Environment Variables

CLI Environment Variables

These variables configure the Quickback CLI itself.

Variable	Description	Default
`QUICKBACK_API_URL`	Compiler API endpoint	`https://compiler.quickback.dev`
`QUICKBACK_API_KEY`	API key for headless authentication (CI/CD)	—
`QUICKBACK_AUTH_URL`	Auth server URL (custom deployments)	—

Authentication

The CLI authenticates via two methods:

Interactive login — quickback login stores credentials in ~/.quickback/credentials.json
API key — Set QUICKBACK_API_KEY for CI/CD environments

# Use the cloud compiler (default)
quickback compile

# Use a local compiler instance
QUICKBACK_API_URL=http://localhost:3000 quickback compile

# CI/CD with API key
QUICKBACK_API_KEY=qb_key_... quickback compile

Compiler Service Variables

These variables are used by the compiler service/runtime itself.

Variable	Description	Default
`QUICKBACK_SECURITY_REPORT_SIGNING_KEY`	HMAC key for signing `security-contracts.report.json` artifacts	—

When compiler.securityContracts.report.signature.required is true, this variable (or signature.key) must be set or compile fails.

Cloudflare Variables

Wrangler Bindings

These are configured as bindings in wrangler.toml, not environment variables. The compiler generates them automatically.

Binding	Type	Description
`AUTH_DB`	D1 Database	Better Auth tables (dual mode)
`DB`	D1 Database	Feature tables (dual mode)
`DATABASE`	D1 Database	All tables (single DB mode)
`KV`	KV Namespace	Key-value storage
`R2_BUCKET`	R2 Bucket	File storage (if configured)
`AI`	Workers AI	Embedding generation (if configured)
`VECTORIZE`	Vectorize	Vector similarity search (if configured)
`EMBEDDINGS_QUEUE`	Queue	Async embedding jobs (if configured)
`WEBHOOKS_DB`	D1 Database	Webhook events (if configured)
`WEBHOOKS_QUEUE`	Queue	Webhook delivery (if configured)
`FILES_DB`	D1 Database	File metadata (if R2 configured)
`BROADCASTER`	Service Binding	Realtime broadcast worker (if configured)

Worker Variables

Set these in wrangler.toml under [vars] or in the Cloudflare dashboard:

Variable	Description	Required
`BETTER_AUTH_URL`	Public URL of your auth endpoint	Yes
`APP_NAME`	Application name (used in emails)	No

Email (AWS SES)

Required when using the emailOtp plugin with AWS SES:

Variable	Description
`AWS_ACCESS_KEY_ID`	AWS access key
`AWS_SECRET_ACCESS_KEY`	AWS secret key
`AWS_SES_REGION`	SES region (e.g., `us-east-2`)
`EMAIL_FROM`	Sender email address
`EMAIL_FROM_NAME`	Sender display name
`EMAIL_REPLY_TO`	Reply-to address

Drizzle Kit (Migrations)

For running remote migrations with drizzle-kit, set these in .env:

Variable	Description
`CLOUDFLARE_ACCOUNT_ID`	Your Cloudflare account ID
`CLOUDFLARE_API_TOKEN`	API token with D1 permissions
`CLOUDFLARE_AUTH_DATABASE_ID`	Auth D1 database ID (dual mode)
`CLOUDFLARE_FEATURES_DATABASE_ID`	Features D1 database ID (dual mode)
`CLOUDFLARE_AUDIT_DATABASE_ID`	Security audit D1 database ID (unsafe cross-tenant actions)
`CLOUDFLARE_DATABASE_ID`	Database ID (single DB mode)

Bun Variables

Set these in a .env file in your project root:

Variable	Description	Default
`NODE_ENV`	Runtime environment	`development`
`PORT`	Server port	`3000`
`BETTER_AUTH_SECRET`	Auth encryption secret	— (required)
`BETTER_AUTH_URL`	Public URL of your server	`http://localhost:3000`
`DATABASE_PATH`	Path to SQLite file	`./data/app.db`

Turso (LibSQL) Variables

In addition to the Bun variables above:

Variable	Description	Default
`DATABASE_URL`	LibSQL connection URL	`file:./data/app.db`
`DATABASE_AUTH_TOKEN`	Turso auth token (required for remote)	—

# Local development
DATABASE_URL=file:./data/app.db

# Production (Turso cloud)
DATABASE_URL=libsql://your-db-slug.turso.io
DATABASE_AUTH_TOKEN=eyJhbGciOi...

When social login is configured in your auth provider:

Variable	Description
`GOOGLE_CLIENT_ID`	Google OAuth client ID
`GOOGLE_CLIENT_SECRET`	Google OAuth client secret
`GITHUB_CLIENT_ID`	GitHub OAuth client ID
`GITHUB_CLIENT_SECRET`	GitHub OAuth client secret
`DISCORD_CLIENT_ID`	Discord OAuth client ID
`DISCORD_CLIENT_SECRET`	Discord OAuth client secret