# env.sample — LNMB
# Copy this file to .env.local and fill in real values for local development.
# Do NOT commit real secrets to git.
# Convex configuration
# NEXT_PUBLIC_CONVEX_URL is the Convex deployment URL (e.g. https://<your-app>.convex.cloud)
NEXT_PUBLIC_CONVEX_URL=
# CONVEX_DEPLOYMENT is the project name on Convex
CONVEX_DEPLOYMENT=
# Jenga API Configuration for STK/USSD Push
# SECURITY: These credentials are required for signature verification
# Obtain these from your Jenga API dashboard
JENGA_MERCHANT_CODE=your_merchant_code
JENGA_CONSUMER_SECRET=your_consumer_secret
JENGA_API_KEY=your_api_key
JENGA_MERCHANT_ACCOUNT_NUMBER=your_account_number_for_settlement
JENGA_MERCHANT_NAME=Your_Merchant_Name
# Optional: override the Jenga auth endpoint (defaults to UAT)
# Example: https://uat.finserve.africa/authentication/api/v3/authenticate/merchant
JENGA_AUTH_URL=
# Optional: override the Jenga base URL used for other API endpoints (defaults to UAT)
# Example: https://api.finserve.africa
JENGA_BASE_URL=
# Public processPayment URL (used by client-side checkout form)
# Defaults to Jenga UAT process endpoint
NEXT_PUBLIC_JENGA_PROCESS_URL=https://v3-uat.jengapgw.io/processPayment
# RSA private key for signing the checkout signature in production
# You can set the entire PEM value in JENGA_PRIVATE_KEY or point to a file with JENGA_PRIVATE_KEY_PATH
# For local dev the repo includes a sample `privatekey.pem` (do NOT commit production keys)
JENGA_PRIVATE_KEY=
JENGA_PRIVATE_KEY_PATH=./privatekey.pem
# Optional: base64-encoded PEM for platforms that require single-line secrets
# Example command to create a single-line base64 value (works on macOS and Linux;
# `base64 -w 0` is GNU-only and fails on macOS):
# base64 < privatekey.pem | tr -d '\n' > privatekey.pem.base64
# Then copy the single-line contents into JENGA_PRIVATE_KEY_BASE64
JENGA_PRIVATE_KEY_BASE64=
# Site URL for callbacks (update for production)
# SECURITY: This must match your production domain for signature verification
# Use HTTPS in production for secure webhooks
SITE_URL=http://localhost:3000
# Environment (development/production)
NODE_ENV=development
# Cloudinary (for uploading student ID pictures)
# Create an account at https://cloudinary.com and copy these values into your .env.local
CLOUDINARY_CLOUD_NAME=
CLOUDINARY_API_KEY=
CLOUDINARY_API_SECRET=
# Authentication Configuration
# Google OAuth for admin login
# Create OAuth credentials at https://console.cloud.google.com/apis/credentials
AUTH_GOOGLE_ID=your_google_client_id
AUTH_GOOGLE_SECRET=your_google_client_secret
# Clerk (Authentication)
# From Clerk dashboard: https://dashboard.clerk.com/last-active?path=api-keys
# Copy these into your local `.env.local` (do NOT commit real keys).
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=YOUR_PUBLISHABLE_KEY
CLERK_SECRET_KEY=YOUR_SECRET_KEY
CLERK_FRONTEND_API_URL=CLERK_FRONTEND_API_URL
# Clerk redirect customization (optional but recommended)
# These can be set in your .env.local to control where users are redirected
# after sign in / sign up. Use the NEXT_PUBLIC_ variants for client-side access.
NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
NEXT_PUBLIC_CLERK_SIGN_IN_FORCE_REDIRECT_URL=/manage
NEXT_PUBLIC_CLERK_SIGN_UP_FORCE_REDIRECT_URL=/manage
NEXT_PUBLIC_CLERK_SIGN_IN_FALLBACK_REDIRECT_URL=/
NEXT_PUBLIC_CLERK_SIGN_UP_FALLBACK_REDIRECT_URL=/
# ============================================
# SECURITY NOTES
# ============================================
# 1. JENGA_MERCHANT_CODE is required for webhook signature verification
# 2. Always use HTTPS in production (enforced by Vercel/deployment platform)
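# 3. Webhook endpoint is at: /api/pgw-webhook-4365c21f (unpredictable path; the path
#    is not a secret once it appears in this file, so signature verification is what
#    authenticates callbacks)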
# 4. Never commit this file with real values - use .env.local for actual secrets
# 5. Rotate credentials periodically according to security best practices
# 6. OAuth redirect URI should be: https://your-domain.com/api/auth/callback/google
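
A pre-flight check for the variables documented above, as an added example that is not part of the LNMB repository. The order in which the three private-key sources are tried, the `your_` placeholder pattern, and the function names `resolvePrivateKey` and `checkEnv` are assumptions; the variable names come from this file.

```javascript
// Added example, not project code. Key-source precedence and the placeholder
// pattern are assumptions; variable names come from env.sample.
const PLACEHOLDER = /^your_/i;
const PEM = /-----BEGIN (RSA )?PRIVATE KEY-----[\s\S]+-----END (RSA )?PRIVATE KEY-----/;
const REQUIRED = ['JENGA_MERCHANT_CODE', 'JENGA_CONSUMER_SECRET', 'JENGA_API_KEY',
  'CLERK_SECRET_KEY', 'AUTH_GOOGLE_SECRET'];

// Resolve the signing key: inline PEM, then base64 PEM, then file path.
// readFile is injected, e.g. (p) => fs.readFileSync(p, 'utf8').
function resolvePrivateKey(env, readFile) {
  if (env.JENGA_PRIVATE_KEY) return env.JENGA_PRIVATE_KEY;
  if (env.JENGA_PRIVATE_KEY_BASE64)
    return Buffer.from(env.JENGA_PRIVATE_KEY_BASE64, 'base64').toString('utf8');
  if (env.JENGA_PRIVATE_KEY_PATH) return readFile(env.JENGA_PRIVATE_KEY_PATH);
  return '';
}

// Returns a list of problems; an empty list means the environment passed.
function checkEnv(env, readFile) {
  const problems = [];
  const prod = env.NODE_ENV === 'production';
  // Next.js inlines every NEXT_PUBLIC_ variable into the browser bundle.
  for (const name of Object.keys(env)) {
    if (/^NEXT_PUBLIC_/.test(name) && /SECRET|PRIVATE/.test(name)) {
      problems.push(`${name}: secret-looking name is exposed to the client`);
    }
  }
  for (const name of REQUIRED) {
    const value = env[name] || '';
    if (!value || PLACEHOLDER.test(value)) problems.push(`${name}: missing or placeholder`);
  }
  let pem = null; // stays null when the key source could not be read
  try { pem = resolvePrivateKey(env, readFile); } catch (e) {
    problems.push(`private key: unreadable (${e.message})`);
  }
  if (pem && !PEM.test(pem)) problems.push('private key: not a PEM private key');
  if (prod) {
    if (pem === '') problems.push('private key: none configured');
    if (!/^https:\/\//.test(env.SITE_URL || '')) problems.push('SITE_URL: not https');
    const fromFile = !env.JENGA_PRIVATE_KEY && !env.JENGA_PRIVATE_KEY_BASE64;
    if (fromFile && env.JENGA_PRIVATE_KEY_PATH === './privatekey.pem') {
      problems.push('private key: production uses the sample ./privatekey.pem');
    }
    if (/uat/i.test(env.NEXT_PUBLIC_JENGA_PROCESS_URL || '')) {
      problems.push('NEXT_PUBLIC_JENGA_PROCESS_URL: still points at UAT');
    }
  }
  return problems;
}
```

Call `checkEnv(process.env, (p) => require('fs').readFileSync(p, 'utf8'))` at server start and refuse to boot when the returned list is non-empty.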