Environment Variables

All configuration is driven by a .env file at the monorepo root. Copy .env.example to .env before starting the application.

How Variables Are Loaded

Consumer	Mechanism
Backend	Spring Boot reads `.env` via `spring.config.import=optional:file:.env[.properties]` in `application.yml`. Local override: `backend/.env`.
Frontend	Next.js loads `.env` via `dotenv` in `next.config.ts`. Local override: `frontend/.env.local`.
CI/CD	Variables are passed as GitHub Actions environment variables (not from `.env`). Secrets are stored in GitHub repository secrets.

Never commit .env

.env is listed in .gitignore. Never commit real credentials. Use .env.example as the template.

Variable	Default	Description
`SPRING_DATASOURCE_URL`	`jdbc:postgresql://localhost:5432/nextgenpoll`	JDBC connection URL
`SPRING_DATASOURCE_USERNAME`	`ngp_user`	Database username
`SPRING_DATASOURCE_PASSWORD`	`ngp_local_pass`	Database password
`SPRING_PROFILES_ACTIVE`	`dev`	Active Spring profile (`dev`, `prod`, `test`)

Variable	Default	Description
`AZURE_TENANT_ID`	—	Azure CIAM tenant ID (used to build JWKS URI)
`JWT_JWK_CONNECT_TIMEOUT_MS`	`5000`	JWKS endpoint connect timeout (ms)
`JWT_JWK_READ_TIMEOUT_MS`	`5000`	JWKS endpoint read timeout (ms)
`JWT_JWK_WARMUP_ENABLED`	`true`	Warm up JWKS cache on startup (`false` in `test` profile)

Variable	Default	Description
`AZURE_COMMUNICATION_CONNECTION_STRING`	—	Azure Communication Services connection string
`AZURE_EMAIL_SENDER`	`[email protected]`	Sender address

Variable	Default	Description
`ALLOWED_ORIGINS`	`http://localhost:3000`	Comma-separated list of allowed CORS origins

All NEXT_PUBLIC_* variables are included in the browser bundle — never put secrets in these.

Variable	Default	Description
`NEXT_PUBLIC_API_URL`	`http://localhost:8080`	Backend REST base URL
`NEXT_PUBLIC_WS_URL`	`ws://localhost:8080/ws`	WebSocket endpoint
`NEXT_PUBLIC_AZURE_CLIENT_ID`	—	MSAL app registration client ID
`NEXT_PUBLIC_AZURE_AUTHORITY`	—	MSAL authority URL (CIAM tenant)
`NEXT_PUBLIC_AZURE_REDIRECT_URI`	`http://localhost:3000/auth/callback`	OAuth redirect URI
`NEXT_PUBLIC_AZURE_POST_LOGOUT_REDIRECT_URI`	`http://localhost:3000`	Post-logout redirect URI
`NEXT_PUBLIC_AZURE_API_SCOPE`	—	API scope for access tokens
`NEXT_DEV_ALLOWED_ORIGINS`	—	Comma-separated dev origins for Next.js (e.g. PowerPoint add-in HTTPS origin)

Variable	Default	Description
`NEXTGENPOLL_ADDIN_PROD_URL`	`https://nextgenpoll.com/addin/`	Base URL where add-in assets are served in production

These secrets must be configured in GitHub → Settings → Secrets and Variables → Actions:

Secret	Used By	Description
`AZURE_BACKEND_PUBLISH_PROFILE`	`backend-cd.yml`	Azure App Service publish profile for `nextgenpoll-api`
`AZURE_FRONTEND_PUBLISH_PROFILE`	`frontend-cd.yml`	Azure App Service publish profile for `nextgenpoll-web`
`AZURE_STATIC_WEB_APPS_API_TOKEN_DOCS`	`docs-cd.yml`	Azure Static Web Apps deployment token for `nextgenpoll-docs`
`AZURE_DB_URL`	`backend-cd.yml`	Production JDBC URL for Flyway migration
`AZURE_DB_USERNAME`	`backend-cd.yml`	Production DB username for Flyway migration
`AZURE_DB_PASSWORD`	`backend-cd.yml`	Production DB password for Flyway migration
`NEXT_PUBLIC_API_URL`	`frontend-cd.yml`	Production API URL
`NEXT_PUBLIC_WS_URL`	`frontend-cd.yml`	Production WebSocket URL
`NEXT_PUBLIC_AZURE_CLIENT_ID`	`frontend-cd.yml`	Production MSAL client ID
`NEXT_PUBLIC_AZURE_AUTHORITY`	`frontend-cd.yml`	Production MSAL authority
`NEXT_PUBLIC_AZURE_REDIRECT_URI`	`frontend-cd.yml`	Production redirect URI
`NEXT_PUBLIC_AZURE_POST_LOGOUT_REDIRECT_URI`	`frontend-cd.yml`	Production post-logout URI
`NEXT_PUBLIC_AZURE_API_SCOPE`	`frontend-cd.yml`	Production API scope
`AZURE_TENANT_ID`	`frontend-cd.yml`	Azure tenant ID (used in build)
`NEXTGENPOLL_ADDIN_PROD_URL`	`frontend-cd.yml`	Production add-in assets URL