Configuration¶
All PAC config lives on Settings. It is loaded from environment variables via Pydantic.
Environment variables¶
| Variable | Purpose | Example |
|---|---|---|
PAC_BASE_URL |
Base URL of the Alanube API. No trailing slash required (we strip one anyway). | https://api.alanube.co |
PAC_API_KEY |
Bearer token issued by Alanube. Sent as Authorization: Bearer <token> on every request. |
sk_live_... |
PAC_BILLING_POINT |
Default billing point code used when constructing DatosGenerales. Almost always 001. |
001 |
PAC_WEBHOOK_SECRET |
Shared secret used to validate the X-Pac-Signature header on incoming webhooks. |
whsec_... |
PAC_WEBHOOK_URL |
Public URL Alanube should call back. We pass this when we ask Alanube to push a webhook for a specific document. | https://api.cifras.io/webhooks/pac |
How they're consumed¶
| Setting | Used by |
|---|---|
pac_base_url |
All clients in app/wrappers/pac/ and PacWebhookService._get_pdf_url_from_pac |
pac_api_key |
PacService.pac_headers, PacWebhookService.pac_headers, PacPdfAttachmentService.pac_headers |
pac_billing_point |
PacInvoiceFactory._create_general_data |
pac_webhook_secret |
app/webhooks/router.py (signature check) and PacService.notify_webhook (passed to Alanube on demand) |
pac_webhook_url |
PacService.notify_webhook |
Local dev¶
For local development:
- Get sandbox credentials from Alanube.
- Put them in
.env.local(or your shell env). - Use a tunnel (ngrok, cloudflared, etc.) and set
PAC_WEBHOOK_URLto the tunnel URL when you need to receive webhooks.
Production¶
Production envs are managed in k8s/. Secrets are injected via Kubernetes secrets — never commit credentials to the repo. Staging and production each have their own pac_api_key and pac_webhook_secret.
Tenant-level configuration¶
Beyond the global env vars, each tenant must have:
tenant.pac_company_id— set during onboarding, see Tenant Onboarding.- At least one office with
pac_office_id— also set during onboarding.
These are stored in the database, not in env vars, because they are scoped per tenant.