## Current Setup

The project already has:

- **`.env`** file (exists but protected from reading)
- **`.env.example`** file (exists but protected from reading)
- **`dotenvy`** crate integration in `main.rs` and config loading

## Why .env Files Are Important

The application uses environment variables for several critical configurations:

### 1. **JWT Configuration**

```template/server/src/auth/jwt.rs#L36-54
let secret = env::var("JWT_SECRET")
    .unwrap_or_else(|_| "your-super-secret-jwt-key-change-this-in-production".to_string());
let issuer = env::var("JWT_ISSUER").unwrap_or_else(|_| "rustelo-auth".to_string());
let access_token_expires_in = Duration::minutes(
    env::var("JWT_ACCESS_TOKEN_EXPIRES_IN")
        .unwrap_or_else(|_| "15".to_string())
        .parse()
        .unwrap_or(15),
);
```

### 2. **OAuth Configuration**

```template/server/src/auth/oauth.rs#L105-115
let client_id = env::var("GOOGLE_CLIENT_ID").map_err(|_| {
    anyhow!("Google OAuth not configured: missing GOOGLE_CLIENT_ID")
})?;
let client_secret = env::var("GOOGLE_CLIENT_SECRET").map_err(|_| {
    anyhow!("Google OAuth not configured: missing GOOGLE_CLIENT_SECRET")
})?;
```

### 3. **Server Configuration Overrides**

```template/server/src/config/mod.rs#L304-346
// Server overrides
if let Ok(protocol) = env::var("SERVER_PROTOCOL") {
    ...
}
if let Ok(host) = env::var("SERVER_HOST") {
    ...
}
if let Ok(port) = env::var("SERVER_PORT") {
    ...
}
if let Ok(database_url) = env::var("DATABASE_URL") {
    ...
}
if let Ok(session_secret) = env::var("SESSION_SECRET") {
    ...
}
```

## Key Environment Variables You Should Set

Based on the code analysis, here are the important environment variables:

### **Authentication & Security**

- `JWT_SECRET` - JWT signing secret (critical for security: the `jwt.rs` excerpt above falls back to a hardcoded placeholder whenever this variable is unset, so a deployment that forgets it signs tokens with a publicly known key)
- `JWT_ISSUER` - JWT issuer name
- `JWT_ACCESS_TOKEN_EXPIRES_IN` - Access token expiration (minutes)
- `JWT_REFRESH_TOKEN_EXPIRES_IN` - Refresh token expiration (days)
- `SESSION_SECRET` - Session cookie secret

### **Database**

- `DATABASE_URL` - PostgreSQL connection string

### **OAuth (if using social login)**

- `OAUTH_REDIRECT_BASE_URL` - OAuth callback base URL
- `GOOGLE_CLIENT_ID` & `GOOGLE_CLIENT_SECRET`
- `GITHUB_CLIENT_ID` & `GITHUB_CLIENT_SECRET`
- `DISCORD_CLIENT_ID` & `DISCORD_CLIENT_SECRET`
- `MICROSOFT_CLIENT_ID`, `MICROSOFT_CLIENT_SECRET`, `MICROSOFT_TENANT_ID`

### **Server Configuration**

- `ENVIRONMENT` - Runtime environment (development/production)
- `SERVER_PROTOCOL` - HTTP or HTTPS
- `SERVER_HOST` - Server bind address
- `SERVER_PORT` - Server port
- `LOG_LEVEL` - Logging level
- `CONFIG_FILE` - Custom config file path
- `TLS_CERT_PATH` & `TLS_KEY_PATH` - For HTTPS

## How It Works

1. **Environment Loading**: The app uses `dotenvy::dotenv().ok()` to load `.env` files
2. **Config Hierarchy**: TOML files provide defaults, environment variables override them
3. **Fallback Values**: Most settings have sensible defaults if env vars aren't set

The `.env` file is essential for keeping sensitive credentials like database passwords, JWT secrets, and OAuth keys separate from your code and configuration files.
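The following is an added example, not code from the rustelo project, showing one way to keep the env-over-defaults hierarchy described above while closing the gap in the `jwt.rs` excerpt: in `production` a missing, placeholder or short `JWT_SECRET` refuses to start instead of silently using the hardcoded fallback, and an unparsable `SERVER_PORT` is reported rather than ignored. The `JwtConfig` and `ServerConfig` structs, the `load_jwt_config`, `apply_server_overrides` and `lookup_from` functions, and the 32-byte minimum secret length are all assumptions made for this example; settings are read through a lookup closure so the logic can be exercised without touching the process environment.

```rust
use std::collections::HashMap;
use std::env;
use std::time::Duration;

/// Hypothetical JWT settings, modelled on the values read in the page's jwt.rs excerpt.
#[derive(Debug, PartialEq)]
pub struct JwtConfig {
    pub secret: String,
    pub issuer: String,
    pub access_token_expires_in: Duration,
}

/// The placeholder the page's code falls back to when JWT_SECRET is unset.
pub const DEV_FALLBACK_SECRET: &str = "your-super-secret-jwt-key-change-this-in-production";

/// Assumed minimum secret length outside development (32 bytes = 256 bits, sized for HS256).
pub const MIN_SECRET_BYTES: usize = 32;

/// Loads JWT settings via `lookup` (a stand-in for `env::var`). In `production` a missing,
/// placeholder or short JWT_SECRET is an error; elsewhere the page's fallback is kept so
/// local development still works without a .env file.
pub fn load_jwt_config(
    lookup: &dyn Fn(&str) -> Option<String>,
    environment: &str,
) -> Result<JwtConfig, String> {
    let is_production = environment.eq_ignore_ascii_case("production");

    let secret = match lookup("JWT_SECRET") {
        Some(s) if !s.is_empty() => s,
        _ if is_production => return Err("JWT_SECRET must be set in production".to_string()),
        _ => DEV_FALLBACK_SECRET.to_string(),
    };
    if is_production {
        if secret == DEV_FALLBACK_SECRET {
            return Err("JWT_SECRET is still the development placeholder".to_string());
        }
        if secret.len() < MIN_SECRET_BYTES {
            return Err(format!("JWT_SECRET must be at least {} bytes", MIN_SECRET_BYTES));
        }
    }

    let issuer = lookup("JWT_ISSUER").unwrap_or_else(|| "rustelo-auth".to_string());

    // Same behaviour as the page: a missing or unparsable value falls back to 15 minutes.
    let minutes: u64 = lookup("JWT_ACCESS_TOKEN_EXPIRES_IN")
        .and_then(|v| v.parse().ok())
        .unwrap_or(15);

    Ok(JwtConfig {
        secret,
        issuer,
        access_token_expires_in: Duration::from_secs(minutes * 60),
    })
}

/// Hypothetical server settings; `defaults` is assumed to come from the TOML file.
#[derive(Debug, Clone, PartialEq)]
pub struct ServerConfig {
    pub host: String,
    pub port: u16,
}

/// Applies the env-over-TOML rule from the config/mod.rs excerpt. A SERVER_PORT that is not
/// a valid u16 is an error instead of being dropped silently.
pub fn apply_server_overrides(
    defaults: ServerConfig,
    lookup: &dyn Fn(&str) -> Option<String>,
) -> Result<ServerConfig, String> {
    let mut cfg = defaults;
    if let Some(host) = lookup("SERVER_HOST") {
        cfg.host = host;
    }
    if let Some(port) = lookup("SERVER_PORT") {
        cfg.port = port
            .parse()
            .map_err(|_| format!("SERVER_PORT is not a valid port: {}", port))?;
    }
    Ok(cfg)
}

/// Builds a lookup from a fixed map of constructed sample values (used by the tests).
pub fn lookup_from<'a>(map: &'a HashMap<&'a str, &'a str>) -> impl Fn(&str) -> Option<String> + 'a {
    move |key: &str| map.get(key).map(|v| v.to_string())
}

fn main() {
    // Stand-alone run: read the real process environment, as the app would after dotenvy.
    let environment = env::var("ENVIRONMENT").unwrap_or_else(|_| "development".to_string());
    let from_env = |key: &str| env::var(key).ok();
    match load_jwt_config(&from_env, &environment) {
        Ok(cfg) => println!("issuer={} lifetime={:?}", cfg.issuer, cfg.access_token_expires_in),
        Err(e) => eprintln!("refusing to start: {}", e),
    }
}
```

The check runs once at startup, so a misconfigured production deployment fails loudly on boot rather than issuing tokens under a key that is visible to anyone who has read the source.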