# Copy to backend/.env. NEVER commit the real key; it stays server-side only (NFR-4.1).
UPSTREAM_API_KEY=replace-me
GATEWAY_BIND=0.0.0.0:8080
RUST_LOG=info,gateway=debug,ingestion=debug
# Auth: set to enable HS256 JWT verification on write endpoints (sub = user id).
# Unset → dev fallback where the bearer token IS the user id. Set as a Space secret.
# AUTH_JWT_SECRET=replace-with-a-long-random-secret
# Comma-separated active regions; ingestion cadence scales with regions×providers, not users (NFR-6.1).
ACTIVE_REGIONS=PL,GB