
# docflow-auth — local development environment
# =============================================
# Used when running the service directly (go run / go build).
# docker-compose.yml injects these via the root .env — this file
# is for running docflow-auth outside of Docker (e.g. local dev, debugging).
# It holds live credentials: keep it untracked (.gitignore) and out of shared pastes.

PORT=8090

# ── Zitadel — JWT validation ─────────────────────────────────────────────
ZITADEL_JWKS_URL=https://auth.simplifyaipro.com/oauth/v2/keys
ZITADEL_ISSUER=https://auth.simplifyaipro.com

# ── Zitadel — PKCE / OIDC proxy ──────────────────────────────────────────
# Public-facing URL (browser redirects here — must be reachable from user's browser)
ZITADEL_EXTERNAL_URL=https://auth.simplifyaipro.com
# Docker-internal URL (server-to-server API calls — same as external if running locally)
ZITADEL_INTERNAL_URL=https://auth.simplifyaipro.com
# PKCE app client ID — Zitadel console → Projects → your project → New App → User Agent
ZITADEL_CLIENT_ID=370578963807862787
# Where Zitadel sends the auth code after login (must be registered in Zitadel app settings)
ZITADEL_REDIRECT_URI=http://localhost:8000/auth/callback
# Personal Access Token for Zitadel Management API (user creation / password management)
# Zitadel console → IAM → Service Users → <your service user> → Generate PAT
# Role required: ORG_USER_MANAGER on the organisation
# This token can create and modify users; if it is ever exposed, revoke it in the
# console and generate a new one rather than continuing to use it.
ZITADEL_SERVICE_PAT=RPRvDSvZ0NLnAATOyVVtD9TRutiwxhWg6zr9a9g6GWztCr6XRLkarPiIgqQQo1HhA06oUZY
# Default organisation ID (sent as x-zitadel-orgid on all API calls)
# Zitadel console → Organisation → Settings → Resource Owner ID
ZITADEL_ORG_ID=370544088589533187

# ── Frontend ──────────────────────────────────────────────────────────────
# Post-login redirect target after the BFF sets the session cookie
FRONTEND_URL=http://localhost:3000

# ── Redis — session storage (DB 1) ───────────────────────────────────────
# NOTE: the URL below carries no database index, so DB 1 is presumably selected
# in code — confirm against the session store initialisation.
REDIS_URL=redis://localhost:6379

# ── PostgreSQL — app_users identity mapping ───────────────────────────────
# sslmode=disable is only acceptable for the localhost listener used here;
# point this at any remote host with sslmode=verify-full instead.
DATABASE_URL=postgresql://docflow:oRXsQD8nqxJvOnkrWdSbw2tZ70YWTnET@localhost:6543/docflow?sslmode=disable

# ── CORS ──────────────────────────────────────────────────────────────────
CORS_ALLOWED_ORIGINS=http://localhost:3000,https://app.simplifydocflow.com

# ── Internal service-to-service secret ───────────────────────────────────
# Must match INTERNAL_JWT_SECRET in the root .env (used by admin-backend → auth)
INTERNAL_JWT_SECRET=f7cac2bfb2de8dfb4fc1f68d8c89813bc545e485505b422bf93bf03a54ff6e81

# ── Kong gateway base URL (used as base for SSO callback redirect) ────────
# The browser-reachable URL of the Kong gateway.
GATEWAY_BASE_URL=http://localhost:8000

# ── SSO / IDP ─────────────────────────────────────────────────────────────
# Zitadel instance-level IDP IDs (Settings → Identity Providers → click provider → copy from URL)
IDP_GOOGLE_ID=371435084957351939
IDP_MICROSOFT_ID=371411385076154371