Skip to content

Secrets & Environments

The project separates build-time values, runtime secrets and manual contract deployment secrets. This avoids putting deployer private keys into application containers and keeps public frontend values explicit.

Environment map

Build-time values

Frontend values are baked into the static SPA during build. The most important production value is API_BASE_URL=https://api.usecontent.app. Public RPC URLs can also be provided for frontend wallet reads, but private keys are never needed by the frontend build.

Backend image build is handled by GitHub Actions. The workflow injects MinIO-related build configuration for Encore Docker build and then pushes the image to GHCR.

Runtime values

Runtime areaValues
Backend APIMONGO_URI, JWT_SECRET, MinIO credentials, RPC URLs, deployment registry token
Frontend containerStatic files and public build-time config
MongoDBPersistent metadata volume
MinIOPersistent object storage volume and root credentials
Coolify proxyDomains, routing labels and TLS certificates

Contract deployment secrets

Contract deployment is intentionally separate from normal application deployment. Manual GitHub Actions workflows receive deployer private keys, treasury addresses, RPC URLs and registry token only for the duration of the deployment job. Runtime containers only read the resulting deployment registry records.

For reader and platform billing contract deployments, REGISTRY_API_BASE_URL and DEPLOYMENT_REGISTRY_TOKEN are mandatory in GitHub Actions. REGISTRY_API_BASE_URL should be the public backend origin, normally https://api.usecontent.app; it must not be the Coolify internal backend port such as http://server-ip:8080. The deploy scripts check /health before any on-chain transaction, register the deployed contracts, then perform public read-back checks against the backend lookup endpoints. Local platform deploys can intentionally skip this with SKIP_DEPLOYMENT_REGISTRY_SYNC=true, but CI should not.

If an on-chain deployment already succeeded and only registry sync failed, rerun the manual Platform Billing Contracts workflow with the existing platformTierManagerAddress and platformStorageManagerAddress inputs. That mode syncs and verifies the addresses without deploying new contracts.

Domain layout

  • https://usecontent.app for the main useContent frontend;
  • https://api.usecontent.app for frontend-to-backend API traffic;
  • https://docs.usecontent.app for the VitePress documentation portal.

Keeping these origins explicit makes CORS, certificate routing and deployment ownership easier to reason about.