This page is for operators running their own Switchbord deployment. If you’re using a hosted Switchbord instance, your admin has already handled this configuration — you can skip to Setup to connect your WhatsApp channel.
Self-hosting Switchbord requires setting environment variables across a few deployed services. The variables below control how the operator app connects to Supabase, how it authenticates with Meta, and how the first workspace owner gains access.
Workspace-managed secrets — your Meta access token, webhook signing secret, and verify token — are entered through the product UI, not as environment variables. See Setup for those. The variables on this page are infrastructure-level configuration that you set when deploying the application. Supabase connection
These variables are required for any Switchbord service that reads or writes data.
| Variable | Description |
|---|
NEXT_PUBLIC_SUPABASE_URL | Your Supabase project URL. Required by all services. |
NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY | Supabase publishable key for browser and request-scoped clients. |
SUPABASE_SECRET_KEY | Server-side Supabase admin key. Keep this out of browser contexts. |
SUPABASE_DB_URL | Direct Postgres connection string. Required for the Setup wizard to store provider secrets in Vault, and for the Settings → Provider rotation flow. |
SUPABASE_DB_URL must be set on the operator app server if you want the in-product Setup flow to work. Without it, the app can’t write credentials to Vault and the setup checklist won’t complete.
| Variable | Description |
|---|
WHATSAPP_META_ACCESS_TOKEN | Meta Graph API token for outbound message sends. Used by the worker service. |
WEBHOOK_SIGNATURE_SECRET | Validates the X-Hub-Signature-256 header on inbound webhook payloads. |
META_WEBHOOK_VERIFY_TOKEN | Used for the Meta webhook challenge handshake. |
Workspace bootstrap and access control
These variables control how the first workspace owner gains access, which is important for new deployments where no members exist yet.
| Variable | Description |
|---|
WORKSPACE_BOOTSTRAP_ADMIN_EMAILS | Comma-separated list of email addresses that are granted admin access during workspace bootstrap, without needing an invite. |
WORKSPACE_ALLOW_FIRST_CLAIM | Set to true to allow the first authenticated user to claim workspace ownership when no members exist. Defaults to false. Disable this after the first owner is established. |
If a user signs in to a fresh deployment and lands on /pending-access, the workspace has no members yet. Set WORKSPACE_BOOTSTRAP_ADMIN_EMAILS to their email address (or temporarily enable WORKSPACE_ALLOW_FIRST_CLAIM=true) and have them sign in again. You don’t need to delete and recreate the auth user.
Data mode
| Variable | Values | Description |
|---|
WHATSAPP_PLATFORM_DATA_MODE | mock (default) or supabase | Controls whether the operator app reads and writes data against the typed in-memory mock store or the real Supabase-backed data path. Set to supabase for production deployments. |
mock mode — useful for evaluating Switchbord locally without a Supabase project, but not suitable for real traffic.
Default channel variables
These variables pre-populate the default workspace channel context. They are useful for single-tenant deployments where the channel identity is known at deploy time.
| Variable | Description |
|---|
DEFAULT_WORKSPACE_SLUG | Slug for the default workspace. |
DEFAULT_CHANNEL_WABA_ID | WhatsApp Business Account ID for the default channel. |
DEFAULT_CHANNEL_PHONE_NUMBER_ID | Meta phone number ID for the default channel. |
DEFAULT_CHANNEL_PHONE_E164 | E.164-formatted phone number for the default channel. |
DEFAULT_CHANNEL_DISPLAY_NAME | Human-readable display name for the default channel. |
Backward compatibility
Switchbord accepts NEXT_PUBLIC_SUPABASE_ANON_KEY and SUPABASE_SERVICE_ROLE_KEY as aliases for the publishable key and secret key respectively. New deployments should use the names listed above. 