Environment Setup
Version: 0.1.0 Last Updated: May 2026
This is the full reference for every environment variable AgentZero reads, what it does, where to get it, and whether it's required.
For a guided walk-through, see the Quickstart. This page is the table you bookmark.
Required to boot
These four must be set or the app won't start.
NEXT_PUBLIC_SUPABASE_URL
Your Supabase project URL. The NEXT_PUBLIC_ prefix is intentional — this is safe to expose to the browser.
- ›Where: Supabase dashboard → Project Settings → API → Project URL
- ›Format:
https://<project-ref>.supabase.co
SUPABASE_SECRET_KEY
The service_role key. Never commit this. Never expose it to the browser. It bypasses Row-Level Security.
- ›Where: Supabase dashboard → Project Settings → API →
service_rolekey - ›Format:
eyJ...(a long JWT)
AUTH_SECRET
Used by Auth.js to sign JWT session tokens. If this changes, every existing session is invalidated.
- ›Generate:
openssl rand -base64 32 - ›Format: 32+ random characters
NEXTAUTH_URL
The canonical URL of your deployment. Auth.js uses this for redirect callbacks.
- ›Local:
http://localhost:3000 - ›Production:
https://yourdomain.com(no trailing slash)
AI inference
AI_GATEWAY_API_KEY
A single key that routes inference requests to Claude, GPT, DeepSeek, and other models. The codebase chats through @ai-sdk/gateway and embeddings through NVIDIA NIMs separately (see below).
- ›Where: Vercel dashboard → AI Gateway → Tokens → Create
- ›Required for: every agent run
- ›Models enabled by default: see
lib/ai/model-registry.ts
NVIDIA_NIMS_API_KEY
Used by the RAG pipeline for generating embeddings via nvidia/llama-nemotron-embed-1b-v2.
- ›Where: build.nvidia.com → NIMs → API Catalog → Generate API key
- ›Required for: knowledge base / RAG features
- ›Note: the DB vector columns are locked to 1024 dimensions to match this model. If you swap embedding providers, you must also rerun the embedding migration with the new dimension count.
Tools (opt-in)
These power individual agent tools. Each tool is independently toggleable from the agent settings UI — you only need the key if you want that tool enabled.
TAVILY_API_KEY
Powers the webSearchTool.
- ›Where: tavily.com → API Keys
- ›Free tier: 1,000 searches/month
- ›Skip if: you don't need agents to search the web
RESEND_API_KEY + RESEND_FROM_EMAIL
Powers the emailAutomateTool and outbound transactional emails (waitlist confirmations, future magic-link auth).
- ›Where: resend.com → API Keys
- ›
RESEND_FROM_EMAILformat:Your Brand <noreply@yourdomain.com> - ›DNS: you must verify your sending domain with Resend before email works
Billing (opt-in)
Only needed if you're using AgentZero to sell agents to paying customers. For internal tooling, skip this entire section.
LEMONSQUEEZY_API_KEY
Server-side API key for creating checkouts and reading orders.
- ›Where: lemonsqueezy.com → Settings → API
- ›Scope: full read/write
LEMONSQUEEZY_STORE_ID
The numeric store ID where your products live.
- ›Where: lemonsqueezy.com → Store URL contains it, or Settings → Stores
LEMONSQUEEZY_WEBHOOK_SECRET
Used to verify incoming webhook signatures. Without this, anyone could POST fake "order completed" events to your endpoint.
- ›Where: lemonsqueezy.com → Settings → Webhooks → Add endpoint → reveal signing secret
- ›Webhook URL to register:
https://yourdomain.com/api/webhooks/lemonsqueezy - ›Events to subscribe to:
order_created,subscription_created,subscription_updated,subscription_cancelled
LEMONSQUEEZY_FOUNDING_VARIANT_ID / LEMONSQUEEZY_PRO_VARIANT_ID
The variant IDs for your founding-member and pro products. The credit-grant logic reads these to match orders to tiers.
- ›Where: lemonsqueezy.com → Products → click product → Variant ID (numeric)
Tuning knobs
These have sensible defaults — only change if you know what you're doing.
RAG_MATCH_THRESHOLD
The cosine-similarity cutoff for retrieving knowledge-base chunks. Lower = more results, more noise. Higher = fewer results, more precise.
- ›Default:
0.1 - ›Range:
0.0–1.0 - ›Tune up if: agents are pulling irrelevant context
- ›Tune down if: agents say "no relevant context found" too often
Local-only
NEXTAUTH_DEBUG
Verbose Auth.js logs. Helpful when debugging session/JWT issues.
- ›Default: unset
- ›Set to:
truefor verbose output
.env.example template
Here's a starter .env.example covering everything:
$ snippet# ─── Required ───────────────────────────────────────────────── NEXT_PUBLIC_SUPABASE_URL= SUPABASE_SECRET_KEY= AUTH_SECRET= NEXTAUTH_URL=http://localhost:3000 # ─── AI inference ───────────────────────────────────────────── AI_GATEWAY_API_KEY= NVIDIA_NIMS_API_KEY= # ─── Tools (opt-in) ─────────────────────────────────────────── TAVILY_API_KEY= RESEND_API_KEY= RESEND_FROM_EMAIL= # ─── Billing (opt-in) ───────────────────────────────────────── LEMONSQUEEZY_API_KEY= LEMONSQUEEZY_STORE_ID= LEMONSQUEEZY_WEBHOOK_SECRET= LEMONSQUEEZY_FOUNDING_VARIANT_ID= LEMONSQUEEZY_PRO_VARIANT_ID= # ─── Tuning ─────────────────────────────────────────────────── RAG_MATCH_THRESHOLD=0.1
Validating your config
Run this once you've filled in .env.local:
$ snippetpnpm dev
Then check:
- ›Landing page loads → Supabase URL + Auth secret are good
- ›
/signupcreates a user → Supabase service-role key is good - ›Creating an agent + running a prompt → AI Gateway key is good
- ›Uploading a PDF + querying it → NIMs key is good
If any of those fail, the error log will name the missing or wrong variable specifically.
Security notes
- ›
SUPABASE_SECRET_KEY,AI_GATEWAY_API_KEY, and webhook secrets should never appear in client-side code or in your git history. The error sanitiser inagent-actions.tsstrips them from streamed error messages — but the best defence is not committing them in the first place. - ›Use a different
AUTH_SECRETper environment (dev / staging / production). - ›Rotate keys if you've ever pasted them in a screenshot, Discord channel, or AI chat. They are recoverable from those logs forever.