diff --git a/docs/06-configuration.md b/docs/06-configuration.md index 855f0241..564b0e6b 100644 --- a/docs/06-configuration.md +++ b/docs/06-configuration.md @@ -89,16 +89,12 @@ This table is based on `backend/app/core/config.py`, `.env.example`, `backend/.e |---|---:|---|---|---| | `NEXT_PUBLIC_API_URL` | **yes** | Backend base URL used by the browser | `http://localhost:8000` | Must be browser-reachable | | `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` | **yes** | Enables Clerk in the frontend | (none) | Must be a real publishable key | -| `CLERK_SECRET_KEY` | **yes** | Clerk secret key used by the frontend (server-side) and E2E | (none) | Do not commit; required for Clerk-enabled operation | -| `NEXT_PUBLIC_CLERK_SIGN_IN_FORCE_REDIRECT_URL` | optional | Post-login redirect | `/boards` | — | -| `NEXT_PUBLIC_CLERK_SIGN_UP_FORCE_REDIRECT_URL` | optional | Post-signup redirect | `/boards` | — | | `NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL` | optional | Fallback redirect | `/boards` | — | -| `NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL` | optional | Fallback redirect | `/boards` | — | | `NEXT_PUBLIC_CLERK_AFTER_SIGN_OUT_URL` | optional | Post-logout redirect | `/` | — | ## Operational footguns -- **Clerk placeholder keys**: `frontend/.env.example` contains non-empty Clerk placeholders. `compose.yml` intentionally does **not** load it, because it can accidentally flip Clerk “on”. Prefer user-managed `frontend/.env` (for Compose) or `frontend/.env.local` (for Next dev). +- **Frontend env template vs runtime env**: `frontend/.env.example` is a template and `compose.yml` intentionally does **not** load it at runtime. Use user-managed `frontend/.env` (for Compose) or `frontend/.env.local` (for Next dev). - **`DB_AUTO_MIGRATE`**: - In `ENVIRONMENT=dev`, backend defaults `DB_AUTO_MIGRATE=true` if you didn’t set it explicitly. - In production, consider disabling auto-migrate and running migrations as an explicit step. 
diff --git a/docs/deployment/README.md b/docs/deployment/README.md index 60add961..ef844497 100644 --- a/docs/deployment/README.md +++ b/docs/deployment/README.md @@ -15,7 +15,9 @@ When running Compose, you get: - Health check: `GET /healthz` - **Frontend UI** (Next.js) on `http://localhost:${FRONTEND_PORT:-3000}` -Auth (Clerk) is **required** right now. You must configure Clerk keys for the frontend and backend (`CLERK_SECRET_KEY`). +Auth is configurable per deployment: +- `AUTH_MODE=local` (self-host default; shared bearer token) +- `AUTH_MODE=clerk` (Clerk JWT auth; backend requires `CLERK_SECRET_KEY`) ## Requirements @@ -86,7 +88,7 @@ These persist across `docker compose down`. ### Root `.env` (Compose) - Copy the template: `cp .env.example .env` -- Edit values as needed (ports, Clerk URLs/keys, etc.) +- Edit values as needed (ports, auth mode, tokens, API URL, etc.) Compose is invoked with: @@ -158,7 +160,6 @@ Create `frontend/.env` with at least: NEXT_PUBLIC_AUTH_MODE=clerk NEXT_PUBLIC_API_URL=http://localhost:8000 NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_your_real_key -CLERK_SECRET_KEY=sk_test_your_real_key ``` **Security:** treat `LOCAL_AUTH_TOKEN` and `CLERK_SECRET_KEY` like passwords. Do not commit them. diff --git a/frontend/.env.example b/frontend/.env.example index 425dc8d9..b1db4249 100644 --- a/frontend/.env.example +++ b/frontend/.env.example @@ -9,9 +9,5 @@ NEXT_PUBLIC_AUTH_MODE=local # Clerk auth (used when NEXT_PUBLIC_AUTH_MODE=clerk) NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY= -CLERK_SECRET_KEY= -NEXT_PUBLIC_CLERK_SIGN_IN_FORCE_REDIRECT_URL=/boards -NEXT_PUBLIC_CLERK_SIGN_UP_FORCE_REDIRECT_URL=/boards NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL=/boards -NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL=/boards NEXT_PUBLIC_CLERK_AFTER_SIGN_OUT_URL=/ diff --git a/frontend/README.md b/frontend/README.md index 1bcc1eb0..33052326 100644 --- a/frontend/README.md +++ b/frontend/README.md 
@@ -70,8 +70,8 @@ For `local` mode: For `clerk` mode, configure: - `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` -- `CLERK_SECRET_KEY` -- optional Clerk redirect env vars +- optional `NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL` +- optional `NEXT_PUBLIC_CLERK_AFTER_SIGN_OUT_URL` ## How the frontend talks to the backend
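Review bot: In `docs/06-configuration.md` (hunk `@@ -89,16 +89,12`), deleting the `CLERK_SECRET_KEY` row also deletes the only "Do not commit" guidance in this frontend table, and nothing in the hunk tells a reader who already has the key in `frontend/.env` what to do with it. The `docs/deployment/README.md` change in this same patch says the backend requires `CLERK_SECRET_KEY`, so add one sentence under the table stating that the secret is now a backend setting and, if the frontend no longer reads it, that it should be removed from frontend env files. The rewritten footgun bullet also drops the reason `compose.yml` skips `frontend/.env.example`; a short "because" clause would keep the bullet useful under the "Operational footguns" heading.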
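Review bot: In `docs/deployment/README.md` (hunk `@@ -15,7 +15,9`), the `AUTH_MODE=local` bullet says "shared bearer token" without naming the variable that holds it, while the `AUTH_MODE=clerk` bullet names `CLERK_SECRET_KEY`. The Security line further down this file refers to `LOCAL_AUTH_TOKEN`; name it in the bullet, and since local mode is the self-host default, say that the token is shared by all clients and must be set to a strong random value before the service is exposed. Also add a blank line between "Auth is configurable per deployment:" and the list so it renders as a list in every Markdown parser.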
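Review bot: In `docs/deployment/README.md` (hunk `@@ -158,7 +160,6`), the unchanged **Security:** line directly after the `frontend/.env` example still names `CLERK_SECRET_KEY`, which the example no longer contains, so it reads as if that secret belongs in the frontend file. Reword the line to say where each secret lives (for example, that `CLERK_SECRET_KEY` is set for the backend only), or move the `CLERK_SECRET_KEY` mention to the backend section.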
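Review bot: In `frontend/.env.example` (hunk `@@ -9,9 +9,5`), `NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL` is kept while `NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL` is removed, and the same asymmetry is repeated in the `docs/06-configuration.md` table and the `frontend/README.md` list. If that is intentional, add a comment in the template saying where a user lands after sign-up; if it is not, restore the sign-up variable or drop both so the three files stay consistent.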