[Docs] Clarify env vars and custom page URL overrides in AI setup prompts

[mantrakp04]

Summary

• Stress in the SDK setup prompt that STACK_PROJECT_ID (plus STACK_SECRET_SERVER_KEY server-side) are the complete env-var set — there is no separate publishable / client key, and any third slot in .env.local is wrong.
• Add per-framework prefix guidance (NEXT_PUBLIC_…, VITE_…) and explicitly note the server key must never be prefixed/exposed.
• In the custom-page prompt, explain that overriding one handler URL does not override the others: every target falls back to urls.default, so OAuth / magic-link / sign-out / verification flows will visibly redirect through <projectId>.built-with-stack-auth.com unless each is customized.
• Add a table of every handler URL target (signIn, signUp, oauthCallback, signOut, magicLinkCallback, forgotPassword, …) and the SDK call each custom page must invoke.
• Call out the Trusted Domains whitelist requirement (and the localhost-callbacks dev toggle) to avoid REDIRECT_URL_NOT_WHITELISTED.
• Regenerated docs-mintlify/guides/getting-started/setup.mdx and home-prompt-island.jsx from the updated prompt source.

Test plan

• pnpm lint
• pnpm typecheck
• Spot-check the rendered Mintlify setup page reflects the new env-var + URL guidance.

Summary by CodeRabbit

• Documentation
  • Clarified environment variable setup instructions for cloud projects with framework-specific prefixing requirements
  • Enhanced security guidance emphasizing server-side secret key protection
  • Improved OAuth callback configuration guidance for hosted domain redirects

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
stack-auth-hosted-components	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-auth-mcp	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-auth-skills	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-backend	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-dashboard	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-demo	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-docs	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-preview-backend	Ready	Preview, Comment	May 15, 2026 11:46pm
stack-preview-dashboard	Ready	Preview, Comment	May 15, 2026 11:46pm

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated environment variable guidance and OAuth handler documentation across SDK setup prompts and auto-generated documentation. Frontend cloud deployments now explicitly describe framework-specific STACK_PROJECT_ID prefixing conventions (NEXT_PUBLIC_, VITE_, etc.), while backend deployments clarify that STACK_SECRET_SERVER_KEY must never be exposed or prefixed. Added OAuth callback flow guidance and handler URL target overriding rules.

Changes

Configuration and OAuth Guidance

Layer / File(s)	Summary
Cloud project environment variable guidance (source) packages/stack-shared/src/ai/prompts.ts	AI SDK setup prompt updated to clarify that frontend cloud deployments prefix STACK_PROJECT_ID with framework conventions and read only that variable, while backend deployments must keep STACK_SECRET_SERVER_KEY unexposed and unaffixed, consuming only both variables together.
Setup documentation (derived from prompts) docs-mintlify/guides/getting-started/setup.mdx, docs-mintlify/snippets/home-prompt-island.jsx	Auto-generated setup documentation for Next.js, React, Other JS/TS, Tanstack Start, Node.js, and Bun updated with consistent multi-line comments replacing inline guidance, reinforcing framework-specific prefixing rules, secret exposure prevention, and SDK variable consumption for cloud deployments.
OAuth redirect and custom handler URL guidance packages/stack-shared/src/interface/page-component-versions.ts	Custom page prompts expanded to document handler URL target overriding consequences, hosted-domain OAuth behavior, URL whitelisting requirements, and instructions for custom OAuth callback pages to call stackApp.callOAuthCallback() on mount.

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested reviewers

• N2D4

🐰 Environment vars now speak so clear,
No secrets mixed, no prefixes to fear!
OAuth flows on their custom path,
Handler URLs skip the aftermath.
Framework conventions light the way,
Cloud configs shine another day! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main changes: clarifying environment variable instructions and custom page URL overrides in AI setup prompts.
Description check	✅ Passed	The description comprehensively outlines the changes, provides clear reasoning, and includes a test plan with checkboxes for verification.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/clarify-env-vars-and-custom-page-urls

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

docs-mintlify/snippets/home-prompt-island.jsx

Parsing error: The keyword 'export' is reserved

docs-mintlify/guides/getting-started/setup.mdx

Parsing error: Assigning to rvalue

packages/stack-shared/src/ai/prompts.ts

Parsing error: error TS5012: Cannot read file '/tsconfig.json': ENOENT: no such file or directory, open '/tsconfig.json'.

• 1 others

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR updates the Stack Auth AI setup prompts to clarify that only STACK_PROJECT_ID (+ STACK_SECRET_SERVER_KEY server-side) are required — no publishable/client key — and adds per-framework prefix guidance. It also enriches the custom-page prompt with a table of all handler URL targets and a warning that overriding one URL does not override the others.

• SDK Setup section (prompts.ts): expanded env-var block with NEXT_PUBLIC_/VITE_ prefix examples and an explicit "two-variable complete set" note; the message is clear and correct for the SDK flows.
• Custom-page prompt (page-component-versions.ts): adds a handler URL table with required SDK calls and a Trusted Domains/localhost-callbacks callout, meaningfully improving guidance for developers building fully custom auth flows.
• Supabase and CLI sections (prompts.ts): not updated — the Supabase .env.local block still lists NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY as a third variable, and the CLI setup still passes publishable_client_key to prompt_cli_login, directly contradicting the new "no publishable key" guidance the rest of the prompt introduces.

Confidence Score: 3/5

The core SDK guidance improvements are accurate, but the Supabase setup section was left with a contradictory third env-var entry that directly undermines the 'no publishable key' message this PR introduces.

The Supabase .env.local block still instructs users to add NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY — the exact three-variable pattern the PR explicitly says is wrong. AI agents following this unified prompt will hit the contradiction and either add the now-unnecessary key (Supabase path) or be confused about whether CLI auth needs it.

packages/stack-shared/src/ai/prompts.ts — the Supabase setup block (line ~170) and CLI setup block (line ~299) need to be updated to match the new env-var guidance, or the blanket 'no publishable key' statement needs to be qualified for those flows.

Important Files Changed

Filename	Overview
packages/stack-shared/src/ai/prompts.ts	SDK Setup section updated with clear env-var guidance; Supabase and CLI sections not updated, leaving contradictory NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY and publishable_client_key references.
packages/stack-shared/src/interface/page-component-versions.ts	Adds a detailed URL-override warning and handler table; magicLinkCallback row lacks a specific SDK method name.
docs-mintlify/guides/getting-started/setup.mdx	Auto-generated from prompts.ts; inherits the same Supabase/CLI inconsistency from the source.
docs-mintlify/snippets/home-prompt-island.jsx	Auto-generated from prompts.ts; mirrors the changes in setup.mdx.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User visits auth flow URL] --> B{Is URL target customized?}
    B -- Yes --> C[Render custom page at your origin]
    C --> D{Which target?}
    D -- signIn/signUp --> E[Render form, call stackApp.signIn/signUp]
    D -- oauthCallback --> F[Call stackApp.callOAuthCallback]
    D -- signOut --> G[Call stackApp.signOut + redirectToAfterSignOut]
    D -- magicLinkCallback --> H[Complete magic-link exchange]
    D -- other targets --> I[Implement per-target]
    B -- No --> J[Redirect through projectId.built-with-stack-auth.com]
    J --> K{Domain whitelisted?}
    K -- Yes --> L[Hosted page serves request]
    K -- No --> M[REDIRECT_URL_NOT_WHITELISTED error]

Loading

Comments Outside Diff (1)

1. packages/stack-shared/src/ai/prompts.ts, line 168-172 (link)

   Supabase section contradicts the new "no publishable key" guidance

   The SDK Setup section (lines 543 and 570) now explicitly states: "there is no separate publishable / client key — the project ID alone is sufficient on the client" and "if a third slot is present in any .env.local you write, it is wrong." However, the Supabase setup section was not updated and still instructs users to add NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY as a third .env.local slot. An AI agent reading this prompt will encounter directly contradictory instructions: the general guidance says no third key, but the Supabase example shows exactly that. The CLI Setup section at line 299 also still passes publishable_client_key to prompt_cli_login, which is a related inconsistency — if the CLI flow genuinely requires this key, the blanket "no publishable key" statement should be qualified to exclude CLI auth.

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: packages/stack-shared/src/ai/prompts.ts
   Line: 168-172
   
   Comment:
   **Supabase section contradicts the new "no publishable key" guidance**
   
   The SDK Setup section (lines 543 and 570) now explicitly states: *"there is **no** separate publishable / client key — the project ID alone is sufficient on the client"* and *"if a third slot is present in any `.env.local` you write, it is wrong."* However, the Supabase setup section was not updated and still instructs users to add `NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY` as a third `.env.local` slot. An AI agent reading this prompt will encounter directly contradictory instructions: the general guidance says no third key, but the Supabase example shows exactly that. The CLI Setup section at line 299 also still passes `publishable_client_key` to `prompt_cli_login`, which is a related inconsistency — if the CLI flow genuinely requires this key, the blanket "no publishable key" statement should be qualified to exclude CLI auth.
   
   How can I resolve this? If you propose a fix, please make it concise.

   

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
packages/stack-shared/src/ai/prompts.ts:168-172
**Supabase section contradicts the new "no publishable key" guidance**

The SDK Setup section (lines 543 and 570) now explicitly states: *"there is **no** separate publishable / client key — the project ID alone is sufficient on the client"* and *"if a third slot is present in any `.env.local` you write, it is wrong."* However, the Supabase setup section was not updated and still instructs users to add `NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY` as a third `.env.local` slot. An AI agent reading this prompt will encounter directly contradictory instructions: the general guidance says no third key, but the Supabase example shows exactly that. The CLI Setup section at line 299 also still passes `publishable_client_key` to `prompt_cli_login`, which is a related inconsistency — if the CLI flow genuinely requires this key, the blanket "no publishable key" statement should be qualified to exclude CLI auth.

### Issue 2 of 2
packages/stack-shared/src/interface/page-component-versions.ts:116
**`magicLinkCallback` row missing its required SDK call**

The `oauthCallback` row specifies `await stackApp.callOAuthCallback()` and the `signOut` row specifies `await stackApp.signOut()` / `await stackApp.redirectToAfterSignOut(...)`. The `magicLinkCallback` row only says "Complete the magic-link exchange" without naming the SDK method to invoke on mount. Since this table is the primary guidance for AI agents implementing custom pages, the missing call will cause agents to either guess the API name or leave the page incomplete.

_{Reviews (1): Last reviewed commit: "[Docs] Clarify env vars and custom page ..." | Re-trigger Greptile}

[greptile-apps]

magicLinkCallback row missing its required SDK call

The oauthCallback row specifies await stackApp.callOAuthCallback() and the signOut row specifies await stackApp.signOut() / await stackApp.redirectToAfterSignOut(...). The magicLinkCallback row only says "Complete the magic-link exchange" without naming the SDK method to invoke on mount. Since this table is the primary guidance for AI agents implementing custom pages, the missing call will cause agents to either guess the API name or leave the page incomplete.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/stack-shared/src/interface/page-component-versions.ts
Line: 116

Comment:
**`magicLinkCallback` row missing its required SDK call**

The `oauthCallback` row specifies `await stackApp.callOAuthCallback()` and the `signOut` row specifies `await stackApp.signOut()` / `await stackApp.redirectToAfterSignOut(...)`. The `magicLinkCallback` row only says "Complete the magic-link exchange" without naming the SDK method to invoke on mount. Since this table is the primary guidance for AI agents implementing custom pages, the missing call will cause agents to either guess the API name or leave the page incomplete.

How can I resolve this? If you propose a fix, please make it concise.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

packages/stack-shared/src/ai/prompts.ts (2)

166-172: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical inconsistency: Supabase example contradicts new env-var guidance.

The Supabase setup example still references NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY, but the updated cloud-project setup instructions (lines 543, 570) now explicitly state there is no separate publishable/client key—only STACK_PROJECT_ID is needed on the client. This contradicts the new documentation and will confuse users.

🔧 Proposed fix to align with new env-var guidance

       Also add the Stack Auth environment variables:

       ```.env .env.local
       NEXT_PUBLIC_STACK_PROJECT_ID=<your-stack-project-id>
-      NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=<your-publishable-client-key>
       STACK_SECRET_SERVER_KEY=<your-secret-server-key>
       ```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-shared/src/ai/prompts.ts` around lines 166 - 172, Update the
Supabase setup example to remove the now-incorrect
NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY and align it with the new env-var
guidance by showing only the client-facing NEXT_PUBLIC_STACK_PROJECT_ID and the
server secret STACK_SECRET_SERVER_KEY; specifically, edit the example block that
currently lists NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY so it instead shows
NEXT_PUBLIC_STACK_PROJECT_ID=<your-stack-project-id> and
STACK_SECRET_SERVER_KEY=<your-secret-server-key>, ensuring the docs consistently
reference NEXT_PUBLIC_STACK_PROJECT_ID (client) and STACK_SECRET_SERVER_KEY
(server).

---

299-299: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Critical inconsistency: CLI example contradicts new env-var guidance.

The CLI prompt_cli_login function signature includes a publishable_client_key parameter, but the updated cloud-project setup instructions (lines 543, 570) now explicitly state there is no separate publishable/client key—only the project ID is needed on the client. This example contradicts the new documentation.

🔧 Proposed fix to align with new env-var guidance

       refresh_token = prompt_cli_login(
         app_url="https://your-app-url.example.com",
         project_id="your-project-id-here",
-        publishable_client_key="your-publishable-client-key-here",
       )

Note: Verify that the CLI template implementation (stack_auth_cli_template.py) no longer requires the publishable_client_key parameter. If the template still expects it, the template itself needs updating too.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-shared/src/ai/prompts.ts` at line 299, The CLI example uses a
now-removed publishable/client key: update the prompt_cli_login signature and
any call sites to remove the publishable_client_key parameter and rely only on
project ID per the new env-var guidance; also verify and update the
stack_auth_cli_template.py template so it does not expect publishable_client_key
(remove its parameter and any references), and ensure any docs/examples calling
prompt_cli_login pass only the project ID (and adjust parameter names if needed)
to keep the examples consistent with the new cloud-project setup instructions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/stack-shared/src/interface/page-component-versions.ts`:
- Line 115: The guidance for the custom signOut page conflicts with the later
signOut prompt contract: instead of mandating an immediate redirect after
calling stackApp.signOut(), update the guidance for signOut (the line
referencing `stackApp.signOut()` and `stackApp.redirectToAfterSignOut({ replace:
true })`) to require that the page call `await stackApp.signOut()` and then
render a stable signed-out confirmation state (matching the dedicated `signOut`
prompt contract); only call `await stackApp.redirectToAfterSignOut({ replace:
true })` from the confirmation flow when you want to navigate away (or clarify
both places to accept immediate redirect). Ensure both the signOut guidance and
the signOut prompt text refer to the same behavior so they are consistent.

---

Outside diff comments:
In `@packages/stack-shared/src/ai/prompts.ts`:
- Around line 166-172: Update the Supabase setup example to remove the
now-incorrect NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY and align it with the new
env-var guidance by showing only the client-facing NEXT_PUBLIC_STACK_PROJECT_ID
and the server secret STACK_SECRET_SERVER_KEY; specifically, edit the example
block that currently lists NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY so it
instead shows NEXT_PUBLIC_STACK_PROJECT_ID=<your-stack-project-id> and
STACK_SECRET_SERVER_KEY=<your-secret-server-key>, ensuring the docs consistently
reference NEXT_PUBLIC_STACK_PROJECT_ID (client) and STACK_SECRET_SERVER_KEY
(server).
- Line 299: The CLI example uses a now-removed publishable/client key: update
the prompt_cli_login signature and any call sites to remove the
publishable_client_key parameter and rely only on project ID per the new env-var
guidance; also verify and update the stack_auth_cli_template.py template so it
does not expect publishable_client_key (remove its parameter and any
references), and ensure any docs/examples calling prompt_cli_login pass only the
project ID (and adjust parameter names if needed) to keep the examples
consistent with the new cloud-project setup instructions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6d678136-49b8-490c-ad85-cb90c724051d

📥 Commits

Reviewing files that changed from the base of the PR and between 049c557 and f6d8024.

📒 Files selected for processing (4)

• docs-mintlify/guides/getting-started/setup.mdx
• docs-mintlify/snippets/home-prompt-island.jsx
• packages/stack-shared/src/ai/prompts.ts
• packages/stack-shared/src/interface/page-component-versions.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Sign-out guidance now conflicts with the existing signOut prompt contract.

Line 115 says the custom signOut page must redirect immediately after stackApp.signOut(), but the dedicated signOut prompt later in this file still requires a stable signed-out confirmation state. Please align these two contracts so generated guidance is consistent.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/stack-shared/src/interface/page-component-versions.ts` at line 115,
The guidance for the custom signOut page conflicts with the later signOut prompt
contract: instead of mandating an immediate redirect after calling
stackApp.signOut(), update the guidance for signOut (the line referencing
`stackApp.signOut()` and `stackApp.redirectToAfterSignOut({ replace: true })`)
to require that the page call `await stackApp.signOut()` and then render a
stable signed-out confirmation state (matching the dedicated `signOut` prompt
contract); only call `await stackApp.redirectToAfterSignOut({ replace: true })`
from the confirmation flow when you want to navigate away (or clarify both
places to accept immediate redirect). Ensure both the signOut guidance and the
signOut prompt text refer to the same behavior so they are consistent.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[vercel]

Documentation incorrectly claims there is "no separate publishable / client key" while the codebase contains a PUBLISHABLE_CLIENT_KEY_REQUIRED_FOR_PROJECT error and examples showing actual use of publishable client keys.