Env Vars · SlabTrack

SlabTrack environment variables

SlabTrack is the operator brain — collection, allocator, command bridge. It's the only repo with NO Stripe wiring of its own (sales happen on ToT/Storefront), but it does need outbound credentials to call satellites + a JWT secret shared with both.

⚠ Set in Railway, not in code

Use Railway's Variables tab on the SlabTrack service. Never commit a .env file with real secrets. The .env.example in the repo is a template only.

Required

Variable	Type	What it unlocks
`DATABASE_URL`	Required	Postgres connection string. Railway autopopulates this from the attached Postgres service — copy via the "Reference" link.
`JWT_SECRET`	Required	Signs the auth tokens. Must match exactly what's set on ToT and Storefront — handoff fails if these drift.
`SESSION_SECRET`	Required	Cookie signing. Generate with `openssl rand -hex 32`.
`NODE_ENV`	Required	`production` on Railway. Toggles security headers, error pages, etc.

Outbound to satellites

Variable	Type	What it unlocks
`THISORTHAT_API_URL`	Required	Where to push card engages/disengages. Production: `https://thisorthat.slabtrack.io`.
`STOREFRONT_API_URL`	Required	Storefront publish endpoint base URL. Production: `https://storefront.slabtrack.io`.
`ECOSYSTEM_WEBHOOK_SECRET`	Required	Validates inbound webhooks from satellites (sale events). Same value set on ToT and Storefront.

Third-party services

Variable	Type	What it unlocks
`SPORTSCARDSPRO_API_KEY`	Optional	Comp pricing data. Without it, comp_value falls back to eBay scraping or returns 0.
`EBAY_APP_ID` / `EBAY_CERT_ID` / `EBAY_DEV_ID`	Optional	eBay listing automation. Without these, the eBay channel adapter fails closed (cards stay in personal).
`EBAY_USER_TOKEN`	Optional	Per-operator eBay OAuth token. Operator authorizes via `/admin/ebay-connect`.
`RESEND_API_KEY`	Optional	Transactional email (consignor reports, buyer notifications). Without it, emails log to console.
`EMAIL_FROM`	Optional	From address on outbound emails. Defaults to `noreply@slabtrack.io`.
`OPENAI_API_KEY`	Optional	Card identification via vision + AI-assisted descriptions. Used by quick-price and PSA lookup paths.
`ANTHROPIC_API_KEY`	Optional	Alternate AI provider — claude vision for card ID. Either OpenAI or Anthropic; no need for both.
`CLOUDINARY_*` (cloud_name, api_key, api_secret)	Optional	Image hosting + transforms for card scans. Falls back to local file storage if not set (NOT production-safe).

Stripe (operator-side scan credits only)

SlabTrack itself doesn't process buyer payments — it sells scan credits to operators (the AI card-ID feature). If you don't sell scan credits, you can skip this section entirely.

Variable	Type	What it unlocks
`STRIPE_SECRET_KEY`	Optional	Operator-side scan-credit purchases. Secret
`STRIPE_WEBHOOK_SECRET`	Optional	Validates the scan-credit checkout webhook.

🔑 Generating secrets

For JWT_SECRET, SESSION_SECRET, and ECOSYSTEM_WEBHOOK_SECRET use:

openssl rand -hex 32

Same value goes on all three repos for JWT_SECRET and ECOSYSTEM_WEBHOOK_SECRET. Different values are fine for the others.

Production checklist

✓ DATABASE_URL referenced from Railway Postgres service
✓ JWT_SECRET matches ToT + Storefront exactly
✓ ECOSYSTEM_WEBHOOK_SECRET matches ToT + Storefront exactly
✓ THISORTHAT_API_URL + STOREFRONT_API_URL point at production domains (https://, no trailing slash)
✓ NODE_ENV=production
○ Optional: at least one of OPENAI_API_KEY or ANTHROPIC_API_KEY for card identification
○ Optional: RESEND_API_KEY + EMAIL_FROM for transactional email
○ Optional: CLOUDINARY_* for image hosting

← Previous Architecture Next → Env Vars · ThisOrThat