Self-host
Environment variables
Required configuration for a self-hosted neonFin instance.
Required variables
| Variable | Example | Notes |
|---|---|---|
DATABASE_URL | postgres://... | Postgres connection string. |
NEONFIN_ENCRYPTION_KEY | base64... | Must decode to exactly 32 bytes. |
BETTER_AUTH_SECRET | base64... | Random auth secret. |
BETTER_AUTH_URL | https://pay.example.com | Public dashboard/auth URL. |
NEXT_PUBLIC_APP_URL | https://pay.example.com | Public URL used for webhooks, checkout returns, and registry links. |
NEONFIN_ALLOW_SIGNUPS | true or false | Allow new dashboard accounts. |
Generate secrets
Generate both secrets locally:
openssl rand -base64 32
openssl rand -base64 32Use one value for NEONFIN_ENCRYPTION_KEY and the other for
BETTER_AUTH_SECRET.
Local example
DATABASE_URL="postgres://neonfin:neonfin@localhost:5432/neonfin"
NEONFIN_ENCRYPTION_KEY="..."
BETTER_AUTH_SECRET="..."
BETTER_AUTH_URL="http://localhost:3000"
NEXT_PUBLIC_APP_URL="http://localhost:3000"
NEONFIN_ALLOW_SIGNUPS="true"Production tips
- Keep
BETTER_AUTH_URLandNEXT_PUBLIC_APP_URLon the same public origin unless you have a specific reason not to. - Rotate provider API keys from the provider dashboard, then update neonFin.
- Do not rotate
NEONFIN_ENCRYPTION_KEYcasually; it encrypts stored provider secrets. - Set
NEONFIN_ALLOW_SIGNUPS=falseafter your first admin user exists.