Production Deployment

Production-ready configuration, security, monitoring, and deployment best practices for MediPact.

Production Configuration

MediPact is configured for production deployment with proper environment validation, structured logging, security headers, and error handling. The system supports both Hedera testnet (for development) and mainnet (for production).

Environment Variables

Required Variables

    # Hedera Configuration
    OPERATOR_ID="0.0.xxxxx"                    # Hedera operator account
    OPERATOR_KEY="0x..."                       # ECDSA private key (HEX)
    PLATFORM_HEDERA_ACCOUNT_ID="0.0.xxxxx"    # Platform account for payments

    # Production Settings
    NODE_ENV="production"
    LOG_LEVEL="INFO"                           # ERROR, WARN, INFO, DEBUG
    PORT=8080

    # Security
    JWT_SECRET="your-secret-min-32-chars"      # At least 32 characters

    # Database (PostgreSQL for production)
    DATABASE_URL="postgresql://user:pass@host:port/db"

    # Frontend URL (for CORS)
    FRONTEND_URL="https://www.medipact.space"

Optional Configuration

    # Hedera Network (defaults based on NODE_ENV)
    HEDERA_NETWORK="testnet"                   # or "mainnet"

    # Automatic Withdrawals
    AUTOMATIC_WITHDRAWAL_ENABLED="true"
    AUTOMATIC_WITHDRAWAL_INTERVAL_MINUTES=1440  # Daily

    # Exchange Rate
    EXCHANGE_RATE_UPDATE_INTERVAL_MINUTES=5
    EXCHANGE_RATE_FALLBACK=0.16

    # Smart Contracts
    REVENUE_SPLITTER_ADDRESS="0x..."
    CONSENT_MANAGER_ADDRESS="0x..."

Environment Validation

On server startup, the system validates all required environment variables and ensures proper configuration:

  • Required Variables: Validates presence of OPERATOR_ID, OPERATOR_KEY, PLATFORM_HEDERA_ACCOUNT_ID
  • Format Validation: Checks Hedera account ID format (0.0.xxxxx), JWT secret length
  • Production Warnings: Warns about DEBUG logging, testnet usage in production
  • Default Values: Sets sensible defaults for optional variables
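
The startup checks listed above, sketched as an added example (not MediPact's own code). The names validateEnv, REQUIRED and ACCOUNT_ID are hypothetical; treating a short JWT secret as fatal and defaulting production to mainnet are assumptions of this example.

```javascript
// Added example, not MediPact source. All function and constant names are hypothetical.
const REQUIRED = ["OPERATOR_ID", "OPERATOR_KEY", "PLATFORM_HEDERA_ACCOUNT_ID"];
const ACCOUNT_ID = /^0\.0\.\d+$/; // the 0.0.xxxxx shape shown on this page

function validateEnv(env) {
  const errors = [];
  const warnings = [];
  const isProd = env.NODE_ENV === "production";

  // Presence: report the variable name only, never its value (OPERATOR_KEY is a private key).
  for (const name of REQUIRED) {
    if (!env[name]) errors.push(`${name} is required`);
  }
  // Format: both account variables must be Hedera account IDs.
  for (const name of ["OPERATOR_ID", "PLATFORM_HEDERA_ACCOUNT_ID"]) {
    if (env[name] && !ACCOUNT_ID.test(env[name])) {
      errors.push(`${name} must match 0.0.<number>`);
    }
  }
  // Assumption: a missing or short JWT secret is fatal rather than a warning.
  if ((env.JWT_SECRET || "").length < 32) {
    errors.push("JWT_SECRET must be at least 32 characters");
  }

  // Defaults for optional variables (values taken from this page; the
  // production -> mainnet mapping is an assumption).
  const config = {
    logLevel: (env.LOG_LEVEL || "INFO").toUpperCase(),
    port: Number(env.PORT || 8080),
    hederaNetwork: env.HEDERA_NETWORK || (isProd ? "mainnet" : "testnet"),
    withdrawalIntervalMinutes: Number(env.AUTOMATIC_WITHDRAWAL_INTERVAL_MINUTES || 1440),
    exchangeRateIntervalMinutes: Number(env.EXCHANGE_RATE_UPDATE_INTERVAL_MINUTES || 5),
  };

  // Production warnings: risky but not fatal settings.
  if (isProd && config.logLevel === "DEBUG") {
    warnings.push("LOG_LEVEL=DEBUG in production");
  }
  if (isProd && config.hederaNetwork === "testnet") {
    warnings.push("HEDERA_NETWORK=testnet in production");
  }
  return { ok: errors.length === 0, errors, warnings, config };
}
```

Call it once with process.env before the server binds its port, and exit non-zero when ok is false.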

Structured Logging

Production Logging

In production, logs are structured as JSON for easy parsing by log aggregation tools (Datadog, CloudWatch, etc.):

    {
      "timestamp": "2024-01-15T10:30:00.000Z",
      "level": "INFO",
      "message": "MediPact Backend Server started",
      "port": 8080,
      "nodeEnv": "production",
      "hederaNetwork": "testnet"
    }

Log Levels

Level | Usage                          | Production
------|--------------------------------|---------------------------
ERROR | Critical errors, exceptions    | ✅ Always logged
WARN  | Warnings, deprecated usage     | ✅ Always logged
INFO  | Business events, startup info  | ✅ Default for production
DEBUG | Detailed debugging information | ❌ Disabled in production

Specialized Logging

  • Security Events: Authentication failures, access violations, suspicious activity
  • Business Events: Dataset purchases, revenue distributions, withdrawals
  • Performance: Slow operations (>1s) logged with duration and context

Security Features

Security Headers

Production mode automatically enables security headers:

Header                    | Value                           | Purpose
--------------------------|---------------------------------|------------------------------
X-Content-Type-Options    | nosniff                         | Prevents MIME type sniffing
X-Frame-Options           | DENY                            | Prevents clickjacking
X-XSS-Protection          | 1; mode=block                   | XSS protection
Strict-Transport-Security | max-age=31536000                | Forces HTTPS
Referrer-Policy           | strict-origin-when-cross-origin | Controls referrer information

Error Handling

  • Structured Error Logging: All errors logged with context (path, method, IP, status code)
  • No Stack Traces: Stack traces only shown in development mode
  • Graceful Shutdown: Handles SIGINT and SIGTERM for clean shutdowns
  • Uncaught Exceptions: Logged and trigger graceful shutdown
  • Unhandled Rejections: Logged with promise context

CORS Configuration

In production, CORS is restricted to specific frontend URLs for security:

    # Production CORS (restricted)
    Allowed Origins:
      - https://www.medipact.space
      - https://medipact.space
      - value of FRONTEND_URL (if set)

    # Development CORS (permissive)
    Allowed Origins: * (all origins)
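
An added example (not MediPact's own code) combining the security headers table and the CORS rules above into one framework-independent function; allowedOrigins and responseHeaders are hypothetical names. Origins are compared by exact match, and an unset FRONTEND_URL is dropped so the string "undefined" never enters the allowlist.

```javascript
// Added example, not MediPact source. Function names are hypothetical.
const SECURITY_HEADERS = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "X-XSS-Protection": "1; mode=block",
  "Strict-Transport-Security": "max-age=31536000",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

// Production allowlist: the two fixed origins from this page plus FRONTEND_URL.
function allowedOrigins(env) {
  const fixed = ["https://www.medipact.space", "https://medipact.space"];
  // filter(Boolean) removes an unset FRONTEND_URL; Set removes duplicates.
  return [...new Set([...fixed, env.FRONTEND_URL].filter(Boolean))];
}

// Returns the headers to set on a response for a request with the given Origin.
function responseHeaders(env, requestOrigin) {
  if (env.NODE_ENV !== "production") {
    // Development: permissive CORS, no production security headers.
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Vary: Origin stops shared caches from serving one origin's response to another.
  const headers = { ...SECURITY_HEADERS, Vary: "Origin" };
  // Exact string match only: no prefix, suffix or regex matching on the origin.
  if (requestOrigin && allowedOrigins(env).includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  // For any other origin the CORS header is omitted and the browser blocks the read.
  return headers;
}
```

In a Node handler, pass req.headers.origin as requestOrigin and copy each returned entry onto the response with res.setHeader.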

Database Configuration

PostgreSQL (Production)

Production deployments should use PostgreSQL for:

  • Better concurrency and scalability
  • Built-in encryption (pgcrypto)
  • Row-level security (RLS)
  • HIPAA compliance features
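  • Better performance at scale

    # PostgreSQL Connection
    DATABASE_URL="postgresql://user:password@host:port/database"

    # SSL Configuration (production)
    # Note: rejectUnauthorized: false keeps the connection encrypted but skips
    # verification of the server certificate.
    SSL: { rejectUnauthorized: false }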

SQLite (Development)

SQLite is used for local development. The system automatically detects the database type from the DATABASE_URL environment variable.

Background Jobs

Automatic Withdrawal Job

Runs periodically to process automatic withdrawals for users who have reached their threshold:

  • Default Interval: 1440 minutes (24 hours / daily)
  • Configurable: Set via AUTOMATIC_WITHDRAWAL_INTERVAL_MINUTES
  • Disable: Set AUTOMATIC_WITHDRAWAL_ENABLED=false
  • Manual Trigger: Admin can trigger via API endpoint

Expiration Cleanup Job

Runs every 5 minutes to clean up expired temporary access records and consent records.

Exchange Rate Update

Exchange rates are cached and updated every 5 minutes from the CoinGecko API. The cache is initialized on server startup.

Health Check Endpoint

    GET /health

    Response:
    {
      "status": "healthy",
      "timestamp": "2024-01-15T10:30:00.000Z",
      "service": "MediPact Backend API"
    }

Use this endpoint for monitoring and load balancer health checks. Returns 200 OK when the server is running.

Production Checklist

See backend/PRODUCTION_CHECKLIST.md for a complete deployment checklist covering environment variables, security, monitoring, testing, and compliance.

Monitoring & Observability

Log Aggregation

Structured JSON logs can be easily integrated with:

  • Datadog
  • AWS CloudWatch
  • Google Cloud Logging
  • Elasticsearch / ELK Stack
  • Any log aggregation service

Metrics to Monitor

  • API response times
  • Error rates by endpoint
  • Database connection pool usage
  • Hedera transaction success rates
  • Withdrawal processing times
  • Exchange rate update frequency