Configuration

Environment variables and configuration files for the backend

Environment Files

Symfony loads environment files in this order (later files override earlier ones):

  1. .env — committed defaults and documentation
  2. .env.local — your local overrides (gitignored)
  3. .env.{APP_ENV} — environment-specific defaults (e.g., .env.test)
  4. .env.{APP_ENV}.local — environment-specific local overrides (gitignored)

Real environment variables (set in your shell, in Docker, or by the deployment platform) always win over .env files. Note that .env.local is skipped when APP_ENV=test, so test runs stay reproducible regardless of local overrides.

Never commit secrets. .env holds placeholders and documentation only; put real credentials in .env.local or set them as environment variables in your deployment platform.
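As an added example (not part of the project), the following POSIX shell script applies the rules above: it creates .env.local with fresh random APP_SECRET and JWT_PASSPHRASE values readable only by the owner, and it scans git-tracked env files for credential prefixes that belong to live providers (the sk_live_, whsec_ and xkeysib- prefixes from the variable tables below). The script name env-hygiene.sh, the choice of prefixes, and running it from the backend root inside the git checkout are assumptions.

```shell
#!/usr/bin/env sh
# env-hygiene.sh (added example, not project code): secret hygiene for the env files above.
# Assumptions: run from the backend root inside the git checkout; the live-credential
# prefixes come from the variable tables (Stripe sk_live_/whsec_, Brevo xkeysib-).

# scan_env_file FILE: print every line that looks like a live credential.
# Returns 0 when the file is clean, 1 when something that must never be committed is present.
scan_env_file() {
    file="$1"
    [ -f "$file" ] || return 0
    # Stripe live secret key, Stripe webhook signing secret, Brevo API key.
    if grep -nE 'sk_live_[A-Za-z0-9]+|whsec_[A-Za-z0-9]+|xkeysib-[A-Za-z0-9-]+' "$file"; then
        echo "ERROR: $file contains what looks like a live credential" >&2
        return 1
    fi
    return 0
}

# scan_tracked_env_files: check every env file git tracks. The *.local files must
# be gitignored, so any of them showing up here is itself an error.
scan_tracked_env_files() {
    status=0
    for f in $(git ls-files -- '.env' '.env.*'); do
        case "$f" in
            *.local) echo "ERROR: $f is tracked but must be gitignored" >&2; status=1 ;;
        esac
        scan_env_file "$f" || status=1
    done
    return $status
}

# random_hex NBYTES: NBYTES random bytes as lowercase hex (2*NBYTES characters).
random_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# init_env_local [FILE]: create the gitignored local override file with fresh
# secrets. 16 random bytes give the 32-character APP_SECRET recommended above.
init_env_local() {
    target="${1:-.env.local}"
    if [ -e "$target" ]; then
        echo "$target already exists, leaving it untouched" >&2
        return 0
    fi
    (
        umask 077   # created 0600: the owner can read it, nobody else
        {
            echo "APP_SECRET=$(random_hex 16)"
            echo "JWT_PASSPHRASE=$(random_hex 32)"
        } > "$target"
    )
    echo "wrote $target"
}

# Usage: sh env-hygiene.sh check   (scan tracked env files, non-zero exit on findings)
#        sh env-hygiene.sh init    (create .env.local)
case "${1:-}" in
    check) scan_tracked_env_files ;;
    init)  init_env_local ;;
esac
```

`sh env-hygiene.sh check` is cheap enough to run as a pre-commit hook or CI step; it exits non-zero on the first tracked file that carries a live-looking key or on any tracked *.local file. The prefix list is deliberately short and specific so the check does not flag the sk_test_ and placeholder values that belong in the committed .env.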

Environment Variables

Core

| Variable | Description | Example |
|---|---|---|
| APP_ENV | Symfony environment | dev, test, prod |
| APP_SECRET | Symfony secret (CSRF, signing) | Random 32+ char string |
| DATABASE_URL | PostgreSQL connection string | postgresql://app:pass@database:5432/app?serverVersion=16&charset=utf8 |
| MESSENGER_TRANSPORT_DSN | Message transport | sync:// (dev) or redis://redis:6379/messages |
| DEFAULT_URI | Base URL for console route generation | http://localhost |
| JWT_PASSPHRASE | Passphrase protecting the JWT private key (used when the key pair is generated with lexik:jwt:generate-keypair) | Random string |
| CORS_ALLOW_ORIGIN | Allowed CORS origins (regex; keep it anchored with ^ and $) | ^https?://(localhost\|127\.0\.0\.1)(:[0-9]+)?$ |

Email / Brevo

| Variable | Description | Example |
|---|---|---|
| EMAIL_SENDER_EMAIL | From address for all emails | noreply@yourdomain.com |
| EMAIL_SENDER_NAME | From name for all emails | Your App Name |
| MAILER_DSN | Symfony Mailer transport | smtp://mailer:1025 (dev) |
| BREVO_API_KEY | Brevo API key (production emails) | xkeysib-... |

In development, emails go to Mailpit at http://localhost:8025. In production, emails are sent via the Brevo API.

Stripe

| Variable | Description | Example |
|---|---|---|
| STRIPE_SECRET_KEY | Stripe API secret key | sk_test_... or sk_live_... |
| STRIPE_WEBHOOK_SECRET | Stripe webhook signing secret | whsec_... |
| STRIPE_SUCCESS_URL | Redirect after successful payment | https://yourapp.com/payment/success |
| STRIPE_CANCEL_URL | Redirect after cancelled payment | https://yourapp.com/payment/cancel |

Firebase

| Variable | Description | Example |
|---|---|---|
| FIREBASE_PROJECT_ID | Firebase project ID | my-app-12345 |

Frontend URLs

| Variable | Description | Example |
|---|---|---|
| EMAIL_VALIDATION_REDIRECT_URL | Where users land after email validation | https://yourapp.com/auth/email-verified |
| FRONTEND_RESET_PASSWORD_URL | Frontend password reset form | https://yourapp.com/auth/reset-password |

Dokploy (Deployment)

| Variable | Description | Example |
|---|---|---|
| DOKPLOY_URL | Dokploy instance URL | https://your-dokploy.com |
| DOKPLOY_TOKEN | Dokploy API token | Your Dokploy auth token |

Config Files

Stripe Plans {#stripe-plans}

Defined in config/packages/stripe.yaml.

Defines your plan tiers. Supports both one-time and recurring payment models:

parameters:
    stripe_plans:
        # One-time (lifetime) plans
        starter:
            name: 'Starter Plan'
            type: 'one_time'
            price_cents: 4900          # $49.00
        pro:
            name: 'Pro Plan'
            type: 'one_time'
            price_cents: 14900         # $149.00

        # OR recurring plans (replace the one-time block above with this; YAML mapping keys must be unique)
        # starter:
        #     name: 'Starter Plan'
        #     type: 'recurring'
        #     monthly_price_cents: 900   # $9.00/mo
        #     yearly_price_cents: 9000   # $90.00/yr
        # pro:
        #     name: 'Pro Plan'
        #     type: 'recurring'
        #     monthly_price_cents: 2900
        #     yearly_price_cents: 29000

After changing plan definitions, sync to Stripe:

docker compose exec php bin/console app:stripe:sync-plans

Brevo Email Templates {#brevo-email-templates}

Defined in config/packages/brevo.yaml.

Maps Brevo template IDs to email types:

parameters:
    brevo_api_key: '%env(BREVO_API_KEY)%'
    brevo_sender_email: '%env(EMAIL_SENDER_EMAIL)%'
    brevo_sender_name: '%env(EMAIL_SENDER_NAME)%'
    brevo_template_welcome: 1
    brevo_template_password_changed: 2
    brevo_template_password_reset: 3

Each template receives specific variables:

| Template | ID | Variables |
|---|---|---|
| Welcome | 1 | userName, validationLink |
| Password Changed | 2 | userName |
| Password Reset | 3 | userName, resetLink |

Create these templates in your Brevo dashboard and update the IDs accordingly.

Rate Limiting {#rate-limiting}

Defined in config/packages/rate_limiter.yaml.

| Limiter | Limit | Window | Scope |
|---|---|---|---|
| auth_signup_ip | 5 | 15 minutes | IP |
| auth_signup_email | 3 | 15 minutes | Email |
| auth_login_ip | 5 | 15 minutes | IP |
| auth_login_email | 5 | 15 minutes | Email |
| auth_logout | 10 | 1 minute | IP |

JWT — config/packages/lexik_jwt_authentication.yaml

| Setting | Value |
|---|---|
| Access token TTL | 3600s (1 hour) |
| Refresh token TTL | 2592000s (30 days) |
| Refresh token | Single-use (rotated on each refresh) |

CORS — config/packages/nelmio_cors.yaml

| Setting | Value |
|---|---|
| Allowed origins | Regex from CORS_ALLOW_ORIGIN env var |
| Allowed methods | GET, OPTIONS, POST, PUT, PATCH, DELETE |
| Allowed headers | Content-Type, Authorization |
| Max age | 3600s |
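An added check (not part of the project) for the CORS_ALLOW_ORIGIN value: NelmioCorsBundle applies each origin_regex entry with preg_match, case-insensitively and without adding anchors, so a pattern that drops the ^ and $ accepts any Origin that merely contains the allowed host. The script mirrors that matching with grep -Ei and compares the anchored pattern from the Core table with a hypothetical unanchored copy; the attacker.example origins are constructed test inputs and the script name cors-origin-check.sh is an assumption.

```shell
#!/usr/bin/env sh
# cors-origin-check.sh (added example, not project code): evaluate Origin values
# against a CORS_ALLOW_ORIGIN regex the way NelmioCorsBundle does for origin_regex
# entries: preg_match, case-insensitive, no anchors added. Here grep -Ei plays that role.

# origin_allowed REGEX ORIGIN: exit 0 if ORIGIN matches REGEX, 1 otherwise.
origin_allowed() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# The anchored pattern from the Core variable table.
ANCHORED='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
# Hypothetical weakened copy with ^ and $ dropped, for contrast only.
UNANCHORED='https?://(localhost|127\.0\.0\.1)(:[0-9]+)?'

# Constructed test origins: two that should pass, two that must be rejected.
# localhost.attacker.example is a host an attacker can register and serve from.
ORIGINS='http://localhost:3000 https://127.0.0.1 http://localhost.attacker.example https://attacker.example'

# show REGEX: print the verdict for each origin in ORIGINS.
show() {
    for o in $ORIGINS; do
        if origin_allowed "$1" "$o"; then echo "ALLOW  $o"; else echo "deny   $o"; fi
    done
}

echo "# anchored pattern"
show "$ANCHORED"
echo "# unanchored pattern (do not ship this)"
show "$UNANCHORED"
```

Run it against the exact string you are about to put in the production environment: if any attacker-controlled host prints ALLOW, the pattern is missing an anchor or an escaped dot. Because the browser sends credentials on CORS requests only when the server echoes the origin back, an over-broad pattern turns the Authorization-bearing API into one any site can call from a victim's browser.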