Deployment Overview & Configuration
Getting up and running is a easy with various options available. Simply ensure you have a Postgres database and a server that can run Node.js. Customize all the settings of the Feature Flags Platform by referring to the detailed configuration provided below.
App hosting
You have the flexibility to host the platform on any service capable of hosting NextJS ↗ (opens in a new tab) applications with serverless function support. Additionally, you'll need a separate database running elsewhere that the app can connect to. Some app hosting providers that support include Vercel, more coming, all of which offer a free tier option.
- Vercel
- Stay tuned for more upcoming guides!
Managed databases
Ensure that the PostgreSQL service or instance supports serverless environments. Any traditional instance of PostgreSQL with connection pooling, such as PgBouncer ↗ (opens in a new tab), will work effectively.
- Neon - Serverless Postgres
- Stay tuned for more upcoming guides!
Environment Variables
The platform boasts a straightforward configuration process, requiring a set of essential environment variables to configure the services and run the platform smoothly.
Database Configuration
Property | Description | Required |
---|---|---|
DATABASE_URL | Connection URL to your database using PgBouncer. | true |
DIRECT_DATABASE_URL | Direct connection URL to the database used for migrations | true |
Authentication Configuration
General
For the NEXTAUTH_SECRET
variable you can use openssl rand -base64 32
or generate a random value (opens in a new tab).
Property | Description | Required | Example |
---|---|---|---|
NEXTAUTH_SECRET | Used to encrypt the NextAuth.js JWT, and to hash email verification tokens. | true | generate (opens in a new tab) |
NEXTAUTH_URL | Set to the canonical URL of your site | true | https://your-basestack-instance.com (opens in a new tab) |
Providers
Authentication Providers in the Platform are services that you and your team can use for signing in. To find the list of supported providers, check below:
You can have multiple Auth providers on the platform, providing you with more options. However, it is essential to configure at least one Auth provider for the platform to function properly.
API Configuration
The configurations relevant to the API are associated with the endpoint from the REST API
, which enables tasks like fetching the Flags. On the other hand, services concerning the dashboard, members, and permissions are safeguarded by Authentication and can only be accessed from the same origin (CORS).
Rate Limit Configuration
Ensure the protection of REST API
Endpoints against sudden attacks by implementing request rate limits.
Property | Description | Required | Example |
---|---|---|---|
API_RATE_LIMIT_MAX | Requests per minute | false | 120 |
API_RATE_LIMIT_WINDOW_MS | In seconds | false | 60000 |
API_RATE_LIMIT_UNIQUE_TOKEN_PER_SECOND | Max users per second | false | 2000 |
Examples
Here are some examples of how you might configure rate limiting values for different types of applications
Mobile App/API Interaction
Mobile apps often make frequent API requests, and a higher limit can accommodate this behavior. The window and unique token limit provide flexibility for bursts of requests from different users.
API_RATE_LIMIT_MAX: 120 # requests per minute
API_RATE_LIMIT_WINDOW_MS: 60000 # milliseconds (1 minute)
API_RATE_LIMIT_UNIQUE_TOKEN_PER_SECOND: 2000
Web Application
Web applications typically have a mix of user interactions. The rate limits here balance user interactions while preventing abuse.
API_RATE_LIMIT_MAX: 60 # requests per minute
API_RATE_LIMIT_WINDOW_MS: 60000 # milliseconds (1 minute)
API_RATE_LIMIT_UNIQUE_TOKEN_PER_SECOND: 1000
Public API with High Traffic
For public APIs with high traffic, you might need higher limits to accommodate a large number of clients. The unique token limit can handle a substantial number of unique clients.
API_RATE_LIMIT_MAX: 300 # requests per minute
API_RATE_LIMIT_WINDOW_MS: 60000 # milliseconds (1 minute)
API_RATE_LIMIT_UNIQUE_TOKEN_PER_SECOND: 5000
Heavy Data Processing API
APIs that involve heavy data processing might have lower limits to avoid resource exhaustion. The longer window provides more time for processing.
API_RATE_LIMIT_MAX: 10 # requests per minute
API_RATE_LIMIT_WINDOW_MS: 300000 # milliseconds (5 minutes)
API_RATE_LIMIT_UNIQUE_TOKEN_PER_SECOND: 50
CORS Configuration
We highly recommend securing the REST API
requests to ensure they originate from the same domain as your services. You can modify the variables below to align with your product domains.
Property | Description | Required | Example |
---|---|---|---|
API_ACCESS_CONTROL_ALLOW_ORIGIN | Indicates whether the response can be shared with requesting code from the given origin | false | * |