All runtime configuration is controlled via the .env file in the project root. This document covers every available variable, grouped by functional category.
How configuration works
- The .env file is the single source of truth for your environment.
- Laravel reads .env and maps values into config/ files.
- In production, run php artisan config:cache to compile all config into a single cached file; this improves performance and prevents direct .env reads.
- After any .env change in production, clear and rebuild the cache:
php artisan config:clear && php artisan cache:clear
php artisan config:cache && php artisan route:cache
For Docker environments, the .env.docker file is pre-configured for container networking. make setup copies it to .env automatically.
Application Core
| Variable | Required | Default | Description |
|---|---|---|---|
| APP_NAME | Yes | OnlineCasinoScript | Casino display name. Shown in browser tab and emails. |
| APP_ENV | Yes | local | Set to production on live servers. |
| APP_KEY | Yes | (empty) | 32-character encryption key. Generate with php artisan key:generate. |
| APP_DEBUG | Yes | false | Must be false in production. Setting to true exposes stack traces. |
| APP_URL | Yes | http://localhost | Full URL including scheme (e.g., https://casino.example.com). |
| FORCE_HTTPS | No | false | Set to true in production to force all requests to HTTPS. |
| CSP_ENABLED | No | false | Enables Content-Security-Policy header. Recommended for production. |
| CORS_ALLOWED_ORIGINS | No | * | Comma-separated list of allowed origins for CORS. Restrict in production. |
Database
| Variable | Required | Default | Description |
|---|---|---|---|
| DB_CONNECTION | Yes | mysql | Database driver. Use mysql (MySQL 8+ or MariaDB 10.6+). |
| DB_HOST | Yes | 127.0.0.1 | Database host. Use mysql inside Docker. |
| DB_PORT | No | 3306 | Database port. |
| DB_DATABASE | Yes | online_casino | Database name. |
| DB_USERNAME | Yes | (empty) | Database user. |
| DB_PASSWORD | Yes | (empty) | Database password. Use a strong unique password in production. |
| DB_READ_HOST | No | (empty) | Comma-separated read replica hosts for horizontal scaling. |
All monetary values are stored as DECIMAL(18,8) and handled as strings via bcmath. Never use float arithmetic on money.
Cache and Sessions
| Variable | Required | Default | Description |
|---|---|---|---|
| CACHE_STORE | No | redis | Cache driver. Use redis in production. |
| REDIS_HOST | Yes | 127.0.0.1 | Redis host. Use redis inside Docker. |
| REDIS_PASSWORD | No | (empty) | Redis password (required if requirepass is set in redis.conf). |
| REDIS_PORT | No | 6379 | Redis port. |
| REDIS_CACHE_DB | No | 1 | Redis database index for application cache. |
| REDIS_SESSION_DB | No | 2 | Redis database index for sessions. |
| SESSION_DRIVER | No | redis | Session backend. Use redis in production. |
| SESSION_LIFETIME | No | 120 | Session expiry in minutes (player inactivity). |
| SESSION_SECURE_COOKIE | No | true | Set to true in production (requires HTTPS). Set to false for local HTTP development. |
| SESSION_SAME_SITE | No | strict | SameSite cookie policy. Use strict in production. |
Queue (Horizon)
| Variable | Required | Default | Description |
|---|---|---|---|
| QUEUE_CONNECTION | No | redis | Queue driver. Must be redis for Horizon to work. |
| HORIZON_PREFIX | No | casino_horizon_ | Redis key prefix for Horizon. Change if running multiple Horizon instances on the same Redis. |
The queue processes: email delivery, withdrawal processing, bonus wagering calculations, KYC notifications, push notifications, and audit log writes.
WebSockets (Reverb)
| Variable | Required | Default | Description |
|---|---|---|---|
| REVERB_APP_ID | Yes | online-casino | Reverb app identifier. Must be unique per installation. |
| REVERB_APP_KEY | Yes | (empty) | Reverb authentication key. Generate: openssl rand -hex 16. |
| REVERB_APP_SECRET | Yes | (empty) | Reverb signing secret. Generate: openssl rand -hex 32. |
| REVERB_HOST | Yes | localhost | WebSocket server host. Use your domain in production. |
| REVERB_PORT | No | 8080 | WebSocket server port. Use 443 in production (proxied through Nginx). |
| REVERB_SCHEME | No | http | http for local development, https for production. |
| REVERB_ALLOWED_ORIGINS | Yes | localhost | Comma-separated origins allowed to connect via WebSocket. |
| REVERB_SCALING_ENABLED | No | false | Enable Redis-backed WebSocket scaling for multi-server deployments. |
| VITE_REVERB_APP_KEY | Yes | (matches REVERB_APP_KEY) | Frontend Vite variable: must match REVERB_APP_KEY. |
| VITE_REVERB_HOST | Yes | localhost | Frontend Vite variable: WebSocket host for the browser. |
| VITE_REVERB_PORT | No | 8080 | Frontend Vite variable: WebSocket port for the browser. |
| VITE_REVERB_SCHEME | No | http | Frontend Vite variable: scheme for the browser. |
Mail / SMTP
| Variable | Required | Default | Description |
|---|---|---|---|
| MAIL_MAILER | Yes | log | Mail driver. Use smtp in production (log writes emails to log file only). |
| MAIL_HOST | Yes (smtp) | (empty) | SMTP server hostname (e.g., smtp.mailgun.org). |
| MAIL_PORT | Yes (smtp) | 587 | SMTP port. 587 for TLS, 465 for SSL. |
| MAIL_USERNAME | Yes (smtp) | (empty) | SMTP username. |
| MAIL_PASSWORD | Yes (smtp) | (empty) | SMTP password or API key. |
| MAIL_ENCRYPTION | No | tls | Encryption protocol: tls or ssl. |
| MAIL_FROM_ADDRESS | Yes | (empty) | Sender email address (e.g., noreply@casino.example.com). |
| MAIL_FROM_NAME | No | "${APP_NAME}" | Sender display name. |
Emails are dispatched via the queue. If emails aren’t sending, check that Horizon is running.
JWT Authentication
| Variable | Required | Default | Description |
|---|---|---|---|
| JWT_SECRET | Yes | (empty) | JWT signing secret. Generate with php artisan jwt:secret. |
| JWT_TTL | No | 15 | Access token lifespan in minutes. Default is 15 minutes. |
| JWT_REFRESH_TTL | No | 43200 | Refresh token lifespan in minutes. Default is 30 days. |
Player tokens expire after 15 minutes and are refreshed automatically by the Vue frontend. Admin tokens also expire every 15 minutes and require re-authentication with a fresh TOTP code.
Logging
| Variable | Required | Default | Description |
|---|---|---|---|
| LOG_CHANNEL | No | stack | Log channel driver. |
| LOG_STACK | No | single,structured | Comma-separated stack channels. structured outputs JSON logs. |
| LOG_LEVEL | No | warning | Minimum log severity: debug, info, notice, warning, error, critical. Use warning or error in production. |
Log files are at:
storage/logs/laravel.log — application log
storage/logs/structured.json — structured JSON log (for log aggregators)
Payment Providers
Payment provider credentials are set in .env and used by the payment adapter layer. Available provider variables:
| Variable | Description |
|---|---|
| STRIPE_KEY | Stripe publishable key |
| STRIPE_SECRET | Stripe secret key |
| STRIPE_WEBHOOK_SECRET | Stripe webhook signing secret |
| COINBASE_COMMERCE_KEY | Coinbase Commerce API key |
| COINBASE_WEBHOOK_SECRET | Coinbase Commerce webhook secret |
| PAYPAL_CLIENT_ID | PayPal REST client ID |
| PAYPAL_CLIENT_SECRET | PayPal REST client secret |
| PAYPAL_SANDBOX | true for testing, false for live |
| MOLLIE_KEY | Mollie API key |
| BANK_TRANSFER_ACCOUNT_NAME | Display name for bank transfer instructions |
| BANK_TRANSFER_IBAN | IBAN shown for bank transfer deposits |
| BANK_TRANSFER_BIC | BIC/SWIFT code for bank transfers |
Payment methods are enabled and configured per-method in Admin → Settings → Payment Methods. The .env variables provide the API credentials that back-end adapters use.
KYC Providers
| Variable | Description |
|---|---|
| KYC_PROVIDER | KYC provider driver: manual, onfido, or sumsub |
| ONFIDO_API_TOKEN | Onfido API token (when KYC_PROVIDER=onfido) |
| SUMSUB_APP_TOKEN | Sum&Substance application token (when KYC_PROVIDER=sumsub) |
| SUMSUB_SECRET_KEY | Sum&Substance secret key |
| CLAMAV_ENABLED | true to enable ClamAV virus scanning on KYC file uploads |
| CLAMAV_HOST | ClamAV daemon host (default: 127.0.0.1) |
| CLAMAV_PORT | ClamAV daemon port (default: 3310) |
With KYC_PROVIDER=manual, operators review uploaded documents directly in the admin panel.
Responsible Gaming
These variables set platform-wide defaults. Operators can override per-player limits via the admin panel, and players can set their own limits in account settings.
| Variable | Default | Description |
|---|---|---|
| RG_DEPOSIT_LIMIT_ENABLED | true | Allow players to set deposit limits |
| RG_LOSS_LIMIT_ENABLED | true | Allow players to set loss limits |
| RG_WAGER_LIMIT_ENABLED | true | Allow players to set wagering limits |
| RG_SELF_EXCLUSION_ENABLED | true | Allow players to self-exclude |
| RG_COOL_OFF_ENABLED | true | Allow players to set cool-off periods |
| SESSION_REMINDER_MINUTES | 60 | How often the platform shows a session time reminder to players (in minutes) |
| RG_MAX_SESSION_HOURS | 24 | Maximum continuous play session duration before forced logout |
| RG_DEFAULT_DAILY_DEPOSIT_LIMIT | (none) | Optional platform-wide daily deposit cap in player currency |
Compliance and AML
| Variable | Default | Description |
|---|---|---|
| AML_LARGE_TRANSACTION_THRESHOLD | 10000 | Single transaction value (in player currency) that triggers an AML alert |
| AML_RAPID_DEPOSIT_COUNT | 5 | Number of deposits in a short window that triggers a rapid deposit alert |
| AML_RAPID_DEPOSIT_WINDOW_MINUTES | 60 | Time window (minutes) for rapid deposit detection |
| AML_STRUCTURING_THRESHOLD | 9000 | Deposits close to this value trigger structuring alerts |
| GAMSTOP_ENABLED | false | Enable GAMSTOP self-exclusion register check (UK) |
| GAMSTOP_API_KEY | (empty) | GAMSTOP API key |
| VPN_DETECTION_ENABLED | false | Block players connecting via VPN/proxy |
| VPN_DETECTION_API_KEY | (empty) | IP intelligence API key for VPN detection |
| AFFORDABILITY_THRESHOLD | 2000 | Cumulative loss threshold (in player currency) that triggers an affordability review |
| EDD_HIGH_DEPOSIT_THRESHOLD | 5000 | Deposit volume that triggers enhanced due diligence |
| MULTI_ACCOUNT_DETECTION_ENABLED | true | Run daily multi-account detection scan |
Scheduled Tasks (Cron Timing)
These variables allow you to adjust when scheduled maintenance tasks run (useful for avoiding peak hours).
| Variable | Default | Description |
|---|---|---|
| LEDGER_AUDIT_TIME | 03:00 | Daily time (UTC) for ledger balance audit |
| MULTI_ACCOUNT_DETECTION_TIME | 04:00 | Daily time (UTC) for multi-account scan |
| BONUS_ABUSE_DETECTION_TIME | 05:00 | Daily time (UTC) for bonus abuse scan |
| VELOCITY_CHECK_TIME | 06:00 | Daily time (UTC) for betting velocity check |
Monitoring and Alerting
| Variable | Default | Description |
|---|---|---|
| ALERT_SLACK_WEBHOOK | (empty) | Slack webhook URL for critical alerts (failed jobs, high error rate, health failures) |
| ALERT_EMAIL_TO | (empty) | Email address to receive critical alert notifications |
| TELESCOPE_ENABLED | false | Enable Laravel Telescope debug dashboard (development only; never in production) |
Scaling
| Variable | Default | Description |
|---|---|---|
| DB_READ_HOST | (empty) | Comma-separated read replica hosts. When set, read queries are load-balanced across these hosts. |
| REVERB_SCALING_ENABLED | false | Enable Redis pub/sub for WebSocket scaling across multiple Reverb nodes |
Docker-specific variables
When running via Docker (make setup), these variables are set automatically in .env.docker:
| Variable | Docker value | Notes |
|---|---|---|
| DB_HOST | mysql | Container service name |
| REDIS_HOST | redis | Container service name |
| REVERB_HOST | localhost | Proxied through Nginx container |
| APP_URL | http://localhost | |
| SESSION_SECURE_COOKIE | false | Plain HTTP only in local Docker |
| REVERB_SCHEME | http | |
Production .env template
A minimal production-ready .env configuration:
APP_NAME="Your Casino"
APP_ENV=production
APP_KEY= # php artisan key:generate
APP_DEBUG=false
APP_URL=https://example.com
FORCE_HTTPS=true
CSP_ENABLED=true
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_DATABASE=online_casino
DB_USERNAME=casino
DB_PASSWORD=
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=
REDIS_PORT=6379
REDIS_CACHE_DB=1
REDIS_SESSION_DB=2
SESSION_DRIVER=redis
SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=strict
JWT_SECRET= # php artisan jwt:secret
REVERB_APP_ID=online-casino
REVERB_APP_KEY= # openssl rand -hex 16
REVERB_APP_SECRET= # openssl rand -hex 32
REVERB_HOST=example.com
REVERB_PORT=443
REVERB_SCHEME=https
REVERB_ALLOWED_ORIGINS=https://example.com
VITE_REVERB_APP_KEY= # same as REVERB_APP_KEY
VITE_REVERB_HOST=example.com
VITE_REVERB_PORT=443
VITE_REVERB_SCHEME=https
MAIL_MAILER=smtp
MAIL_HOST=
MAIL_PORT=587
MAIL_USERNAME=
MAIL_PASSWORD=
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=noreply@example.com
MAIL_FROM_NAME="Your Casino"
LOG_LEVEL=warning
CACHE_STORE=redis
QUEUE_CONNECTION=redis
After filling in values, run:
php artisan key:generate
php artisan jwt:secret
php artisan config:cache
php artisan route:cache
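
A pre-deploy check for the template above, as an added example that is not part of the project's code: it parses a .env file and reports values that conflict with the production settings this page documents, including keys left at an unsafe default because they are missing from the file. The names parse_env and audit, the sample input, and the comment rule (a # at the start of an unquoted value or after whitespace begins a comment) are assumptions of this example.

```python
import re

# KEY: (default documented on this page, value the page asks for in production)
RULES = {
    "APP_ENV": ("local", "production"), "APP_DEBUG": ("false", "false"),
    "FORCE_HTTPS": ("false", "true"), "CSP_ENABLED": ("false", "true"),
    "SESSION_SECURE_COOKIE": ("true", "true"), "SESSION_SAME_SITE": ("strict", "strict"),
    "REVERB_SCHEME": ("http", "https"), "MAIL_MAILER": ("log", "smtp"),
    "TELESCOPE_ENABLED": ("false", "false"),
}
SECRETS = ["APP_KEY", "DB_PASSWORD", "JWT_SECRET", "REVERB_APP_KEY", "REVERB_APP_SECRET"]

def parse_env(text):
    """Parse KEY=value lines, dropping quotes and '# comment' tails on unquoted values."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*=(.*)$", line)
        if not m:
            continue  # blank line, full-line comment, or not an assignment
        raw = m.group(2).strip()
        if raw[:1] in ('"', "'"):
            end = raw.find(raw[0], 1)
            env[m.group(1)] = raw[1:end] if end != -1 else raw[1:]
        else:
            # 'APP_KEY= # php artisan key:generate' must parse as empty, not as the comment
            env[m.group(1)] = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
    return env

def audit(text):
    """Return a list of findings; an empty list means the file passes these checks."""
    env = parse_env(text)
    out = [f"{k}={env.get(k, d)}, expected {w}"
           for k, (d, w) in RULES.items() if env.get(k, d).lower() != w]
    out += [f"{k} is empty" for k in SECRETS if not env.get(k)]
    if "*" in env.get("CORS_ALLOWED_ORIGINS", "*").split(","):
        out.append("CORS_ALLOWED_ORIGINS allows any origin")
    if env.get("VITE_REVERB_APP_KEY") != env.get("REVERB_APP_KEY"):
        out.append("VITE_REVERB_APP_KEY differs from REVERB_APP_KEY")
    return out

# Constructed sample: template with APP_KEY unfilled, debug left on, CORS not set.
SAMPLE = ("APP_ENV=production\nAPP_KEY= # php artisan key:generate\nAPP_DEBUG=true\n"
          "FORCE_HTTPS=true\nCSP_ENABLED=true\nDB_PASSWORD=\"pw #1\"\nJWT_SECRET=x\n"
          "REVERB_APP_KEY=k1\nREVERB_APP_SECRET=s1\nREVERB_SCHEME=https\n"
          "VITE_REVERB_APP_KEY=k1\nMAIL_MAILER=smtp\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

Run it against the real file before php artisan config:cache, so a bad value is caught before it is compiled into the cached configuration.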