Operate

Environment variables

Pitchbar reads its configuration from the standard Laravel .env, with overrides for some keys available via the platform admin's App Settings page so you can swap Stripe / mail / LLM credentials without redeploying.

Required

Variable	Why
`APP_KEY`	Encryption master key. Generate with `php artisan key:generate`. Never rotate without a re-encrypt migration.
`APP_URL`	Public URL, used to build widget snippets, OAuth callbacks, signed URLs.
`DB_*`	Postgres connection.
`REDIS_HOST`	Cache, sessions, queue, hot-path retrieval cache, conversation history cache.
`QUEUE_CONNECTION`	Set to `redis` in production.
`SESSION_DRIVER`	`redis` in production.
`CACHE_DRIVER`	`redis`.
`WIDGET_JWT_SECRET`	HS256 signing secret for visitor JWTs. ≥ 32 random bytes.

LLM provider

At least one of the following:

Variable	Provider
`CLOUDFLARE_ACCOUNT_ID` + `CLOUDFLARE_API_TOKEN`	Cloudflare Workers AI (preferred). Auto-binds Llama 3.3 70B + bge-base-en-v1.5.
`OPENAI_API_KEY`	OpenAI direct.
`OPENROUTER_API_KEY`	OpenRouter (router across many providers).

Set LLM_PROVIDER to force a binding (cloudflare, openai, openrouter). When unset, the resolver picks based on which keys are available, in the priority above.

Vector store

Variable	Provider
`VECTORIZE_INDEX`	Cloudflare Vectorize index name. Uses `CLOUDFLARE_ACCOUNT_ID` + token.
`QDRANT_URL` + `QDRANT_API_KEY`	Qdrant.

Set VECTOR_PROVIDER to force. Auto-binds based on available keys (Vectorize preferred).

Crawler

Variable	Strategy
(uses `CLOUDFLARE_*`)	Cloudflare Browser Rendering. Preferred.
`BROWSERLESS_TOKEN` + `BROWSERLESS_URL`	Browserless fallback.
(none)	Plain HTTP. Free; no JS rendering.

Stripe

Variable	Purpose
`STRIPE_KEY`	Publishable key.
`STRIPE_SECRET`	Secret key. Used for plan sync and Cashier.
`STRIPE_WEBHOOK_SECRET`	Signing secret for incoming webhooks (`whsec_…`).
`CASHIER_CURRENCY`	Defaults to `usd`.

Reverb (realtime)

Variable	Purpose
`REVERB_APP_KEY`	Public app key. Embedded in widget init payload.
`REVERB_APP_SECRET`	Secret. Server-side only.
`REVERB_APP_ID`	App identifier.
`REVERB_HOST`	Public hostname for the Reverb server.
`REVERB_PORT`	Default 8080.
`REVERB_SCHEME`	`wss` in production, `ws` locally.

Mail

Variable	Purpose
`MAIL_MAILER`	`smtp` / `postmark` / `resend` / etc.
`MAIL_FROM_ADDRESS`	Sender address. Required.
`MAIL_FROM_NAME`	Display name.
`MAIL_HOST` / `MAIL_PORT` / `MAIL_USERNAME` / `MAIL_PASSWORD`	SMTP credentials.

Branding

Variable	Purpose
`BRANDING_LABEL`	Default "Powered by Pitchbar" label. Override in app_settings for white-label.
`BRANDING_URL`	Where the label links to.
`BRANDING_FOOTER_LOGO_PATH`	Storage path to the footer logo image.

Observability

Variable	Purpose
`SENTRY_DSN`	Error reporting.
`OTEL_EXPORTER_OTLP_ENDPOINT`	OpenTelemetry collector. Honeycomb / Grafana Cloud.
`OTEL_SERVICE_NAME`	Service name in traces. Default `pitchbar`.

App Settings overrides

The app_settings singleton row stores plaintext-encrypted overrides for:

Stripe secret + webhook secret + publishable key.
Mail driver settings.
Cloudflare / OpenAI / OpenRouter keys.
Branding (label, URL, logo).

The AppSettingsOverrideServiceProvider reads this on boot and merges into config(). Setting things via the admin panel is preferred for production — you don't have to re-deploy when a key rotates.

APP_KEY rotation requires a manual migration. The encrypted columns in app_settings were sealed with the old key; rotating without re-encrypting renders them unreadable.