General

NEXT_PUBLIC_BASE_URL
required
The base URL where this instance is accessible, including the scheme (e.g. http:// or https://), the domain name, and optionally a port.
SECRET_PASSWORD
required
A random 32-character secret key used to encrypt user sessions.
SUPPORT_EMAIL
required
This email will be shown as the contact email for support queries.
NOREPLY_EMAIL
This email is used as the sender for all transactional emails. If not set, SUPPORT_EMAIL will be used instead.
NOREPLY_EMAIL_NAME
default:"Rallly"
This name is used as the sender name for all transactional emails.
INITIAL_ADMIN_EMAIL
Specifies the email address of the first user who will be eligible to become an administrator. After the application starts, the user with this email address must navigate to /control-panel and click a button to claim their admin role.

Database

DATABASE_URL
required
Postgres database connection string

Email (SMTP)

SMTP_HOST
The host address of your SMTP server
SMTP_PORT
The port of your SMTP server. Common values: 587 (STARTTLS), 465 (SSL), 25 (plain).
SMTP_SECURE
default:"false"
Set to “true” if SSL is enabled for your SMTP connection (typically for port 465)
SMTP_USER
default:""
The username (if auth is enabled on your SMTP server)
SMTP_PWD
default:""
The password (if auth is enabled on your SMTP server)
SMTP_REJECT_UNAUTHORIZED
default:"true"
Validate TLS certificates. Set to false to ignore certificate errors (useful for self-signed certificates, not recommended for production)
This option is only available from v4.4.0 and later.
SMTP_TLS_ENABLED
Deprecated: Use SMTP_REJECT_UNAUTHORIZED=false to disable certificate validation
Legacy option that is no longer used
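
The General and SMTP rules above can be checked before the container starts. This is an added example, not Rallly's own code: checkConfig() and its messages are hypothetical names, the sample values are constructed, and the secret check treats 32 characters as a minimum.

```javascript
// Added example; checkConfig() and its messages are illustrative, not Rallly code.
function checkConfig(env) {
  const findings = [];
  const get = (k) => (env[k] ?? "").trim();

  // Variables the page marks as required.
  for (const k of ["NEXT_PUBLIC_BASE_URL", "SECRET_PASSWORD", "SUPPORT_EMAIL", "DATABASE_URL"]) {
    if (!get(k)) findings.push(`error: ${k} is required`);
  }
  // The base URL must include the scheme.
  const base = get("NEXT_PUBLIC_BASE_URL");
  if (base && !/^https?:\/\//i.test(base)) {
    findings.push("error: NEXT_PUBLIC_BASE_URL must start with http:// or https://");
  }
  // The page asks for a 32-character secret; shorter values are flagged (assumed minimum).
  const secret = get("SECRET_PASSWORD");
  if (secret && secret.length < 32) {
    findings.push(`error: SECRET_PASSWORD is ${secret.length} characters, expected at least 32`);
  }
  // SMTP_SECURE=true goes with port 465; port 587 is listed as STARTTLS.
  const port = get("SMTP_PORT");
  const secure = get("SMTP_SECURE") === "true";
  if (port === "465" && !secure) findings.push("warn: port 465 normally needs SMTP_SECURE=true");
  if (port === "587" && secure) findings.push("warn: port 587 normally needs SMTP_SECURE=false");
  // Certificate validation is on by default; flag deployments that turn it off.
  if (get("SMTP_REJECT_UNAUTHORIZED") === "false") {
    findings.push("warn: SMTP_REJECT_UNAUTHORIZED=false disables TLS certificate validation");
  }
  if ("SMTP_TLS_ENABLED" in env) {
    findings.push("warn: SMTP_TLS_ENABLED is deprecated and no longer used");
  }
  return findings;
}

// Constructed sample environment; all values are placeholders.
const sampleEnv = {
  NEXT_PUBLIC_BASE_URL: "rallly.example.com", // scheme missing
  SECRET_PASSWORD: "short-secret",
  SUPPORT_EMAIL: "support@example.com",
  DATABASE_URL: "postgres://user:pass@db:5432/rallly",
  SMTP_PORT: "465",
  SMTP_SECURE: "false",
  SMTP_REJECT_UNAUTHORIZED: "false",
};
console.log(checkConfig(sampleEnv).join("\n"));
```

In a deployment, pass `process.env` instead of the sample object and treat any `error:` finding as a reason not to start.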

Auth

EMAIL_LOGIN_ENABLED
default:"true"
Set to “false” to disable email-based login (magic link authentication). When disabled, users can only authenticate via configured OAuth providers (Google, Microsoft, OIDC) and user registration is automatically disabled.
This option is only available from v4.4.0 and later.
REGISTRATION_ENABLED
default:"true"
Set to “false” to disable user registration globally. This environment variable takes precedence over the database setting configured via the admin UI. Registration requires email login to be enabled.
This option is only available from v4.4.0 and later.
ALLOWED_EMAILS
Comma-separated list of email addresses that are allowed to register and log in. Wildcard characters are supported. Example: set it to *@example.com to allow anyone with an @example.com email address.

Google

  1. Head over to the Credentials tab: https://console.developers.google.com/apis/credentials
  2. Create an OAuth client ID. This will give you your GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET.
  3. Set “Authorized redirect URIs” to include your full domain and end in the callback path:
https://<YOUR_DOMAIN>/api/auth/callback/google
GOOGLE_CLIENT_ID
The client ID of your Google application
GOOGLE_CLIENT_SECRET
The client secret of your Google application

Microsoft

Follow the instructions here to create a Microsoft Entra ID application: https://docs.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
After creating the application, set the redirect URI to include your full domain and end in the callback path:
https://<YOUR_DOMAIN>/api/auth/callback/microsoft-entra-id
MICROSOFT_TENANT_ID
The tenant ID of your Microsoft application
MICROSOFT_CLIENT_ID
The client ID of your Microsoft application
MICROSOFT_CLIENT_SECRET
The client secret of your Microsoft application

Custom SSO (OIDC)

The following must be set for OIDC to work:
  • OIDC_DISCOVERY_URL
  • OIDC_CLIENT_ID
  • OIDC_CLIENT_SECRET
  • OIDC_ISSUER_URL
Your OAuth 2.0 application needs to be configured with the following scopes:
  • openid: Essential for OIDC to function, used to perform authentication.
  • profile: Access to the user’s personal information such as name and picture.
  • email: Access to the user’s email address.
Your identity provider should redirect the user back to the following URL:
https://<YOUR-DOMAIN>/api/auth/callback/oidc
OIDC_NAME
default:"OpenID Connect"
The display name of your provider as it will be shown on the login page
OIDC_DISCOVERY_URL
URL of the .well-known/openid-configuration endpoint for your OIDC provider
OIDC_ISSUER_URL
URL of the issuer for your OIDC provider. You can get this from your OpenID configuration endpoint.
OIDC_CLIENT_ID
The client ID of your OIDC application
OIDC_CLIENT_SECRET
The client secret of your OIDC application
OIDC_NAME_CLAIM_PATH
default:"name"
The path to the claim that contains the user’s name
OIDC_EMAIL_CLAIM_PATH
default:"email"
The path to the claim that contains the user’s email address
OIDC_PICTURE_CLAIM_PATH
default:"picture"
The path to the claim that contains the user’s profile picture
Use dot notation in _CLAIM_PATH fields to access nested objects.
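
A way to sanity-check the OIDC settings and dot-notation claim paths against a representative discovery document and ID token payload. This is an added example, not Rallly's own code: resolveClaim(), checkOidc() and all sample values are constructed for illustration.

```javascript
// Added example; function names and sample documents are constructed, not Rallly code.
// Resolve a dot-notation path such as "contact.email". Only own properties are
// followed, so a path like "__proto__.polluted" resolves to undefined.
function resolveClaim(claims, path) {
  let node = claims;
  for (const key of path.split(".")) {
    const isObject = node !== null && typeof node === "object";
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, key)) return undefined;
    node = node[key];
  }
  return node;
}

function checkOidc(env, discoveryDoc, sampleClaims) {
  const findings = [];
  const required = ["OIDC_DISCOVERY_URL", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET", "OIDC_ISSUER_URL"];
  const missing = required.filter((k) => !env[k]);
  // The page requires all four to be set for OIDC to work.
  if (missing.length > 0) findings.push(`missing: ${missing.join(", ")}`);
  // OIDC Discovery expects the configured issuer to equal the document's "issuer" exactly.
  if (env.OIDC_ISSUER_URL && discoveryDoc.issuer !== env.OIDC_ISSUER_URL) {
    findings.push(`issuer mismatch: discovery document says ${discoveryDoc.issuer}`);
  }
  // Each claim path (or its documented default) should resolve to a string.
  const defaults = { NAME: "name", EMAIL: "email", PICTURE: "picture" };
  for (const [claim, fallback] of Object.entries(defaults)) {
    const key = `OIDC_${claim}_CLAIM_PATH`;
    const path = env[key] || fallback;
    if (typeof resolveClaim(sampleClaims, path) !== "string") {
      findings.push(`${key}="${path}" does not resolve to a string claim`);
    }
  }
  return findings;
}

// Constructed sample values.
const sampleOidcEnv = {
  OIDC_DISCOVERY_URL: "https://idp.example.com/.well-known/openid-configuration",
  OIDC_ISSUER_URL: "https://idp.example.com/", // trailing slash differs from discovery
  OIDC_CLIENT_ID: "rallly",
  OIDC_CLIENT_SECRET: "placeholder-secret",
  OIDC_EMAIL_CLAIM_PATH: "contact.email",
};
const sampleDiscovery = { issuer: "https://idp.example.com" };
const sampleClaims = { name: "Ada Example", contact: { email: "ada@example.com" } };
console.log(checkOidc(sampleOidcEnv, sampleDiscovery, sampleClaims));
```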

Storage (S3)

Storage configuration is optional but required to enable features like user avatar uploads. For self-hosted deployments, MinIO is the recommended S3-compatible storage solution. Alternatively, you can use cloud services like AWS S3, DigitalOcean Spaces, or Cloudflare R2.
S3_BUCKET_NAME
The name of your S3 bucket
S3_ACCESS_KEY_ID
The access key ID of your S3 server
S3_SECRET_ACCESS_KEY
The secret access key of your S3 server
S3_REGION
The region of your S3 server
S3_ENDPOINT
The endpoint of your S3 server. Can be left empty if using AWS S3.