Skip to content
  • environment variables

Environment Variables

Environment Variables

Section titled “Environment Variables”

This document provides a complete reference for all environment variables used to configure Arrow.

Overview

Section titled “Overview”

Arrow uses environment variables for configuration, allowing you to customize behavior without modifying code. Variables are read from .env files in the backend and frontend directories respectively.

Backend Environment Variables

Section titled “Backend Environment Variables”

Required Variables

Section titled “Required Variables”

These variables must be configured for Arrow to function:

VariableDescriptionExample
B2_BUCKETPrimary S3-compatible storage bucket namearrow-storage
B2_REGIONStorage bucket regionus-east-1
B2_ENDPOINTS3-compatible endpoint URLhttps://s3.us-east-1.backblazeb2.com
B2_KEY_IDStorage access key IDyour-key-id
B2_APP_KEYStorage secret access keyyour-app-key
B2_ARROW_MANAGER_BUCKETBucket for Arrow Manager filesarrow-manager-files
B2_ARROW_CONTROL_BUCKETBucket for Arrow Control filesarrow-control-files
B2_PUBLIC_BUCKETBucket for public assetsarrow-public
DASHBOARD_URLFull URL of the Arrow dashboardhttps://arrow.yourcompany.com

EasyPost Integration

Section titled “EasyPost Integration”

Configure these variables for shipment tracking functionality:

VariableDescriptionExample
EASYPOST_PRODUCTION_API_KEYEasyPost production API keyEZAKxxxxxxxx
EASYPOST_TEST_API_KEYEasyPost test/sandbox API keyEZTKxxxxxxxx
EASYPOST_USE_TEST_FOR_SHIPMENTSUse test API for shipments (true/false)false
EASYPOST_WEBHOOK_SECRETSecret for validating EasyPost webhookswhsec_xxxxxxxx

HelpScout Integration

Section titled “HelpScout Integration”

Configure these variables for support ticket integration:

VariableDescriptionExample
HELPSCOUT_CLIENT_IDHelpScout OAuth client IDyour-client-id
HELPSCOUT_CLIENT_SECRETHelpScout OAuth client secretyour-client-secret
HELPSCOUT_MAILBOX_IDHelpScout mailbox ID for tickets12345

Mapping and Location

Section titled “Mapping and Location”

Configure these variables for geocoding and mapping features:

VariableDescriptionExample
MAPBOX_ACCESS_TOKENMapbox API access tokenpk.xxxxxxxx

Cellular and GPS

Section titled “Cellular and GPS”

Configure these variables for cellular connectivity and GPS tracking:

VariableDescriptionExample
SIMPLEX_API_USERNAMESimplex Wireless API usernameyour-username
SIMPLEX_API_PASSWORDSimplex Wireless API passwordyour-password
BLUES_WEBHOOK_SECRETSecret for validating Blues Notecard webhooksyour-webhook-secret

Cloudflare Services

Section titled “Cloudflare Services”

Configure these variables for Cloudflare integration:

VariableDescriptionExample
CLOUDFLARE_API_TOKENCloudflare API tokenyour-api-token
CLOUDFLARE_ZONE_IDCloudflare zone ID for your domainzone-id
CLOUDFLARE_TURNSTILE_SECRET_KEYTurnstile CAPTCHA secret key0x4xxxxxxxx

Optional Variables

Section titled “Optional Variables”

These variables enable additional functionality:

VariableDescriptionExample
BUILD_API_URLVM build automation endpoint URLhttps://build.yourcompany.com/api
DEVICE_LOOKUP_API_KEYAPI key for device lookup serviceyour-api-key
GITHUB_PATGitHub personal access token for releasesghp_xxxxxxxx
TESTING_API_KEYAPI key for testing endpointstest-api-key

Logging Configuration

Section titled “Logging Configuration”

Configure logging behavior with these variables:

VariableDescriptionDefault
LOG_LEVELMinimum log level (debug, info, warn, error)info
LOG_DIRDirectory for log files./logs
LOG_FILELog file namearrow.log
LOG_MAX_SIZEMaximum log file size in MB before rotation100
LOG_MAX_AGEMaximum days to retain old log files30
LOG_MAX_BACKUPSMaximum number of old log files to retain5
LOG_COMPRESSCompress rotated log files (true/false)true
LOG_CONSOLEAlso output logs to console (true/false)true
LOG_JSONOutput logs in JSON format (true/false)false
LOG_CALLERInclude caller info in logs (true/false)false

Licensing Configuration

Section titled “Licensing Configuration”

Configure these variables for license management:

VariableDescriptionExample
LICENSE_PRIVATE_KEY_PATHPath to license signing private key/etc/arrow/license.key
LICENSE_PUBLIC_KEY_PATHPath to license verification public key/etc/arrow/license.pub
LICENSING_API_KEYAPI key for licensing serviceyour-api-key

Security Configuration

Section titled “Security Configuration”

Configure these security-related variables:

VariableDescriptionExample
LETSENCRYPT_EMAILEmail for Let’s Encrypt certificate notificationsadmin@yourcompany.com
TURNSTILE_DEV_BYPASS_TOKENDevelopment bypass token for Turnstiledev-bypass-token
ENVEnvironment mode (development or production)production

Frontend Environment Variables

Section titled “Frontend Environment Variables”

Configure these variables in the frontend .env file:

VariableDescriptionDefault
VITE_API_URLPocketBase API URLhttp://localhost:8090
VITE_VPN_BASE_DOMAINBase domain for Arrow Control DNS-based URLs. Used when VMs have DNS enabled to construct hostname-based URLs for Arrow Control access.arrowvpn.io

Setup Instructions

Section titled “Setup Instructions”

Backend Setup

Section titled “Backend Setup”

  1. Navigate to the backend directory:

    Terminal window
    cd backend

  2. Copy the example environment file:

    Terminal window
    cp .env.example .env

  3. Edit the .env file with your configuration:

    Terminal window
    nano .env

  4. At minimum, configure all required variables listed above.

  5. Restart the backend service after making changes.

Frontend Setup

Section titled “Frontend Setup”

  1. Navigate to the frontend directory:

    Terminal window
    cd frontend

  2. Create a .env file:

    Terminal window
    touch .env

  3. Add the frontend environment variables:

    Terminal window
    VITE_API_URL=http://localhost:8090
    VITE_VPN_BASE_DOMAIN=arrowvpn.io

  4. Restart the development server or rebuild for production.

Security Best Practices

Section titled “Security Best Practices”

Follow these practices to keep your configuration secure:

Never Commit Secrets

Section titled “Never Commit Secrets”

Add .env files to your .gitignore:

.gitignore
.env
.env.local
.env.*.local

Use Different Keys Per Environment

Section titled “Use Different Keys Per Environment”

Maintain separate credentials for:

  • Development: Use test/sandbox API keys where available
  • Staging: Separate credentials from production
  • Production: Production-only credentials with restricted access

Rotate Credentials Regularly

Section titled “Rotate Credentials Regularly”
  • Change API keys and secrets periodically
  • Update credentials immediately if compromised
  • Use secret management tools for production (e.g., HashiCorp Vault, AWS Secrets Manager)

Principle of Least Privilege

Section titled “Principle of Least Privilege”
  • Only enable integrations you need
  • Use API keys with minimal required permissions
  • Restrict access to production credentials

Validate Before Deployment

Section titled “Validate Before Deployment”

Before deploying, verify:

  • All required variables are set
  • URLs are correct (no trailing slashes)
  • API keys are valid and active
  • Webhook secrets are configured for all enabled webhooks

Troubleshooting

Section titled “Troubleshooting”

Common Issues

Section titled “Common Issues”
IssueSolution
”Missing required environment variable”Ensure all required variables are set in .env
API integration not workingVerify API keys are valid and have correct permissions
Webhook failuresCheck webhook secret matches the integration’s configuration
File upload failuresVerify S3/B2 credentials and bucket permissions
Authentication errorsCheck Zitadel configuration and callback URLs

Verifying Configuration

Section titled “Verifying Configuration”

Test your configuration by checking the backend logs on startup. Arrow will log warnings for missing optional variables and errors for missing required variables.

Next Steps

Section titled “Next Steps”