Environment Variables

This document lists all environment variables used across the Hello World Co-Op DAO platform.

Frontend (React + Vite)

Located in frontend/app/www/:

• .env - Base configuration
• .env.local - Local overrides (gitignored)
• .env.staging - Staging environment
• .env.production - Production environment

Canister Configuration

Variable	Description	Example
VITE_USER_SERVICE_CANISTER_ID	User service canister principal	j4rvr-3aaaa-aaaao-qkvfq-cai
VITE_AUTH_SERVICE_CANISTER_ID	Auth service canister principal	lqy7q-dh777-77777-aaaaq-cai
VITE_INTERNET_IDENTITY_CANISTER_ID	Internet Identity canister	rdmx6-jaaaa-aaaaa-aaadq-cai
VITE_NETWORK	Target network (local | ic)	ic

OAuth Configuration

Variable	Description	Where to Get
VITE_GOOGLE_CLIENT_ID	Google OAuth client ID	Google Cloud Console
VITE_GITHUB_CLIENT_ID	GitHub OAuth client ID	GitHub Developer Settings
VITE_GITHUB_CLIENT_SECRET	GitHub OAuth client secret	GitHub Developer Settings

Security Notes:

• Client IDs are safe to expose (public)
• Client Secrets in VITE_ variables are bundled into the app
• Rotate credentials every 90 days
• Use different credentials per environment

Oracle Bridge

Variable	Description	Default
VITE_ORACLE_BRIDGE_URL	Oracle bridge service URL	http://localhost:8787
VITE_ORACLE_BRIDGE_API_TOKEN	API authentication token	(empty for local)

Environment Values:

Environment	URL
Local	http://localhost:8787
Staging	https://staging-oracle.helloworlddao.com
Production	https://oracle.helloworlddao.com

Analytics

Variable	Description	Default
VITE_POSTHOG_API_KEY	PostHog project key	-
VITE_POSTHOG_API_HOST	PostHog API host	https://us.i.posthog.com

Cross-App Navigation (FOS-1.2.7)

Variable	Description	Default
VITE_FOUNDERY_OS_URL	URL for "Open FounderyOS" navigation	http://127.0.0.1:5174

Environment Values:

Environment	FounderyOS URL
Local	http://127.0.0.1:5174
Staging	https://staging-foundery.helloworlddao.com (TBD)
Production	https://foundery.helloworlddao.com (TBD)

UI Configuration

Variable	Description	Options
VITE_DESIGN_VARIANT	Theme variant	sunrise, sunset, ocean, forest

Example .env.local

# Local Development
VITE_USER_SERVICE_CANISTER_ID=uxrrr-q7777-77774-qaaaq-cai
VITE_AUTH_SERVICE_CANISTER_ID=lqy7q-dh777-77777-aaaaq-cai
VITE_INTERNET_IDENTITY_CANISTER_ID=rdmx6-jaaaa-aaaaa-aaadq-cai
VITE_NETWORK=local
VITE_ORACLE_BRIDGE_URL=http://localhost:8787
VITE_DESIGN_VARIANT=sunrise

foundery-os-suite (React + Vite)

The productivity suite application (foundery-os-suite/) shares authentication with the main DAO frontend via the same auth-service canister.

Located in foundery-os-suite/:

• .env.local.example - Template with documentation
• .env.local - Local overrides (gitignored)

Canister Configuration

Variable	Description	Example
VITE_IC_HOST	IC replica URL	http://127.0.0.1:4943
VITE_FOUNDERY_OS_CORE_CANISTER_ID	Productivity data canister	uxrrr-q7777-77774-qaaaq-cai
VITE_AUTH_SERVICE_CANISTER_ID	Shared auth service canister	lqy7q-dh777-77777-aaaaq-cai

Cross-App Navigation (FOS-1.2.7)

Variable	Description	Default
VITE_DAO_FRONTEND_URL	URL for "Back to DAO" navigation	http://127.0.0.1:5173

Environment Values:

Environment	DAO Frontend URL
Local	http://127.0.0.1:5173
Staging	https://staging.helloworlddao.com
Production	https://www.helloworlddao.com

Example .env.local

# Local Development
VITE_IC_HOST=http://127.0.0.1:4943
VITE_FOUNDERY_OS_CORE_CANISTER_ID=your-canister-id-here
VITE_AUTH_SERVICE_CANISTER_ID=your-auth-service-canister-id-here
VITE_DAO_FRONTEND_URL=http://127.0.0.1:5173

Shared Authentication

foundery-os-suite uses the same auth-service canister as the main frontend. When users authenticate:

1. Login credentials are sent to auth-service.login_email_password()
2. auth-service validates and returns session tokens
3. Tokens are stored in localStorage (separate per origin)
4. ProtectedRoute component validates tokens on navigation
5. Expired access tokens trigger auth-service.refresh_tokens()

Important: Since foundery-os-suite and frontend are separate asset canisters (different origins), users must log in to each application separately. The same credentials work for both, but sessions are independent.

Oracle Bridge (Node.js)

Located in oracle-bridge/:

• .env.example - Template with documentation
• .env - Actual configuration (gitignored)

Server Configuration

Variable	Description	Default
NODE_ENV	Environment mode	production
PORT	HTTP server port	8787

SMTP Configuration (Email)

Variable	Description	Example
SMTP_HOST	SMTP server host	127.0.0.1
SMTP_PORT	SMTP server port	1025
SMTP_USER	SMTP username	email@domain.com
SMTP_PASS	SMTP password	(Proton Bridge password)
SMTP_FROM_NOREPLY	No-reply sender address	noreply@domain.com
SMTP_FROM_CONTACT	Contact sender address	contact@domain.com

Security Configuration

Variable	Description	Notes
SIGNING_PRIVATE_KEY_BASE64	Ed25519 signing key	Base64 encoded
API_KEY	API authentication key	Generate securely
CANISTER_PUBLIC_KEYS	Canister signature verification	JSON map

Canister Public Keys Format:

{
  "rrkah-fqaaa-aaaaa-aaaaq-cai": "Ylx8BF+FVY7nZxE8TN3nPvLF8NJCz3qPxNBBmVMj2g0=",
  "user-service-id": "pubkey2",
  "membership-id": "pubkey3"
}

External API Keys

Variable	Description	Service
PERSONA_API_KEY	KYC verification	Persona
COMPLYADVANTAGE_API_KEY	AML screening	ComplyAdvantage
CIRCLE_API_KEY	Payment processing	Circle

Rate Limiting

Variable	Description	Default
TEMP_KEY_RATE_LIMIT	Max temp key requests per 24h	5

Recommended Values:

Environment	Value
Local/Dev	100
Staging	10
Production	5

Example .env

# Server
NODE_ENV=production
PORT=8787

# SMTP (Proton Mail Bridge)
SMTP_HOST=127.0.0.1
SMTP_PORT=1025
SMTP_USER=email@helloworlddao.com
SMTP_PASS=bridge-password-here
SMTP_FROM_NOREPLY=noreply@helloworlddao.com
SMTP_FROM_CONTACT=contact@helloworlddao.com

# Security
SIGNING_PRIVATE_KEY_BASE64=your-base64-private-key
API_KEY=your-secure-api-key

# Canister Auth
CANISTER_PUBLIC_KEYS={"user-service-id":"pubkey1"}

# External APIs
PERSONA_API_KEY=persona_live_xxx
COMPLYADVANTAGE_API_KEY=xxx
CIRCLE_API_KEY=xxx

# Rate Limiting
TEMP_KEY_RATE_LIMIT=5

GitHub Actions Secrets

Configure these in repository Settings → Secrets and variables → Actions:

Deployment Secrets

Secret	Description	Used By
DFX_IDENTITY_PEM	dfx identity private key	All canister deploys
DFX_IDENTITY_PRINCIPAL	dfx identity principal	Deployment workflows
CYCLES_WALLET_ID	Cycles wallet canister ID	Cycles top-up

OAuth Secrets

Secret	Description	Frontend Name
OAUTH_GOOGLE_CLIENT_ID	Google OAuth ID	VITE_GOOGLE_CLIENT_ID
OAUTH_GITHUB_CLIENT_ID	GitHub OAuth ID	VITE_GITHUB_CLIENT_ID
OAUTH_GITHUB_CLIENT_SECRET	GitHub OAuth secret	VITE_GITHUB_CLIENT_SECRET

Note: GitHub doesn't allow secrets starting with GITHUB_, so OAuth secrets use OAUTH_ prefix.

Oracle Bridge Secrets

Secret	Description
ORACLE_SIGNING_KEY	Ed25519 private key (base64)
ORACLE_API_KEY	API authentication key
PERSONA_API_KEY	Persona KYC API key

Analytics Secrets

Secret	Description
POSTHOG_API_KEY	PostHog project key

dfx Configuration

Network settings are in ops-infra/dfx.networks.json:

{
  "local": {
    "bind": "127.0.0.1:4943",
    "type": "ephemeral"
  },
  "testnet": {
    "providers": ["https://ic0.app"]
  },
  "mainnet": {
    "providers": ["https://ic0.app"]
  }
}

Most canister repos symlink to this shared config.

Local Development Setup

1. Frontend Setup

cd frontend/app/www

# Copy example files
cp .env.example .env
cp .env.local.example .env.local

# Edit with your local canister IDs
nano .env.local

2. Oracle Bridge Setup

cd oracle-bridge

# Copy example file
cp .env.example .env

# Configure for local development
nano .env

Minimum local config:

NODE_ENV=development
PORT=8787
TEMP_KEY_RATE_LIMIT=100
# Leave other fields empty for local dev

3. foundery-os-suite Setup

cd foundery-os-suite

# Copy example file
cp .env.local.example .env.local

# Edit with your local canister IDs
nano .env.local

4. Get Local Canister IDs

After deploying canisters locally:

# Get user-service canister ID
cd ~/git/user-service
dfx canister id user_service --network local

# Get auth-service canister ID
cd ~/git/auth-service
dfx canister id auth_service --network local

# Get foundery-os-core canister ID (when available)
cd ~/git/foundery-os-core
dfx canister id foundery_os_core --network local

Update .env.local files with these IDs:

• frontend/app/www/.env.local - For DAO Dashboard
• foundery-os-suite/.env.local - For Productivity Suite

Environment-Specific Values

Local Development

VITE_NETWORK=local
VITE_ORACLE_BRIDGE_URL=http://localhost:8787
TEMP_KEY_RATE_LIMIT=100

Staging

VITE_NETWORK=ic
VITE_ORACLE_BRIDGE_URL=https://staging-oracle.helloworlddao.com
TEMP_KEY_RATE_LIMIT=10

Production

VITE_NETWORK=ic
VITE_ORACLE_BRIDGE_URL=https://oracle.helloworlddao.com
TEMP_KEY_RATE_LIMIT=5

Security Best Practices

1. Never commit secrets - All .env files (except .example) are gitignored
2. Use GitHub Secrets - Store production secrets in repository settings
3. Rotate regularly - OAuth credentials every 90 days
4. Environment separation - Different credentials per environment
5. Minimal exposure - Only include secrets needed for each service

Troubleshooting

"Canister ID not found"

Ensure you've deployed canisters and updated .env.local:

dfx canister id user_service --network local

"Network error" connecting to Oracle Bridge

1. Verify oracle-bridge is running: npm run dev
2. Check VITE_ORACLE_BRIDGE_URL matches the running port
3. Ensure no firewall blocking localhost:8787

"OAuth login failed"

1. Verify OAuth credentials in .env
2. Check OAuth app redirect URIs match your development URL
3. For GitHub, ensure correct scopes are configured