Environment Variables

Backend variables (backend-js/src/app/config/envConfig.ts)

Variable	Required	Default	Notes
MYSQL_USER	Yes	none	DB user.
MYSQL_PASSWORD	Yes	none	DB password (secret).
MYSQL_HOST	Yes	none	DB host.
MYSQL_PORT	No	3306	DB port.
MYSQL_DATABASE	Yes	none	DB schema.
RESEND_API_KEY	Yes (for email features)	none	Required for login/reset/activation/status emails.
GOOGLE_DIRECTIONS_API_KEY	Yes	none	Used for route optimization and geocoding.
JWT_SECRET	No in code, but must be set in prod	hardcoded fallback string	Development fallback exists; production must override.
JWT_ACCESS_EXPIRES_IN	No	15m	Access token TTL.
JWT_REFRESH_EXPIRES_DAYS	No	7	Refresh token TTL.
TRACKING_EXPIRES_DAYS	No	30	Tracking token TTL.
TRACKING_BASE_URL	No	localhost/prod URL by mode	Used in tracking email links.
RESET_BASE_URL	No	localhost/prod URL by mode	Used in reset/activation links.
DEFAULT_USER_PASSWORD	No in code, but security-sensitive	hardcoded fallback string	Seed password for created users; must be overridden.

[!WARNING] JWT_SECRET and DEFAULT_USER_PASSWORD include hardcoded fallbacks in source. Treat them as development-only and override in production immediately.

Frontend variables (frontend-app/app/config/envConfig.ts)

Variable	Required	Default	Notes
NEXT_PUBLIC_API_BASE_URL	Yes in dev	none	API base URL for local/development frontend.
NEXT_PUBLIC_HERE_API_KEY	Yes	none	HERE map integration key.

Frontend hardcodes production API base URL as https://api.tolosaerronka.es/api when NODE_ENV=production.

Security-sensitive vars

• Backend: MYSQL_PASSWORD, RESEND_API_KEY, GOOGLE_DIRECTIONS_API_KEY, JWT_SECRET, DEFAULT_USER_PASSWORD.
• Frontend: public variables are exposed client-side by design; do not place secrets in NEXT_PUBLIC_*.

Source of truth

• backend-js/.env.example is the seed reference.
• Real production values should be supplied by deployment platform secrets.