Setup guide

• •External Supabase is the active source of truth for data and auth.
• •Migrations under db/ are run manually in the Supabase SQL Editor when provided.
• •Service role keys must never be exposed to the browser.
• •Frontend-safe variables use the VITE_ prefix; server-only variables must not.

Current migration relevant to communications:

db/0006_transactional_email_logs.sql

Creates public.transactional_email_logs for ZeptoMail send logs.

Frontend-safe (bundled into the browser):

VITE_SUPABASE_URL=
VITE_SUPABASE_PUBLISHABLE_KEY=

Server-only (never prefixed with VITE_):

ZEPTOMAIL_API_URL=
ZEPTOMAIL_SEND_MAIL_TOKEN=
ZEPTOMAIL_FROM_EMAIL=
ZEPTOMAIL_FROM_NAME=
ZEPTOMAIL_ADMIN_EMAIL=
UD_SUPABASE_SERVICE_ROLE_KEY=

• •Never prefix secrets with VITE_.
• •UD_SUPABASE_SERVICE_ROLE_KEY is used because Lovable reserves the SUPABASE_ custom secret prefix.
• •Republish/redeploy after env var changes so server functions pick them up.

• •ZeptoMail REST API handles app transactional emails.
• •Supabase Auth still handles signup/reset/auth emails.
• •The sending domain must be verified in ZeptoMail.
• •The sender address must match the verified sender/domain in the same Mail Agent.

For the current AU region setup:

ZEPTOMAIL_API_URL=https://api.zeptomail.com.au/v1.1/email

The Send Mail Token is generated/copied inside:

ZeptoMail → Mail Agent → SMTP/API → API tab

• •Do NOT use the SMTP username/password in ZEPTOMAIL_SEND_MAIL_TOKEN.
• •The token is server-side only — never expose it in the browser.
• •Use /admin/communications to send a test email after configuring.

• •Google login is available alongside email/password.
• •Redirect URIs and origins are configured in Supabase Auth and Google Cloud Console.
• •Do not alter unless required.