Lumina Documentation

API Provider Registration and Keys

Step-by-step account registration, key retrieval, env mapping, admin settings, and safety checklist.

Lumina Docs HomeDocs Index

Standard Setup Workflow (Use for Every Provider)

  1. Create provider account and complete email/KYC/billing verification.
  2. Create app/project inside provider dashboard.
  3. Generate credentials (API key, secret, webhook secret, client ID/secret).
  4. Add keys to .env on server and local, then clear/rebuild cache.
  5. Map same credentials in admin system settings if your panel supports runtime overrides.
  6. Test in sandbox/test mode first, then switch to live credentials.

After changing provider keys, run:

php artisan optimize:clear
php artisan config:cache

AI Providers

Common flow for OpenAI, Anthropic, xAI, DeepSeek, ElevenLabs, Stability AI, Replicate, Fal.ai, Tavily:

Official portals:OpenAI,Anthropic,xAI,DeepSeek,ElevenLabs,Stability AI,Replicate,Fal.ai,Tavily.

  1. Sign up on the provider website and verify account/billing.
  2. Open dashboard sections usually named API Keys, Developers, or Credentials.
  3. Create a new API key and copy it immediately (many platforms only show it once).
  4. If needed, add allowed domain/IP restrictions and usage limits.
  5. Paste key into the matching env variable from your project .env.example.

Typical env variables (based on provider):

OPENAI_API_KEY=sk-xxxx
ANTHROPIC_API_KEY=sk-ant-xxxx
XAI_API_KEY=xxxx
DEEPSEEK_API_KEY=xxxx
ELEVENLABS_API_KEY=xxxx
  • Set default model/provider in admin settings after env update.
  • Run a small test prompt in admin or user panel before go-live.

Auth and Security Providers

Official portals:Google Cloud Console,Cloudflare Dashboard.

Google OAuth setup:

  1. Create/select project in Google Cloud Console.
  2. Enable required Google APIs and configure OAuth consent screen.
  3. Create OAuth Client ID (Web Application).
  4. Add authorized redirect URI exactly as used by your app route.
  5. Copy Client ID and Client Secret into env and admin settings.
GOOGLE_CLIENT_ID=xxxxxxxx.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=xxxxxxxx
GOOGLE_REDIRECT_URI=https://yourdomain.com/auth/google/callback

Cloudflare Turnstile setup:

  1. Open Cloudflare dashboard and create Turnstile widget for your domain.
  2. Copy site key (frontend) and secret key (backend).
  3. Add both keys in env and enable captcha from admin settings page.
TURNSTILE_SITE_KEY=0x4AAAA...
TURNSTILE_SECRET_KEY=0x4AAAA...
  • Always test callback URLs and login flow on production domain before launch.

Payment Gateways

Supported examples include Stripe, Flutterwave, Paystack, PayPal, Cryptomus, Airwallex, Razorpay, Mollie, CoinGate, YooKassa, Midtrans, Iyzico, Paddle, and 2Checkout.

Official portals:Stripe,Flutterwave,Paystack,PayPal,Cryptomus,Airwallex,Razorpay,Mollie,CoinGate,YooKassa,Midtrans,Iyzico,Paddle,2Checkout.

  1. Register merchant account and complete business verification.
  2. Open developer/API section and generate test keys first.
  3. Set webhook URL in provider dashboard (usually /webhooks/provider-name).
  4. Copy webhook signing secret and store in env.
  5. Map gateway mode (test/live), public key, secret key in admin settings.

Typical payment env keys:

STRIPE_KEY=pk_test_xxxx
STRIPE_SECRET=sk_test_xxxx
STRIPE_WEBHOOK_SECRET=whsec_xxxx
PAYSTACK_PUBLIC_KEY=pk_test_xxxx
PAYSTACK_SECRET_KEY=sk_test_xxxx
  • Do one successful payment and one failed/cancelled payment test before enabling live mode.

Storage Providers (S3 / R2)

Official portals:AWS Console,Cloudflare R2.

Amazon S3: create IAM user with programmatic access, grant least-privilege policy to target bucket, then copy access keys.

Cloudflare R2: create bucket, create API token/access keys, copy account endpoint.

FILESYSTEM_DISK=s3
AWS_ACCESS_KEY_ID=xxxx
AWS_SECRET_ACCESS_KEY=xxxx
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=your-bucket-name
AWS_ENDPOINT=https://<accountid>.r2.cloudflarestorage.com
  • For R2, many setups use AWS_DEFAULT_REGION=auto.
  • Test upload, read, delete, and signed/private URL access from the app.

Project Env Key Reference (.env.example Mapped)

Use these exact variable names from your current project file. Replace sample values with your own secrets.

AI and Research

OPENAI_API_KEY=
ANTHROPIC_API_KEY=
XAI_API_KEY=
DEEPSEEK_API_KEY=
ELEVENLABS_API_KEY=
STABILITY_API_KEY=
REPLICATE_API_KEY=
FAL_KEY=
TAVILY_API_KEY=
JSEARCH_API_KEY=

Google and Auth Security

GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_REDIRECT_URI=https://yourdomain.com/auth/google/callback
GOOGLE_DRIVE_CLIENT_ID=
GOOGLE_DRIVE_CLIENT_SECRET=
GOOGLE_DRIVE_REDIRECT_URI=https://yourdomain.com/admin/integrations/google-drive/callback
TURNSTILE_SITE_KEY=
TURNSTILE_SECRET_KEY=

Payment Gateways

STRIPE_KEY=
STRIPE_SECRET=
STRIPE_WEBHOOK_SECRET=
FLUTTERWAVE_PUBLIC_KEY=
FLUTTERWAVE_SECRET_KEY=
FLUTTERWAVE_SECRET_HASH=
PAYSTACK_PUBLIC_KEY=
PAYSTACK_SECRET_KEY=
PAYPAL_CLIENT_ID=
PAYPAL_CLIENT_SECRET=
PAYPAL_MODE=sandbox
CRYPTOMUS_MERCHANT_ID=
CRYPTOMUS_PAYMENT_KEY=
AIRWALLEX_CLIENT_ID=
AIRWALLEX_API_KEY=
AIRWALLEX_ENV=demo
RAZORPAY_KEY_ID=
RAZORPAY_KEY_SECRET=
RAZORPAY_WEBHOOK_SECRET=
MOLLIE_KEY=
MOLLIE_WEBHOOK_SECRET=
COINGATE_API_TOKEN=
COINGATE_ENVIRONMENT=sandbox
COINGATE_RECEIVE_CURRENCY=USD
YOOKASSA_SHOP_ID=
YOOKASSA_SECRET_KEY=
MIDTRANS_SERVER_KEY=
MIDTRANS_CLIENT_KEY=
MIDTRANS_IS_PRODUCTION=false
IYZICO_API_KEY=
IYZICO_SECRET_KEY=
IYZICO_BASE_URL=https://sandbox-api.iyzipay.com
PADDLE_VENDOR_ID=
PADDLE_API_KEY=
PADDLE_ENV=sandbox
PADDLE_WEBHOOK_SECRET=
TWOCHECKOUT_MERCHANT_CODE=
TWOCHECKOUT_SECRET_KEY=
TWOCHECKOUT_BUY_LINK_SECRET=

Storage

FILESYSTEM_DISK=s3
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=auto
AWS_BUCKET=
AWS_ENDPOINT=
AWS_URL=

How to Map Keys in Admin System Settings

  1. Log in to Filament admin as super admin.
  2. Open Settings area (usually API/Integrations/Payment/SMTP modules).
  3. Paste corresponding values from .env for each provider.
  4. Save settings, then run connection/test actions if available.
  5. If admin values are DB-stored overrides, document whether env or DB has priority in your project.
  • AI page: set default provider and model after entering API keys.
  • Payments page: keep gateway in test mode until webhook and callback tests pass.
  • Security page: enable Turnstile only after keys are valid for your domain.
  • Integrations page: verify OAuth redirect URI exactly matches provider dashboard.

Recommended: keep secrets in server .env and use admin settings mainly for toggles, labels, and non-secret config where possible.

What to Avoid (Security and Reliability)

  • Never commit real API keys into git repositories.
  • Never expose secret keys in frontend JavaScript or public responses.
  • Do not skip webhook signature verification for payment providers.
  • Do not use live keys directly without sandbox testing.
  • Do not mix old/new keys across env and admin settings without cache clear.
  • Rotate keys immediately if exposed in logs, screenshots, or support chats.