Environment Variables Reference

All environment variables used by UberLotto v2. Copy .env.example to .env and fill in the values.

Variable Categories

Category	Prefix	Description
Public	`PUBLIC_*`	Safe to expose in client bundles
Vite Public	`VITE_PUBLIC_*`	Exposed to client via Vite
Private	No prefix	Server-only, never exposed to client

Shopify Configuration

Required for all environments.

Variable	Description	Example
`PUBLIC_STOREFRONT_ID`	Shopify Storefront ID	`gid://shopify/Shop/12345`
`PUBLIC_STOREFRONT_API_TOKEN`	Public Storefront API token	`shpat_xxxxx`
`PUBLIC_STORE_DOMAIN`	Store domain	`uberlotto.myshopify.com`
`PRIVATE_STOREFRONT_API_TOKEN`	Private Storefront API token	`shpat_xxxxx`
`PUBLIC_CUSTOMER_ACCOUNT_API_CLIENT_ID`	Customer Account API client ID	`shp_xxxxx`
`PUBLIC_CUSTOMER_ACCOUNT_API_URL`	Customer Account API URL	`https://shopify.com/xxxxx`
`SHOP_ID`	Shop GID	`gid://shopify/Shop/12345`
`SESSION_SECRET`	Session encryption key (32+ chars)	Random string
`PUBLIC_CHECKOUT_DOMAIN`	Checkout domain	`uberlotto.myshopify.com`

How to Obtain

Storefront API credentials — Shopify Admin → Settings → Apps → Develop apps → Create/select app → API credentials
Customer Account API — Shopify Admin → Settings → Customer accounts → Enable and configure

Supabase Configuration

Required for database functionality.

Variable	Description	Example
`SUPABASE_URL`	Project URL	`https://xxxxx.supabase.co`
`SUPABASE_ANON_KEY`	Anonymous/public key	`eyJhbGciOiJIUzI1NiIs...`
`SUPABASE_SERVICE_ROLE_KEY`	Service role key (admin)	`eyJhbGciOiJIUzI1NiIs...`

SUPABASE_SERVICE_ROLE_KEY

The service role key bypasses Row Level Security (RLS). Never expose it in client code, logs, or version control. Only use in .server.ts files.

How to Obtain

Open Supabase Dashboard
Select project → Settings → API
Copy keys from "Project API keys" section

Analytics (PostHog)

Optional — leave empty to disable analytics.

Variable	Description	Example
`VITE_PUBLIC_POSTHOG_KEY`	PostHog project API key	`phc_xxxxx`
`VITE_PUBLIC_POSTHOG_HOST`	PostHog host URL	`https://us.i.posthog.com`

TIP

Both variables must be set for analytics to work. Leave both empty to disable.

Payment Gateway — Plisio

Required for cryptocurrency payments via Plisio.

Variable	Description	Example
`PLISIO_API_KEY`	Plisio API key	`xxxxx`
`PLISIO_SECRET_KEY`	Webhook HMAC secret	`xxxxx`
`PLISIO_WEBHOOK_IPS`	Allowed webhook IPs (comma-separated)	`216.219.89.38`

How to Obtain

Open Plisio Dashboard
API Settings → Create/view API keys
Webhook Settings → Copy secret key

WARNING

PLISIO_SECRET_KEY is used to verify webhook HMAC signatures. PLISIO_WEBHOOK_IPS should include the official Plisio webhook IP: 216.219.89.38.

Payment Gateway — MoonPay

Required for fiat-to-crypto on-ramp payments via MoonPay.

Variable	Description	Example
`MOONPAY_PUBLISHABLE_KEY`	MoonPay publishable key	`pk_test_your_key_here`
`MOONPAY_SECRET_KEY`	MoonPay secret key	`sk_test_your_key_here`
`MOONPAY_WEBHOOK_KEY`	Webhook HMAC verification key	`whk_your_webhook_key_here`
`MOONPAY_WALLET_ADDRESS`	Destination wallet address	`0x3ae230Bc...`
`MOONPAY_ENVIRONMENT`	`sandbox` or `production`	`sandbox`

How to Obtain

Open MoonPay Dashboard
Get publishable and secret keys from the API Keys section
Configure webhook key in the Webhooks section

Cleanup Job Authentication

Required for the auto-expire pending transactions cron job.

Variable	Description	Example
`CLEANUP_SECRET_TOKEN`	Auth token for `/api/cleanup-pending-transactions`	Random 64-char hex

This token authenticates the cron endpoint that automatically expires pending transactions older than 1 hour. The cron runs every 15 minutes (*/15 * * * *).

How to Generate

bash

# Generate a cryptographically random 64-character token
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

DANGER

Store this token in your password manager and deployment platform. Never commit the actual token to git.

Environment-Specific Setup

Local Development

bash

# .env (gitignored) — copy from .env.example
cp .env.example .env

# .env.local (gitignored) — optional overrides
VITE_PUBLIC_POSTHOG_KEY=  # Disable analytics locally

Production (Shopify Oxygen)

Set environment variables in:

Shopify Admin → Hydrogen → Environment Variables
Or via CLI: shopify hydrogen env push

CI/CD (GitHub Actions)

Set as GitHub Secrets:

Repository → Settings → Secrets and variables → Actions
Add each production variable as a secret

Validation Checklist

Before deploying, verify:

[ ] All required Shopify variables are set
[ ] SESSION_SECRET is unique per environment
[ ] SUPABASE_SERVICE_ROLE_KEY is not exposed in logs
[ ] PLISIO_SECRET_KEY matches Plisio dashboard
[ ] MOONPAY_WEBHOOK_KEY matches MoonPay dashboard
[ ] MOONPAY_ENVIRONMENT is set to production (not sandbox)
[ ] CLEANUP_SECRET_TOKEN is secure and stored safely

Environment Variables Reference ​

Variable Categories ​

Shopify Configuration ​

How to Obtain ​

Supabase Configuration ​

How to Obtain ​

Analytics (PostHog) ​

Payment Gateway — Plisio ​

How to Obtain ​

Payment Gateway — MoonPay ​

How to Obtain ​

Cleanup Job Authentication ​

How to Generate ​

Environment-Specific Setup ​

Local Development ​

Production (Shopify Oxygen) ​

CI/CD (GitHub Actions) ​

Validation Checklist ​

Environment Variables Reference

Variable Categories

Shopify Configuration

How to Obtain

Supabase Configuration

How to Obtain

Analytics (PostHog)

Payment Gateway — Plisio

How to Obtain

Payment Gateway — MoonPay

How to Obtain

Cleanup Job Authentication

How to Generate

Environment-Specific Setup

Local Development

Production (Shopify Oxygen)

CI/CD (GitHub Actions)

Validation Checklist