Environment variables
Configuration is read from a single .env at the repo root on the server. Docker Compose substitutes ${VAR} from it for both runtime env and frontend build args.
Secrets are loaded through a fail-closed getSecret() — in production a missing required secret stops the service rather than booting insecure. Never commit .env; it's git-ignored.
Build-time vs runtime
- NEXT_PUBLIC_* are baked into the web/admin bundle at build time (Next.js inlines them). Changing one requires rebuilding the frontend image — a restart is not enough.
- Everything else is read at runtime, so a backend service picks up changes on its next restart.
NEXT_PUBLIC_PRIVY_APP_ID is required for the web build — without it the auth/wagmi provider stack is dropped and the dashboard breaks.
Key variables by area
| Area | Variables |
|---|---|
| Core | DATABASE_URL, POSTGRES_PASSWORD, REDIS_URL, JWT_SECRET, AXON_SERVICE_TOKEN |
| Auth / wallets | NEXT_PUBLIC_PRIVY_APP_ID, PRIVY_APP_ID, PRIVY_APP_SECRET |
| Chain | NEXT_PUBLIC_RPC_URL, NEXT_PUBLIC_CHAIN_ID (84532), ESCROW_CONTRACT_ADDRESS, USDC_ADDRESS, USDC_IS_MOCK |
| Treasury / collection | USDC_TREASURY_PRIVATE_KEY, COLLECTION_WALLET_ADDRESS, COLLECTION_WALLET_PRIVATE_KEY |
| KYC | SUMSUB_APP_TOKEN, SUMSUB_SECRET_KEY, SUMSUB_WEBHOOK_SECRET |
| AI | AI_PROVIDER=openai, OPENAI_API_KEY, AI_MODEL=gpt-4o |
| Ramps / payout | MOONPAY_*, ONRAMPER_API_KEY, ONRAMPER_MODE, WISE_*, FUNDING_LYDIAM_MODE |
| Frontend build args | NEXT_PUBLIC_API_URL (https://api.vistus.io), NEXT_PUBLIC_BLOCKCHAIN_EXPLORER_URL, NEXT_PUBLIC_APP_VERSION |
| Service wiring | SERVICE_*_HOST (container names), SERVICE_*_PORT, SERVICE_SETTLEMENTS_HOST, ALLOWED_ORIGINS |
| Admin | ADMIN_USERNAME, ADMIN_PASSWORD |
Provider mode flags
Several integrations are gated by a mode flag so you can run sandbox/simulation until a partner is live:
| Flag | Values | Today |
|---|---|---|
| ONRAMPER_MODE | sandbox \| production | sandbox |
| FUNDING_LYDIAM_MODE | simulation \| live | simulation (pending partner agreement) |
| USDC_IS_MOCK | true \| false | true (testnet MockUSDC) |
| CUSTODY_PROVIDER | escrow-contract \| circle-cpn | escrow-contract |
| AI_PROVIDER | openai \| anthropic | openai |
Rotating a secret
- Update the value in the server .env.
- Rebuild + recreate the affected service(s): $DC up -d --no-deps <service> (or build --no-cache if it's a build arg / NEXT_PUBLIC_*).
- For a leaked secret, also rotate it at the provider, and remember NEXT_PUBLIC_* values are visible in the client bundle by design — never put a true secret behind a NEXT_PUBLIC_ name.
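
A pre-build check for the last point, as an added example (not code from this project): it parses .env text and flags any NEXT_PUBLIC_* entry that either has a secret-like name or carries the same value as a private secret. The name heuristic, the function names, and the sample entries NEXT_PUBLIC_SUMSUB_SECRET_KEY and NEXT_PUBLIC_DEBUG_LABEL are assumptions constructed for illustration.

```javascript
// Constructed sample .env content; every value is fake and the last two entries are deliberate mistakes.
const SAMPLE_ENV = `
JWT_SECRET=constructed-jwt-secret-value
PRIVY_APP_SECRET=constructed-privy-secret
NEXT_PUBLIC_PRIVY_APP_ID=constructed-app-id
NEXT_PUBLIC_API_URL=https://api.vistus.io
NEXT_PUBLIC_SUMSUB_SECRET_KEY=constructed-sumsub-key
NEXT_PUBLIC_DEBUG_LABEL="constructed-jwt-secret-value"
`;

// Hypothetical heuristic: name fragments that suggest a true secret.
const SECRET_NAME = /(SECRET|PRIVATE_KEY|PASSWORD|TOKEN|API_KEY)/;

// Minimal KEY=VALUE parser: skips blanks and comments, strips one pair of surrounding quotes.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    vars.set(line.slice(0, eq).trim(), value);
  }
  return vars;
}

// Returns one finding per NEXT_PUBLIC_* entry that would ship a secret in the client bundle.
function auditPublicVars(text) {
  const vars = parseEnv(text);
  const secretValues = new Map(); // value -> name of the private variable holding it
  for (const [name, value] of vars) {
    if (!name.startsWith("NEXT_PUBLIC_") && SECRET_NAME.test(name) && value) {
      secretValues.set(value, name);
    }
  }
  const findings = [];
  for (const [name, value] of vars) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    if (SECRET_NAME.test(name)) {
      findings.push({ name, reason: "secret-like name" });
    } else if (secretValues.has(value)) {
      findings.push({ name, reason: `same value as ${secretValues.get(value)}` });
    }
  }
  return findings;
}

console.log(auditPublicVars(SAMPLE_ENV));
```

Run before the frontend image build and fail the build on any finding; a flagged value that has already shipped in a bundle should be treated as leaked and rotated at the provider.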