openssl-rand-hex-32

# ------------------------------------------
# MONITORING
# ------------------------------------------
# Set to "true" to start the background payment monitor loop.
# Disable in local dev to avoid RPC burn; enable on the server that
# owns the cron / worker role.
ENABLE_BACKGROUND_MONITOR=false

# ------------------------------------------
# MISCELLANEOUS & OPTIONAL
# ------------------------------------------
# WalletConnect / Reown AppKit (https://cloud.reown.com/)
NEXT_PUBLIC_WALLETCONNECT_PROJECT_ID=your-walletconnect-project-id

# Stripe (Optional for Card Payments)
STRIPE_SECRET_KEY=sk_test_your-stripe-secret
STRIPE_PUBLISHABLE_KEY=pk_test_your-stripe-publishable-key
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_your-stripe-publishable-key
STRIPE_WEBHOOK_SECRET=whsec_your-stripe-webhook-secret
STRIPE_CONNECT_WEBHOOK_SECRET=whsec_your-stripe-connect-webhook-secret
# Stripe Connect organization id (platform account)
STRIPE_ORG_ID=acct_your-stripe-org-id

# WebAuthn (Optional)
WEBAUTHN_RP_ID=your-domain.com
WEBAUTHN_ORIGIN=https://your-domain.com

# ------------------------------------------
# LIGHTNING NETWORK (Optional)
# ------------------------------------------
# LNbits — hosted Lightning accounts
LNBITS_URL=https://your-lnbits-instance.com
LNBITS_ADMIN_KEY=your-lnbits-admin-key
LNBITS_INVOICE_KEY=your-lnbits-invoice-key
# Optional: self-hosted LNbits droplet provisioning
LNBITS_DROPLET_HOST=your-droplet-host
LNBITS_DROPLET_USER=your-droplet-user

# Greenlight (Blockstream's hosted Lightning node service)
# Credentials are typically multi-line PEM — keep on one line with
# \n separators or use a secret manager (Doppler / 1Password) to
# inject the real PEM at runtime.
GL_NOBODY_CRT=-----BEGIN CERTIFICATE-----\nyour-pem-body-here\n-----END CERTIFICATE-----
GL_NOBODY_KEY=-----BEGIN PRIVATE KEY-----\nyour-pem-body-here\n-----END PRIVATE KEY-----
# bitcoin | testnet
GL_NETWORK=bitcoin
GL_WEBHOOK_SECRET=changeme-generate-with-openssl-rand-hex-32

# Blockstream API (Optional — for auxiliary explorer / broadcast paths)
BLOCKSTREAM_CLIENT_ID=your-blockstream-client-id
BLOCKSTREAM_CLIENT_SECRET=your-blockstream-client-secret

# ------------------------------------------
# SWAPS (Optional)
# ------------------------------------------
# SideShift integration
SIDESHIFT_AFFILIATE_ID=your-sideshift-affiliate-id
SIDESHIFT_SECRET=your-sideshift-secret

# ------------------------------------------
# DEVELOPER TOKENS (Optional)
# ------------------------------------------
# For publishing private packages (e.g., @profullstack/*)
NPM_TOKEN=your-npm-token

# ------------------------------------------
# DOPPLER (Optional — for teams using Doppler secrets manager)
# ------------------------------------------
# If you use Doppler to inject env vars at build/run time, these
# values are picked up by the Doppler CLI. Not required if you're
# injecting env another way.
DOPPLER_PROJECT=coinpayportal
DOPPLER_CONFIG=prod
DOPPLER_ENVIRONMENT=prod

# CrawlProof Audience Hub (https://crawlproof.com)
CRAWLPROOF_PROJECT_ID=69420039-675a-4c3e-95ec-c8287fc21cc5
CRAWLPROOF_PROJECT_KEY=
CRAWLPROOF_INGEST_URL=https://crawlproof.com/api/events