Deployment

Production Checklist

Required changes before deploying Trackr to production

Overview

The default .env file ships with placeholder secrets that are not safe for production. Before exposing Trackr to the internet, regenerate every secret listed below.

Secrets to Regenerate

| Variable | What It Does | How to Generate |
| --- | --- | --- |
| ANON_KEY | Public JWT for anonymous API access | Generate with Supabase JWT tool using your JWT_SECRET |
| SERVICE_ROLE_KEY | Privileged JWT for server-side API access | Generate with Supabase JWT tool using your JWT_SECRET |
| JWT_SECRET | Signs and verifies all JWTs | openssl rand -base64 32 |
| POSTGRES_PASSWORD | Database superuser password | openssl rand -base64 32 |
| DASHBOARD_USERNAME | Supabase Studio login username | Choose a unique username |
| DASHBOARD_PASSWORD | Supabase Studio login password | openssl rand -base64 32 |
| SECRET_KEY_BASE | Application secret for sessions | openssl rand -base64 64 |
| VAULT_ENC_KEY | Encryption key for Supabase Vault (min 32 chars) | openssl rand -base64 32 |
| PG_META_CRYPTO_KEY | Encryption key for pg_meta (min 32 chars) | openssl rand -base64 32 |
| S3_PROTOCOL_ACCESS_KEY_ID | S3 protocol access key | openssl rand -hex 16 |
| S3_PROTOCOL_ACCESS_KEY_SECRET | S3 protocol secret key | openssl rand -hex 32 |

After changing JWT_SECRET, you must regenerate both ANON_KEY and SERVICE_ROLE_KEY to match.
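A preflight check for that mismatch, as an added example that is not part of the Trackr or Supabase documentation: it verifies that ANON_KEY and SERVICE_ROLE_KEY are HS256 JWTs signed with the current JWT_SECRET and carry the expected role. The `role` values `anon` and `service_role`, the `iss` claim, and the use of the secret's raw text as the HMAC key are assumptions; the sample values are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: str) -> str:
    # HS256 = HMAC-SHA256, keyed here with the secret's raw text (assumption).
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def mint(role: str, secret: str, ttl: int = 3600) -> str:
    """Build a sample key for the demo; the claim layout is an assumption."""
    now = int(time.time())
    claims = {"role": role, "iss": "supabase", "iat": now, "exp": now + ttl}
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input, secret)

def check_key(token: str, secret: str, expected_role: str) -> list:
    """Return the problems found; an empty list means the key is usable."""
    try:
        head, body, sig = token.split(".")
        header, claims = (json.loads(b64url_decode(p)) for p in (head, body))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return ["not a well-formed JWT"]
    problems = []
    if header.get("alg") != "HS256":
        problems.append(f"alg is {header.get('alg')!r}, expected 'HS256'")
    good = sign(head + "." + body, secret)
    if not hmac.compare_digest(sig.encode(), good.encode()):
        problems.append("signature does not match JWT_SECRET")
    if claims.get("role") != expected_role:
        problems.append(f"role is {claims.get('role')!r}, expected {expected_role!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        problems.append("exp claim is missing or in the past")
    return problems

def check_env(env: dict) -> dict:
    roles = {"ANON_KEY": "anon", "SERVICE_ROLE_KEY": "service_role"}
    return {k: check_key(env.get(k, ""), env["JWT_SECRET"], r) for k, r in roles.items()}

# Constructed sample: JWT_SECRET rotated, only SERVICE_ROLE_KEY regenerated.
OLD, NEW = "constructed-placeholder-secret", "constructed-rotated-secret"
SAMPLE_ENV = {"JWT_SECRET": NEW, "ANON_KEY": mint("anon", OLD), "SERVICE_ROLE_KEY": mint("service_role", NEW)}
```

Calling `check_env` with the values parsed from your own .env returns an empty list for each key that matches the current JWT_SECRET.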

Quick Generate

Run this to generate all random secrets at once:

echo "JWT_SECRET=$(openssl rand -base64 32)"
echo "POSTGRES_PASSWORD=$(openssl rand -base64 32)"
echo "DASHBOARD_PASSWORD=$(openssl rand -base64 32)"
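# openssl wraps base64 output at 64 characters; strip the newline so the value stays on one line
echo "SECRET_KEY_BASE=$(openssl rand -base64 64 | tr -d '\n')"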
echo "VAULT_ENC_KEY=$(openssl rand -base64 32)"
echo "PG_META_CRYPTO_KEY=$(openssl rand -base64 32)"
echo "S3_PROTOCOL_ACCESS_KEY_ID=$(openssl rand -hex 16)"
echo "S3_PROTOCOL_ACCESS_KEY_SECRET=$(openssl rand -hex 32)"

Copy the output into your .env file.

Other Steps

  • Configure your domain — see Custom Domain
  • Set up email delivery — see Email Setup
  • Set DISABLE_SIGNUP=true if you want to restrict registration after creating your admin account