Secrets, Tokens, and Passwords: Setting Up Tobesee Environment Variables the Right Way
August 11, 2024
A practical guide to configuring every environment variable Tobesee needs — with security advice, platform-specific instructions, and fixes for the most common mistakes
Environment variables are the glue between your Tobesee code and the services it depends on. Get them right and everything works seamlessly. Get them wrong and you will spend hours debugging cryptic error messages. This guide walks through each variable, explains what it does, and shows you how to configure it on different platforms.
The Variables You Need
Tobesee requires a small set of environment variables. Here is the complete list with a brief explanation of each:
| Variable | Purpose | Example |
|----------|---------|---------|
| GITHUB_TOKEN | Authenticates API calls to your GitHub repository | ghp_abc123... |
| GITHUB_OWNER | The GitHub username or organization that owns the repo | coolcbq |
| GITHUB_REPO | The repository name where content is stored | tobesee_com |
| ACCESS_PASSWORD | Password for the admin dashboard | A strong random string |
| JWT_SECRET | Signs authentication tokens for admin sessions | A 64+ character random string |
| DOMAIN | The domain where your site runs | tobesee.com or localhost |
Optional variables for analytics and monetization:
| Variable | Purpose |
|----------|---------|
| NEXT_PUBLIC_GA_ID | Google Analytics measurement ID |
| NEXT_PUBLIC_ADSENSE_ID | Google AdSense publisher ID |
Generating Secure Values
GitHub Personal Access Token
- Go to GitHub Settings > Developer settings > Personal access tokens > Tokens (classic)
- Click Generate new token (classic)
- Give it a descriptive name like "Tobesee Production"
- Select the repo scope. This grants read and write access to every repository your account can reach, not just the Tobesee one
- Set an expiration date (90 days is a reasonable balance between security and convenience)
- Click Generate token and copy it immediately — GitHub will not show it again
Fine-grained tokens are also supported. If you prefer tighter permissions, create a fine-grained token scoped to your specific repository with Contents read/write access.
JWT Secret
Generate a cryptographically random string:
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
This produces a 128-character hex string. Never reuse this value across projects — each Tobesee instance should have its own unique secret.
Admin Password
Use your password manager to generate a random password of at least 16 characters. Avoid dictionary words and personal information. The password is hashed before comparison, and because the manager remembers it for you, length and randomness matter more than memorability.
Local Development Setup
Create a file called .env.local in your project root:
GITHUB_TOKEN=ghp_your_token_here
GITHUB_OWNER=your_username
GITHUB_REPO=your_repo_name
JWT_SECRET=your_generated_secret
DOMAIN=localhost
ACCESS_PASSWORD=your_admin_password
Important formatting rules:
- No spaces around the = sign
- No quotes around values (unless the value contains special shell characters)
- One variable per line
- No trailing whitespace
After creating or modifying this file, restart your development server for changes to take effect.
Verifying the File Is Git-Ignored
Your .env.local file contains secrets that must never be committed to version control. Verify it is ignored:
git check-ignore .env.local
If this command prints the filename, the file is ignored. If it prints nothing, add .env.local to your .gitignore immediately. Ignoring only prevents future additions: if the file was committed at some point, git ls-files .env.local will still list it and the secrets remain in history, so remove it from the index, rotate every value it contained, and treat the old values as compromised.
Production Deployment on Vercel
- Open your project in the Vercel dashboard
- Navigate to Settings > Environment Variables
- Add each variable one at a time:
- Type the variable name in the "Name" field
- Paste the value in the "Value" field
- Select which environments should use it (Production, Preview, Development)
- Click Save after each variable
- Trigger a redeployment for changes to take effect
Vercel encrypts environment variables at rest and injects them at build time and runtime. They are never exposed in client-side JavaScript unless the variable name starts with NEXT_PUBLIC_. Think before ticking Preview for a production token: preview deployments build whatever is on a branch, so code in any pull request could use it. Give Preview its own token that points at a non-production repository (see Environment Isolation below).
Other Hosting Platforms
Netlify: Go to Site settings > Build & deploy > Environment > Edit variables
Railway: Open your project, click Variables, and add each key-value pair
Docker: Pass variables with --env-file or individual -e flags on docker run. Do not bake them into the image with ENV in the Dockerfile; anyone who can pull the image can read them
AWS Amplify: Go to App settings > Environment variables in the Amplify console
Security Practices Worth Following
Principle of Least Privilege
Your GitHub token should only have the permissions Tobesee actually needs. For a classic token the repo scope is sufficient; do not grant admin:org, delete_repo, or other elevated permissions. Note that the classic repo scope covers every repository your account can write to, so if the account has access to more than the content repository, a fine-grained token restricted to that one repository with Contents read/write is the tighter choice.
Rotation Schedule
Rotate sensitive credentials on a regular cadence:
- GitHub Token: Every 90 days, or immediately if you suspect compromise
- Admin Password: Every quarter, or when a team member leaves
- JWT Secret: Only when necessary — changing it invalidates all active admin sessions
Environment Isolation
Use different values for development, staging, and production. If your development token leaks, your production data remains safe. This also prevents accidental writes to your production repository during local testing.
Audit Your Token Usage
GitHub's personal access token settings page shows when each token was last used. Periodically review which tokens exist, when they were last used, and whether any should be revoked. Stale tokens that still carry repository access are a common attack vector; a token nobody has used in months should simply be deleted.
Diagnosing Common Problems
"Repository not found" After Deployment
This almost always means GITHUB_OWNER or GITHUB_REPO does not match your actual repository. These values are case-sensitive — CoolCBQ is different from coolcbq. Copy the values directly from your GitHub repository URL to avoid typos.
"API rate limit exceeded"
Unauthenticated GitHub API requests are limited to 60 per hour. Authenticated requests get 5,000 per hour. If you see rate limit errors, your token is likely missing, malformed, or being ignored. Verify it with:
curl -H "Authorization: token YOUR_TOKEN" https://api.github.com/rate_limit
A limit of 5000 in the response means the token was accepted; a limit of 60 means the request was treated as anonymous, and an HTTP 401 means the token itself was rejected (mistyped, expired, or revoked).
Admin Login Fails After Redeployment
If you changed JWT_SECRET during redeployment, all existing sessions become invalid. This is expected behavior. Clear your browser cookies and log in again with your admin password.
Variables Not Loading in Development
Make sure the file is named exactly .env.local — not .env-local, not env.local, not .env.Local. Next.js is specific about this filename. Also confirm you restarted the dev server after making changes.
A Note on Client-Side Variables
Variables prefixed with NEXT_PUBLIC_ are embedded in the JavaScript bundle sent to browsers. This is by design: Google Analytics and AdSense IDs need to be in client-side code to function. Because they are inlined at build time, changing one of these values requires a rebuild, not just a restart. Never prefix sensitive values like tokens or passwords with NEXT_PUBLIC_; doing so would expose them to every visitor, and the exposure persists in every cached copy of the bundle until you rotate the value.
Summary
Environment variables are a small but critical part of your Tobesee setup. Take the time to generate strong values, store them securely, and configure them correctly on your hosting platform. A few minutes of careful setup prevents hours of debugging later.