RefactKit reads its configuration from a .env file in the project root. Start by copying the example file:
cp .env.example .env
The variables below are grouped by concern. Required variables must be set before the app will start. Optional variables unlock specific features — you can add them incrementally as you need those features.

Auth

These variables configure Better Auth, which handles sessions, email/password flows, OAuth, and organization management.
BETTER_AUTH_SECRET
string
required
A random secret used to sign and verify session tokens. Generate a secure value with openssl rand -base64 32. This must be at least 32 characters.
openssl rand -base64 32
BETTER_AUTH_URL
string
required
The canonical base URL of your application. Better Auth uses this to construct callback URLs for email verification and password resets.
  • Development: http://localhost:3000
  • Production: https://your-domain.com
If BETTER_AUTH_URL does not match the URL your app is actually served from, email verification links and OAuth callbacks will fail.
BETTER_AUTH_API_KEY
string
An API key for authenticating server-to-server calls to the Better Auth admin API (for example, managing users programmatically). You can generate this from the Better Auth dashboard or leave it unset if you do not need programmatic admin access.
VITE_APP_URL
string
required
The public URL of your app, exposed to the browser. The auth client uses this to construct API request URLs. Set the same value as BETTER_AUTH_URL during development.
VITE_APP_URL="http://localhost:3000"
Variables prefixed with VITE_ are bundled into the client-side JavaScript. Never put secrets in VITE_ variables.

Database

RefactKit uses Drizzle ORM with a PostgreSQL database. The recommended database provider is Supabase.
DATABASE_URL
string
required
A PostgreSQL connection string. Supabase provides two connection strings per project — use the Transaction pooler URL (port 6543) for serverless and edge deployments.
DATABASE_URL="postgresql://postgres.your-project-id:your_db_password@aws-0-region.pooler.supabase.com:6543/postgres"
Find this in your Supabase dashboard under Project Settings → Database → Connection string → Transaction pooler.
After setting DATABASE_URL, run npx drizzle-kit push to create all required tables in your database. Re-run this command any time you modify db/schema.ts.

Storage

RefactKit uploads avatars, organization logos, and gallery images to Supabase Storage. All uploads go through a server function — the service role key is never exposed to the browser.
VITE_SUPABASE_URL
string
required
The URL of your Supabase project. You will find this in the Supabase dashboard under Project Settings → API → Project URL.
VITE_SUPABASE_URL="https://your-project-id.supabase.co"
SUPABASE_SERVICE_ROLE_KEY
string
required
The service role secret for your Supabase project. This key bypasses Row Level Security and is used exclusively by server-side upload functions. Never expose it to the client. Find it in the Supabase dashboard under Project Settings → API → Service role secret.
SUPABASE_SERVICE_ROLE_KEY does not have a VITE_ prefix. This is intentional — it keeps the key server-only and out of the client bundle. Never rename it to VITE_SUPABASE_SERVICE_ROLE_KEY.
Before file uploads will work you also need to create a storage bucket in Supabase. Run the following SQL in your Supabase SQL Editor:
-- Create the avatars bucket with public read access
insert into storage.buckets (id, name, public)
values ('avatars', 'avatars', true)
on conflict (id) do nothing;

-- Allow anyone to read files from the bucket
create policy "Public Access"
on storage.objects for select
using ( bucket_id = 'avatars' );

Email

RefactKit sends transactional emails — account verification, password resets, and organization invitations — using Resend.
RESEND_API_KEY
string
required
Your Resend API key, used to authenticate email sending requests. Create an API key in the Resend dashboard with Full access or Sending access.
RESEND_API_KEY="re_your_resend_api_key_here"
EMAIL_FROM
string
required
The sender address and display name shown in outgoing emails. The domain in this address must be verified in your Resend account.
EMAIL_FROM="Your App Name <noreply@yourdomain.com>"
To verify your domain in Resend: go to Domains → Add Domain, add the provided DNS records to your domain registrar, and wait for DNS propagation.
If you do not yet have a custom domain, Resend lets you send from onboarding@resend.dev for testing — but this only works for your own email address. Set up a real domain before inviting other users.

Complete example

Here is a complete .env file with all variables filled in for a local development setup:
# Auth
BETTER_AUTH_SECRET="your_random_32_character_secret_string"
BETTER_AUTH_URL="http://localhost:3000"
BETTER_AUTH_API_KEY="ba_your_api_key_here"
VITE_APP_URL="http://localhost:3000"

# Database
DATABASE_URL="postgresql://postgres.your-project-id:your_db_password@aws-0-region.pooler.supabase.com:6543/postgres"

# Storage
VITE_SUPABASE_URL="https://your-project-id.supabase.co"
SUPABASE_SERVICE_ROLE_KEY="eyJhbGci...your_long_service_role_key..._here"

# Email
RESEND_API_KEY="re_your_resend_api_key_here"
EMAIL_FROM="My App <noreply@yourdomain.com>"
Never commit your .env file to version control. The .gitignore in RefactKit already excludes it. If you deploy to Vercel, set each variable in Project Settings → Environment Variables instead of using a .env file.
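The rules on this page (required variables, the 32-character minimum for BETTER_AUTH_SECRET, and no secrets in VITE_ variables) can be checked before the app starts. The following is an added example, not part of RefactKit; the function names, the SECRET_NAME pattern and the sample values are assumptions.

```javascript
// Variable names are taken from this page; SECRET_NAME is an assumed heuristic.
const REQUIRED = [
  "BETTER_AUTH_SECRET", "BETTER_AUTH_URL", "VITE_APP_URL", "DATABASE_URL",
  "VITE_SUPABASE_URL", "SUPABASE_SERVICE_ROLE_KEY", "RESEND_API_KEY", "EMAIL_FROM",
];
// Values that must never be reachable through a client-bundled VITE_ variable.
const SERVER_ONLY = [
  "BETTER_AUTH_SECRET", "BETTER_AUTH_API_KEY", "DATABASE_URL",
  "SUPABASE_SERVICE_ROLE_KEY", "RESEND_API_KEY",
];
const SECRET_NAME = /SECRET|PASSWORD|TOKEN|SERVICE_ROLE|API_KEY|DATABASE_URL/;

function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq < 1) continue; // comment, blank, or no key
    // Strip one pair of matching surrounding quotes, as .env loaders do.
    env[line.slice(0, eq).trim()] =
      line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
  }
  return env;
}

function auditEnv(text) {
  const env = parseEnv(text);
  const findings = REQUIRED.filter((n) => !env[n]).map((n) => `missing ${n}`);
  if (env.BETTER_AUTH_SECRET && env.BETTER_AUTH_SECRET.length < 32) {
    findings.push("BETTER_AUTH_SECRET is shorter than 32 characters");
  }
  const serverValues = new Set(SERVER_ONLY.map((n) => env[n]).filter(Boolean));
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith("VITE_")) continue;
    if (SECRET_NAME.test(key)) {
      findings.push(`${key}: secret-like name in a client-bundled variable`);
    } else if (serverValues.has(value)) {
      findings.push(`${key}: repeats the value of a server-only variable`);
    }
  }
  return findings;
}

// Constructed sample: short secret, renamed service role key, copied DB URL.
const SAMPLE_ENV = `BETTER_AUTH_SECRET="too-short"
VITE_SUPABASE_SERVICE_ROLE_KEY="constructed-value"
DATABASE_URL="postgresql://constructed"
VITE_DB="postgresql://constructed"`;
console.log(auditEnv(SAMPLE_ENV).join("\n"));
```

The value comparison catches a server-only secret copied into a VITE_ variable under a harmless-looking name, which a name pattern alone would miss.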