withMercur() wraps defineConfig() and wires the marketplace layer in — you pass it the same shape you would pass to Medusa, plus one Mercur-specific field.
withMercur()
medusa-config.ts
InputConfigWithArrayModules extended with:
| Option | Type | Purpose |
|---|---|---|
projectConfig.http.vendorCors | string | CORS origins for the Vendor API (/vendor/*) — the only Mercur-specific option |
What withMercur applies
| Behavior | Detail |
|---|---|
| Registers the core plugin | Appends @mercurjs/core to plugins unless already present |
| Registers RBAC | Appends the @medusajs/medusa/rbac module and forces featureFlags.rbac = true, so vendor role scoping works out of the box |
| Disables the Medusa admin | admin.disable defaults to true — Mercur ships its own dashboards |
| Adjusts core middlewares | Replaces the Medusa middlewares that Mercur overrides (e.g. collections with media) |
defineConfig() unchanged, so any valid Medusa configuration remains valid here.
Environment variables
The starter (apps/api and projects created with create-mercur-app) reads:
| Variable | Purpose | Default |
|---|---|---|
DATABASE_URL | Postgres connection string | — (required) |
REDIS_URL | Redis for cache, event bus, workflow engine, locking | redis://localhost:6379 |
STORE_CORS | Storefront CORS origins | — (required) |
ADMIN_CORS | Admin panel CORS origins | — (required) |
VENDOR_CORS | Vendor panel CORS origins | — (required) |
AUTH_CORS | Auth endpoint CORS origins | — (required) |
JWT_SECRET | JWT signing secret | supersecret (change in production) |
COOKIE_SECRET | Cookie signing secret | supersecret (change in production) |
FILE_BACKEND_URL | Public origin baked into uploaded file URLs | http://localhost:9000/static |
MERCUR_VENDOR_URL | Vendor dashboard base URL used in member invite links | "" — can also be set via the seller module’s vendor_url option |
NODE_ENV | Environment selection | development |
Dashboard modules
The admin and vendor dashboards are served by two UI modules:| Option | Type | Purpose |
|---|---|---|
disable | boolean | Skip serving this dashboard from the API process |
path | string | Mount path (e.g. /dashboard, /seller) |
appDir | string | Directory of the dashboard Vite app |
viteDevServerPort / viteDevServerHost | number / string | Dev-mode proxy target (host defaults to localhost) |
Stripe Connect payout provider
Register@mercurjs/payout-stripe-connect as a provider of the payout module:
| Option | Type | Default | Purpose |
|---|---|---|---|
apiKey | string | — (required) | Stripe secret key |
webhookSecret | string | — (required) | Verifies incoming Stripe webhook signatures |
accountValidation.detailsSubmitted | boolean | true | Require onboarding details submitted before the account is active |
accountValidation.chargesEnabled | boolean | true | Require charges enabled |
accountValidation.payoutsEnabled | boolean | true | Require payouts enabled |
accountValidation.noOutstandingRequirements | boolean | true | Treat pending Stripe requirements as restricted |
accountValidation.requiredCapabilities | string[] | [] | Stripe capabilities that must be active |
authorizationWindowMs, sellerActionWindowMs, captureSafetyBufferMs, requiredFulfillmentStatus) — see the Payout module reference.
Search provider
The search module needs no configuration — when no provider is given, the built-in in-memory Orama provider registers automatically. To use a custom provider:AbstractSearchProvider — see the Search module reference.