Multi-Host Deployment — Env Var Quick Reference¶
[!NOTE] Purpose of this file: Ready-to-paste environment variable blocks for each hosting platform (Railway, Vercel, Render). Use this when setting up a new environment or debugging CORS/CSRF issues. For architecture overview and Supabase setup, see MicroERP_deployment_guide.md.
✅ Configuration Audit¶
Status: settings.py is 100% environment-variable driven with NO hardcoded domains.
🔍 Audit Results¶
- ✅ CORS Configuration: Whitelist managed via
CORS_ALLOWED_ORIGINS. - ✅ CSRF Configuration: Trusted origins managed via
CSRF_TRUSTED_ORIGINS. - ✅ Host Security: Allowed hosts managed via
ALLOWED_HOSTS. - ✅ System Secrets: All keys and URLs (Supabase, Secret Key, etc.) use environment variables.
📋 Required Environment Variables by Host¶
Railway (Primary) 🚂¶
# Core Django
SECRET_KEY=<your-secret-key>
DEBUG=False
ALLOWED_HOSTS=merp25-api.up.railway.app,localhost,127.0.0.1
# CORS & CSRF
CORS_ALLOWED_ORIGINS=https://www.ebosai.com,https://merp25.up.railway.app,https://merp25.vercel.app
CSRF_TRUSTED_ORIGINS=https://www.ebosai.com,https://merp25.up.railway.app,https://merp25-api.up.railway.app
# Supabase
SUPABASE_URL=https://xxx.supabase.co
SUPABASE_KEY=<your-anon-key>
# Frontend
VITE_SITE_URL=https://merp25.up.railway.app
Dual Frontend Setup (Vercel + Railway) 🚀 🚀¶
If you are running two frontends pointing to the same Railway backend, use these exact values:
Backend Service (Railway API) Variables:
# Allowed Hosts (The Backend itself)
ALLOWED_HOSTS=merp25-api.up.railway.app,localhost,127.0.0.1
# CORS: Allow both frontends to talk to this API
CORS_ALLOWED_ORIGINS=https://www.ebosai.com,https://merp25.vercel.app,https://merp25.up.railway.app
# CSRF: Trust both frontends AND the backend API
CSRF_TRUSTED_ORIGINS=https://www.ebosai.com,https://merp25.vercel.app,https://merp25.up.railway.app,https://merp25-api.up.railway.app
Vercel (Production & Staging Frontend) ▲¶
- Production: Deployed from
main. Connects to Railway Backend (merp25-api.up.railway.app). - Staging (Preview): Deployed from
stage. Connects to Render Backend (merp25-backend.onrender.com).
Render (Staging Backend) 🎨¶
This service acts as the Staging Backend for the stage branch.
# Core Django
SECRET_KEY=<your-staging-secret-key>
DEBUG=True
ALLOWED_HOSTS=merp25-backend.onrender.com,localhost,127.0.0.1
# CORS & CSRF
CORS_ALLOWED_ORIGINS=https://merp25stage.vercel.app,https://staging.merp25.com
CSRF_TRUSTED_ORIGINS=https://merp25stage.vercel.app,https://staging.merp25.com,https://merp25-backend.onrender.com
# Frontend
VITE_SITE_URL=https://merp25stage.vercel.app
🔍 Frontend Audit Results¶
The frontend application (frontend/) is also 100% environment-variable driven within the source code:
- ✅ API Service:
frontend/src/lib/api.tsusesimport.meta.env.VITE_API_URL. - ✅ Supabase Client:
frontend/src/lib/supabase.tsusesVITE_SUPABASE_URLandVITE_SUPABASE_ANON_KEY. - ✅ Deployment Manifests:
railway.jsonandvercel.jsoncontain no hardcoded domains.
📁 Deployment Config Files Reference¶
- ✅ Railway:
railway.json/frontend/railway.json - ✅ Vercel:
frontend/vercel.json(SPA routing only) - ✅ Render:
render.yaml
🎯 Deployment Workflow¶
1. Configure¶
Set the environment variables listed above in your hosting provider's dashboard (Railway, Vercel, or Render).
2. Deploy¶
Push your code to the connected GitHub repository. The platform will automatically detect the configuration files and deploy.
3. Verify¶
Ensure the CORS_ALLOWED_ORIGINS includes the current frontend URL to prevent the "Authenticating..." hang issue.
Summary: This application is fully portable. By managing domains through environment variables, you can switch between Railway, Vercel, and Render without modifying any source code.