Add environment variables documentation to README

max-lt · max-lt · commit abda25b8572b · 2026-02-20T08:14:54.000+01:00
Add env vars table, system tokens, shared storage and email sections.
Remove duplicate table from DEPLOY.md, link to README instead.
diff --git a/DEPLOY.md b/DEPLOY.md
@@ -94,6 +94,8 @@ Create the environment **before** the first upload so the project inherits it au
 
 ## Environment variables
 
+See [README.md](./README.md#environment-variables) for the full list of environment variables.
+
 Secrets are prompted interactively (masked input) when value is omitted:
 
 ```bash
@@ -104,29 +106,9 @@ ow <space> env set openworkers-api-env APP_URL https://dash.example.com
 ow <space> env set openworkers-api-env JWT_ACCESS_SECRET --secret
 ```
 
-| Variable                           | Type    | Required | Description                              |
-| ---------------------------------- | ------- | -------- | ---------------------------------------- |
-| `DATABASE`                         | binding | yes      | Database binding (type: database)        |
-| `ASSETS`                           | binding | yes      | Assets storage binding (SvelteKit files) |
-| `APP_URL`                          | var     | yes      | Dashboard URL (for OAuth redirects)      |
-| `POSTGATE_SYSTEM_TOKEN_SECRET`     | secret  | yes      | System token HMAC secret (>= 32 chars)   |
-| `JWT_ACCESS_SECRET`                | secret  | yes      | JWT signing secret (>= 32 chars)         |
-| `JWT_REFRESH_SECRET`               | secret  | yes      | JWT refresh token secret (>= 32 chars)   |
-| `GITHUB_CLIENT_ID`                 | var     | no       | GitHub OAuth app client ID               |
-| `GITHUB_CLIENT_SECRET`             | secret  | no       | GitHub OAuth app client secret           |
-| `MISTRAL_API_KEY`                  | secret  | no       | Mistral AI API key                       |
-| `SHARED_STORAGE_BUCKET`            | var     | no       | S3 bucket name                           |
-| `SHARED_STORAGE_ENDPOINT`          | var     | no       | S3 endpoint URL                          |
-| `SHARED_STORAGE_ACCESS_KEY_ID`     | secret  | no       | S3 access key                            |
-| `SHARED_STORAGE_SECRET_ACCESS_KEY` | secret  | no       | S3 secret key                            |
-| `SHARED_STORAGE_PUBLIC_URL`        | var     | no       | S3 public URL                            |
-| `EMAIL_PROVIDER`                   | var     | no       | Email provider (e.g. `scaleway`)         |
-| `EMAIL_FROM`                       | var     | no       | Sender email address                     |
-| `SCW_SECRET_KEY`                   | secret  | no       | Scaleway secret key                      |
-| `SCW_PROJECT_ID`                   | var     | no       | Scaleway project ID                      |
-| `SCW_REGION`                       | var     | no       | Scaleway region                          |
-
-In worker mode, the `DATABASE` binding provides direct database access. `POSTGATE_URL` and `POSTGATE_TOKEN` are only needed in Docker mode (see below).
+Bindings (`DATABASE`, `ASSETS`) are set with `ow infra env bind` during the initial setup (see step 5 above). They connect the worker to its database and assets storage at runtime.
+
+In worker mode, the `DATABASE` binding provides direct database access — no Postgate HTTP proxy needed. `POSTGATE_URL` and `POSTGATE_TOKEN` are only required in Docker mode, where there are no runtime bindings.
 
 ## Docker mode
 
@@ -144,14 +126,7 @@ bun start
 
 The server listens on `PORT` (default `7000`).
 
-In Docker mode, there is no `DATABASE` binding. Set these additional variables in `.env`:
-
-| Variable         | Required | Description                      |
-| ---------------- | -------- | -------------------------------- |
-| `POSTGATE_URL`   | yes      | Postgate HTTP proxy URL          |
-| `POSTGATE_TOKEN` | yes      | Postgate token (`pg_xxx` format) |
-
-All other environment variables from the table above also apply (without the bindings).
+In Docker mode, `POSTGATE_URL` and `POSTGATE_TOKEN` must be set in `.env` to connect to the Postgate HTTP proxy. All other environment variables from the README also apply (without the bindings).
 
 ## Managing projects
 
diff --git a/README.md b/README.md
@@ -122,3 +122,52 @@ console.log(users[0], users.count);
 - SQL validation and injection prevention
 - Token-based access control per database
 - Same API works from workers (OpenWorkers runtime)
+
+## Environment Variables
+
+The API runs in two modes with different configuration:
+
+- **Worker mode** — deployed on OpenWorkers, uses `DATABASE` binding for direct DB access
+- **Docker/standalone mode** — uses `POSTGATE_URL` + `POSTGATE_TOKEN` for HTTP-based DB access
+
+| Variable                           | Type    | Required | Description                              |
+| ---------------------------------- | ------- | -------- | ---------------------------------------- |
+| `DATABASE`                         | binding | worker   | Database binding (direct DB access)      |
+| `ASSETS`                           | binding | worker   | Assets storage binding (SvelteKit files) |
+| `POSTGATE_URL`                     | var     | docker   | Postgate HTTP proxy URL                  |
+| `POSTGATE_TOKEN`                   | secret  | docker   | Postgate token (`pg_xxx` format)         |
+| `POSTGATE_SYSTEM_TOKEN_SECRET`     | secret  | yes      | System token HMAC secret (>= 32 chars)   |
+| `APP_URL`                          | var     | yes      | Dashboard URL (for OAuth redirects)      |
+| `JWT_ACCESS_SECRET`                | secret  | yes      | JWT signing secret (>= 32 chars)         |
+| `JWT_REFRESH_SECRET`               | secret  | yes      | JWT refresh token secret (>= 32 chars)   |
+| `GITHUB_CLIENT_ID`                 | var     | no       | GitHub OAuth app client ID               |
+| `GITHUB_CLIENT_SECRET`             | secret  | no       | GitHub OAuth app client secret           |
+| `MISTRAL_API_KEY`                  | secret  | no       | Mistral AI API key (transcription)       |
+| `SHARED_STORAGE_BUCKET`            | var     | yes      | S3 bucket name                           |
+| `SHARED_STORAGE_ENDPOINT`          | var     | yes      | S3 endpoint URL                          |
+| `SHARED_STORAGE_ACCESS_KEY_ID`     | secret  | yes      | S3 access key                            |
+| `SHARED_STORAGE_SECRET_ACCESS_KEY` | secret  | yes      | S3 secret key                            |
+| `SHARED_STORAGE_PUBLIC_URL`        | var     | yes      | S3 public URL                            |
+| `EMAIL_PROVIDER`                   | var     | no       | Email provider (`scaleway`)              |
+| `EMAIL_FROM`                       | var     | no       | Sender email address                     |
+| `SCW_SECRET_KEY`                   | secret  | no       | Scaleway secret key                      |
+| `SCW_PROJECT_ID`                   | var     | no       | Scaleway project ID                      |
+| `SCW_REGION`                       | var     | no       | Scaleway region                          |
+
+### System tokens
+
+When the API executes SQL on a user's database (via `/api/v1/databases/:id/exec`), it authenticates to Postgate using a **system token**. These tokens are deterministic — derived from `HMAC-SHA256(POSTGATE_SYSTEM_TOKEN_SECRET, "system_token:{databaseId}")` — so they don't need to be stored in plain text. Only the hash is persisted in the `database_tokens` table.
+
+This means the API can regenerate the token on the fly for any database, as long as `POSTGATE_SYSTEM_TOKEN_SECRET` stays the same. If the secret changes, all system tokens become invalid and must be recreated.
+
+### Shared storage
+
+The `SHARED_STORAGE_*` variables configure the S3-compatible bucket used to store worker assets (uploaded scripts, static files). Without these, workers cannot be deployed. Any S3-compatible provider works (Cloudflare R2, AWS S3, MinIO, etc.).
+
+`SHARED_STORAGE_PUBLIC_URL` is the public-facing URL used to serve assets to clients (e.g. `https://assets.example.com`).
+
+### Email
+
+The `EMAIL_*` and `SCW_*` variables are optional. When configured, the API can send transactional emails (e.g. invitations). Currently only Scaleway TEM is supported as a provider (`EMAIL_PROVIDER=scaleway`).
+
+See [DEPLOY.md](./DEPLOY.md) for deployment instructions.
