The frontend reads a few environment variables. All have fallbacks or are only required when the password gate is enabled.
-> Create a .env.local in the project root if needed
You can optionally set this if you wish to serve from somewhere else:
NEXT_PUBLIC_API_URL=http://localhost:8000If omitted,
lib/api.jsfalls back tohttp://localhost:8000, which works automatically when the frontend and backend are deployed on the same server. Override this only when the backend lives elsewhere.
Note:
NEXT_PUBLIC_*variables are setnpm run buildtime, not read at runtime. Rebuild after changing the value.
The app sits behind a password gate (see lib/gate-token.js and the login flow). Two variables are required for the gate to work:
PROTOTYPE_PASSWORD=your-shared-password
GATE_SECRET=your-long-random-secret
PROTOTYPE_PASSWORDis the shared password users enter on the login page.GATE_SECRETsigns the 48-hour JWT issued after a successful login. Both are server-side only and never exposed to the browser. Pick a long, randomGATE_SECRETand keep it stable across restarts!