Secrets Setup (Supabase)

Keep all provider secrets in Supabase project secrets (Edge Functions) rather than in the frontend. Example command (replace values):

supabase secrets set \
  RESEND_API_KEY=... RESEND_FROM="Al Huda Travels <no-reply@alhuda.co.in>" \
  MAILJET_API_KEY=... MAILJET_SECRET=... MAIL_FROM="Al Huda Travels <no-reply@alhuda.co.in>" \
  WHATSAPP_ACCESS_TOKEN=... WHATSAPP_PHONE_NUMBER_ID=... WHATSAPP_VERIFY_TOKEN=... \
  WHATSAPP_DEFAULT_COUNTRY_CODE=91 WHATSAPP_OTP_TEMPLATE_NAME=... WHATSAPP_TEMPLATE_LANGUAGE=en_US \
  COMMUNICATION_DISPATCH_KEY=... \
  CLOUDINARY_URL=... \
  B2_ENDPOINT=... B2_BUCKET=... B2_ACCESS_KEY_ID=... B2_SECRET_ACCESS_KEY=... \
  IDRIVEE2_ENDPOINT=... IDRIVEE2_REGION=... IDRIVEE2_BUCKET=... IDRIVEE2_ACCESS_KEY_ID=... IDRIVEE2_SECRET_ACCESS_KEY=... \
  GOOGLE_DRIVE_PROJECT_ID=... GOOGLE_DRIVE_CLIENT_EMAIL=... GOOGLE_DRIVE_PRIVATE_KEY="..." \
  TURNSTILE_SECRET_KEY=...

For local builds, use .env.local (ignored) and copy from env.example only if you need non-sensitive values (anon keys, public site keys). Do not store secrets in the frontend.***

WhatsApp notes:

• WHATSAPP_ACCESS_TOKEN should be a Meta system-user token with whatsapp_business_messaging.
• WHATSAPP_PHONE_NUMBER_ID is the sender number ID used by Cloud API.
• WHATSAPP_VERIFY_TOKEN is the custom token Meta sends back during webhook verification.
• WHATSAPP_OTP_TEMPLATE_NAME should match your approved authentication template if you want OTP delivery outside the 24-hour customer care window.
• COMMUNICATION_DISPATCH_KEY can be used by your cron/scheduler to call the communications-dispatcher function securely. If omitted, use the Supabase service role key as the authorization bearer token for the dispatcher.