# Cloudflare credentials (server-side only, never sent to browser)
CLOUDFLARE_ACCOUNT_ID=your_account_id_here
CLOUDFLARE_API_TOKEN=your_api_token_here

# Required API Token permissions:
#   - Access: Apps and Policies Write  (list + create Access apps)
#   - Cloudflare Tunnel: Edit          (create / configure / delete tunnels)
#   - DNS: Edit                        (create CNAME records)
#   - Zone: Read                       (lookup zone ID for a hostname)

# Optional: Cloudflare Access Service Token for fetching server metrics
# (Create one in Zero Trust > Settings > Service Auth)
CF_SERVICE_CLIENT_ID=
CF_SERVICE_CLIENT_SECRET=

# Upstash Redis — stores per-user CF credentials (multi-user)
# Create a free database at https://console.upstash.com
UPSTASH_REDIS_URL=https://your-db.upstash.io
UPSTASH_REDIS_TOKEN=your_upstash_token_here

# GitHub OAuth (create at https://github.com/settings/developers)
# Callback URL: https://your-domain.vercel.app/api/auth/callback/github
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=

# Required for next-auth session encryption (run: openssl rand -base64 32)
NEXTAUTH_SECRET=
# Optional on Vercel — set to your production URL if self-hosting
# NEXTAUTH_URL=https://your-domain.vercel.app