General
The base URL where this instance is accessible, including the scheme (e.g. http:// or https://), the domain name, and optionally a port.
A random 32-character secret key used to encrypt user sessions
This email will be shown as the contact email for support queries.
NOREPLY_EMAIL
This email is used as the sender for all transactional emails. If not set, SUPPORT_EMAIL will be used instead.
This name is used as the sender name for all transactional emails.
INITIAL_ADMIN_EMAIL
Specifies the email address of the first user who will be eligible to become an administrator. After the application starts, the user with this email address must navigate to /control-panel and click a button to claim their admin role.
Database
Postgres database connection string
Email (SMTP)
SMTP_HOST
The host address of your SMTP server
SMTP_PORT
The port of your SMTP server. Common values: 587 (STARTTLS), 465 (SSL), 25 (plain).
Set to “true” if SSL is enabled for your SMTP connection (typically for port 465)
The username (if auth is enabled on your SMTP server)
The password (if auth is enabled on your SMTP server)
Validate TLS certificates. Set to false to ignore certificate errors (useful for self-signed certificates, not recommended for production).
This option is only available from v4.4.0 and later.
SMTP_TLS_ENABLED
Deprecated: Use SMTP_REJECT_UNAUTHORIZED=false to disable certificate validation
Auth
Set to “false” to disable email-based login (magic link authentication).
When disabled, users can only authenticate via configured OAuth providers
(Google, Microsoft, OIDC) and user registration is automatically disabled.
This option is only available from v4.4.0 and later.
Set to “false” to disable user registration globally. This environment variable
takes precedence over the database setting configured via the admin UI.
Registration requires email login to be enabled.
This option is only available from v4.4.0 and later.
ALLOWED_EMAILS
Comma separated list of email addresses that are allowed to register and
login. Wildcard characters are supported. Example: set it to *@example.com to allow anyone with an @example.com email address.
Setup
- Head over to the Credentials tab: https://console.developers.google.com/apis/credentials
- Create an OAuth client ID. This will be your GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET
- Set “Authorized redirect URIs” to include your full domain and end in the callback path:
GOOGLE_CLIENT_ID
The client ID of your Google application
GOOGLE_CLIENT_SECRET
The client secret of your Google application
Microsoft
Setup
Follow the instructions here to create a Microsoft Entra ID application: https://docs.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
After creating the application, set the redirect URI to include your full domain and end in the callback path:
MICROSOFT_TENANT_ID
The tenant ID of your Microsoft application
MICROSOFT_CLIENT_ID
The client ID of your Microsoft application
MICROSOFT_CLIENT_SECRET
The client secret of your Microsoft application
Custom SSO (OIDC)
The following must be set for OIDC to work:
- OIDC_DISCOVERY_URL
- OIDC_CLIENT_ID
- OIDC_CLIENT_SECRET
- OIDC_ISSUER_URL
Setup
Your OAuth 2.0 application needs to be configured with the following scopes:
- openid: Essential for OIDC to function, used to perform authentication.
- profile: Access to the user’s personal information such as name and picture.
- email: Access to the user’s email address.
The display name of your provider as it will be shown on the login page
OIDC_DISCOVERY_URL
URL of the .well-known/openid-configuration endpoint for your OIDC provider
OIDC_ISSUER_URL
URL of the issuer for your OIDC provider. You can get this from your OpenID Configuration endpoint.
OIDC_CLIENT_ID
The client ID of your OIDC application
OIDC_CLIENT_SECRET
The client secret of your OIDC application
The path to the claim that contains the user’s name
The path to the claim that contains the user’s email address
The path to the claim that contains the user’s profile picture
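A preflight check for the OIDC settings above, as an added example that is not part of the application's own code: it confirms that OIDC_ISSUER_URL equals the issuer in the discovery document, that OIDC_DISCOVERY_URL is derived from it, that the three required scopes are advertised, and that each claim path resolves to a string. The discovery document, the claims and the path labels (name, email, picture) are constructed for illustration.

```python
# Constructed sample data, not taken from a real provider.
DISCOVERY_URL = "https://idp.example.com/realms/main/.well-known/openid-configuration"
DISCOVERY_DOC = {"issuer": "https://idp.example.com/realms/main",
                 "scopes_supported": ["openid", "profile", "email"]}
CLAIMS = {"sub": "1234", "email": "alice@example.com",
          "user": {"profile": {"display_name": "Alice", "avatar": "https://idp.example.com/a.png"}}}
# Hypothetical labels mapped to the values the name, email and picture claim paths would hold.
CLAIM_PATHS = {"name": "user.profile.display_name", "email": "email", "picture": "user.profile.avatar"}
REQUIRED_SCOPES = ("openid", "profile", "email")
SUFFIX = "/.well-known/openid-configuration"


def resolve_claim(claims, path):
    """Follow a dot-notation path through nested objects; None if a step is missing."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_oidc(discovery_url, issuer_url, doc, claims, claim_paths):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not discovery_url.startswith("https://"):
        problems.append("OIDC_DISCOVERY_URL is not https")
    # The issuer in the discovery document must equal the configured issuer exactly.
    if doc.get("issuer") != issuer_url:
        problems.append("OIDC_ISSUER_URL does not match the discovery document's issuer")
    # Per OpenID Connect Discovery, the document lives at <issuer>/.well-known/openid-configuration.
    if discovery_url != issuer_url.rstrip("/") + SUFFIX:
        problems.append("OIDC_DISCOVERY_URL is not derived from OIDC_ISSUER_URL")
    advertised = doc.get("scopes_supported")  # optional field; skip the check if absent
    if advertised is not None:
        problems += [f"scope not advertised: {s}" for s in REQUIRED_SCOPES if s not in advertised]
    for label, path in claim_paths.items():
        if not isinstance(resolve_claim(claims, path), str):
            problems.append(f"{label} claim path does not resolve to a string: {path}")
    return problems


if __name__ == "__main__":
    issuer = "https://idp.example.com/realms/main"
    print(check_oidc(DISCOVERY_URL, issuer, DISCOVERY_DOC, CLAIMS, CLAIM_PATHS) or "OIDC settings consistent")
```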
Use dot notation in _CLAIM_PATH fields to access nested objects.
Storage (S3)
Storage configuration is optional but required to enable features like user avatar uploads. For self-hosted deployments, MinIO is the recommended S3-compatible storage solution. Alternatively, you can use cloud services like AWS S3, DigitalOcean Spaces, or Cloudflare R2.
S3_BUCKET_NAME
The name of your S3 bucket
S3_ACCESS_KEY_ID
The access key ID of your S3 server
S3_SECRET_ACCESS_KEY
The secret access key of your S3 server
S3_REGION
The region of your S3 server
S3_ENDPOINT
The endpoint of your S3 server. Can be left empty if using AWS S3.