Configuration
Every environment variable temetro reads, in one table.
temetro is configured through environment variables. In Docker setups a .env is
optional — the backend generates any missing secrets on first start (see below).
Create backend/.env (from backend/.env.example) only to override defaults.
Environment variables
Backend
| Variable | Required | Description |
|---|---|---|
BETTER_AUTH_SECRET | Auto | Secret key for signing sessions. Auto-generated and persisted if unset (Docker). Set your own to control it; changing it signs everyone out. |
AI_CREDENTIALS_KEY | Auto | Key used to encrypt stored AI provider API keys at rest. Auto-generated and persisted if unset (Docker). Changing it invalidates saved provider keys (they must be re-entered). |
DATABASE_URL | Yes | PostgreSQL connection string. The Docker default (postgres://temetro:temetro@db:5432/temetro) points at the bundled database. |
BETTER_AUTH_URL | Yes | Public URL of the backend (default http://localhost:4000). An https:// URL switches session cookies to secure mode. |
FRONTEND_URL | Yes | Public URL of the app (default http://localhost:3000). Used for CORS and for links in emails. |
PORT | No | Port the API listens on (default 4000). |
POSTGRES_PORT | No | Host port for the bundled Postgres (default 5432). Change it if 5432 is taken. |
NODE_ENV | No | development or production. |
In Docker, auto-generated secrets are stored in the temetro_secrets volume and reused
on every restart. They're only regenerated if you remove that volume (e.g.
docker compose down -v).
Email (SMTP)
All optional. If SMTP_HOST is unset, outgoing emails (password resets,
verifications, invitations) are printed to the backend logs instead of being sent.
| Variable | Description |
|---|---|
SMTP_HOST | SMTP server hostname. |
SMTP_PORT | SMTP port (typically 587 or 465). |
SMTP_USER | SMTP username. |
SMTP_PASS | SMTP password. |
SMTP_FROM | The From header, e.g. temetro <no-reply@yourclinic.example>. |
Frontend
| Variable | Description |
|---|---|
NEXT_PUBLIC_API_URL | URL where the app reaches the API (default http://localhost:4000). In Docker this is set for you. |
Built-in rate limits
To slow down password-guessing, the API limits authentication attempts per 60-second window:
| Action | Limit |
|---|---|
| Sign in | 5 attempts |
| Sign up | 3 attempts |
| Password reset | 3 attempts |
Sessions last one week before requiring sign-in again.