This page lists every environment variable recognized by The Shift Platform gateway and supporting scripts.
Gateway Runtime
| Variable | Default | Description |
|---|---|---|
| PORT | 3000 | Gateway listen port |
| NODE_ENV | development | Environment mode (development, staging, production) |
| LOG_LEVEL | info | Logging verbosity (debug, info, warn, error) |
| YELLOWPAGES_CATALOG | .yellowpages | Path to Yellow Pages data directory (file-based storage only) |
| STAGE_PROXY_URL | unset | External Stage base URL. When set, proxies `/api/v1/stage/*` to `$STAGE_PROXY_URL/api/stage/*`. Falls back to in-process Stage when unset. |

Storage
| Variable | Default | Description |
|---|---|---|
| SHIFT_STORAGE | convex | Storage backend to use: convex or file |
| CONVEX_URL | unset | Convex Cloud deployment URL (e.g., https://xxx.convex.cloud) |
| CONVEX_SELF_HOSTED_URL | unset | Self-hosted Convex URL (e.g., http://127.0.0.1:3210). Takes precedence over CONVEX_URL when both are set. |
| CONVEX_SELF_HOSTED_ADMIN_KEY | unset | Admin key for self-hosted Convex. Generated during K8s bootstrap or Convex setup. |

When SHIFT_STORAGE=convex, either CONVEX_URL or CONVEX_SELF_HOSTED_URL must be set. When SHIFT_STORAGE=file, the gateway reads and writes JSON files in per-service dotfile directories (.yellowpages/, .ledger/, etc.).
Authentication
| Variable | Default | Description |
|---|---|---|
| GOOGLE_CLIENT_ID | unset | Google OAuth client ID for web browser login. Auth is disabled when unset. |
| GOOGLE_CLIENT_SECRET | unset | Google OAuth client secret for web browser login |
| GOOGLE_CLI_CLIENT_ID | unset | Google OAuth client ID for CLI login flow |
| GOOGLE_CLI_CLIENT_SECRET | unset | Google OAuth client secret for CLI login flow |
| SESSION_SECRET | unset | HMAC key for signing session cookies |
| SHIFT_API_KEY | unset | API key for scripts and agents. Sent via X-API-Key header to bypass cookie auth. |
| SHIFT_ALLOWED_DOMAIN | the-shift.dev | Email domain restriction for Google OAuth. Only emails from this domain are allowed to authenticate. |

When none of the authentication variables are set, all routes are public (backward-compatible with unauthenticated setups). When GOOGLE_CLIENT_ID is set, all endpoints except /healthz and /auth/* require authentication.
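
A preflight check over the storage and authentication rules stated above, as an added example that is not part of the gateway's code. `checkGatewayEnv`, the `Finding` shape, the rule names and the severity choices are assumptions of this example, and the sample environment is constructed.

```typescript
// Added example: preflight check for the variables documented on this page.
// checkGatewayEnv, Finding and the rule names are hypothetical, not gateway code.
type Env = Record<string, string | undefined>;
type Finding = { level: "error" | "warn"; rule: string; detail: string };

const AUTH_VARS = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GOOGLE_CLI_CLIENT_ID",
  "GOOGLE_CLI_CLIENT_SECRET", "SESSION_SECRET", "SHIFT_API_KEY"];

const isSet = (env: Env, key: string): boolean => (env[key] ?? "").trim() !== "";

function checkGatewayEnv(env: Env): Finding[] {
  const findings: Finding[] = [];
  const add = (level: Finding["level"], rule: string, detail: string): void => {
    findings.push({ level, rule, detail });
  };
  const prod = env.NODE_ENV === "production";

  // Storage: SHIFT_STORAGE defaults to convex, which needs one of the two URLs.
  const storage = isSet(env, "SHIFT_STORAGE") ? env.SHIFT_STORAGE : "convex";
  if (storage !== "convex" && storage !== "file") {
    add("error", "storage-backend", `SHIFT_STORAGE must be convex or file, got ${storage}`);
  } else if (storage === "convex") {
    const cloud = isSet(env, "CONVEX_URL");
    const selfHosted = isSet(env, "CONVEX_SELF_HOSTED_URL");
    if (!cloud && !selfHosted) {
      add("error", "convex-url-missing", "set CONVEX_URL or CONVEX_SELF_HOSTED_URL");
    } else if (cloud && selfHosted) {
      add("warn", "convex-url-shadowed", "CONVEX_SELF_HOSTED_URL takes precedence over CONVEX_URL");
    }
  }

  // Authentication: with no auth variables set, every route is public.
  if (!AUTH_VARS.some((key) => isSet(env, key))) {
    // Assumption: public routes are an error in production, a warning elsewhere.
    add(prod ? "error" : "warn", "auth-disabled", "no auth variables set; all routes are public");
  } else if (!isSet(env, "GOOGLE_CLIENT_ID")) {
    add("warn", "oauth-disabled", "GOOGLE_CLIENT_ID unset; the page lists auth as disabled");
  } else {
    // Assumption: web login needs the client secret and the cookie-signing key.
    for (const key of ["GOOGLE_CLIENT_SECRET", "SESSION_SECRET"]) {
      if (!isSet(env, key)) add("error", "oauth-incomplete", `${key} is unset`);
    }
  }
  return findings;
}

// Constructed sample: a production environment left with only the documented defaults.
const sample: Env = { NODE_ENV: "production", PORT: "3000" };
const sampleRules = checkGatewayEnv(sample).map((f) => `${f.level}:${f.rule}`);
```

Passing `process.env` to `checkGatewayEnv` in a deploy step and failing the rollout on any `error` finding catches a gateway that would otherwise start with public routes or no storage URL.
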
Scripts and Tests
| Variable | Default | Description |
|---|---|---|
| GATEWAY_URL | http://localhost:3000 | Target gateway URL used by scripts/seed.ts, the golden path E2E test, and other scripts |

K8s Dev Overlay (ConfigMap)
These values are set in the dev overlay's ConfigMap (k8s/overlays/dev/configmap-patch.yml):
| Key | Value |
|---|---|
| NODE_ENV | development |
| LOG_LEVEL | debug |
| SHIFT_STORAGE | convex |
| CONVEX_SELF_HOSTED_URL | http://convex-backend.shift-platform.svc.cluster.local:3210 |

K8s Secrets
Sensitive values are stored in the shift-platform-secrets Kubernetes secret and mounted as environment variables. In local dev, these are injected from Doppler:
| Secret | Description |
|---|---|
| GOOGLE_CLIENT_ID | Google OAuth client ID (web login) |
| GOOGLE_CLIENT_SECRET | Google OAuth client secret (web login) |
| GOOGLE_CLI_CLIENT_ID | Google OAuth client ID (CLI login) |
| GOOGLE_CLI_CLIENT_SECRET | Google OAuth client secret (CLI login) |
| SESSION_SECRET | HMAC key for signing session cookies |
| SHIFT_API_KEY | API key for scripts/agents |