Environment Variables
Copy .env.example to .env and fill in the values below. The .env file holds every signing and encryption key for the deployment, so keep it out of version control and readable only by the account that runs the services.
Required Variables
| Variable | Description |
|---|---|
| DB_PASSWORD | PostgreSQL password for the authsec user |
| JWT_DEF_SECRET | JWT signing secret (32+ chars) |
| JWT_SECRET | JWT signing secret (32+ chars) |
| JWT_SDK_SECRET | SDK JWT signing secret (32+ chars) |
| TOTP_ENCRYPTION_KEY | AES key for encrypting TOTP secrets (32+ chars) |
| SYNC_CONFIG_ENCRYPTION_KEY | Config sync encryption key (32+ chars) |
| SESSION_SECRET | Session signing key (32+ chars) |
| HYDRA_SECRETS_SYSTEM | Hydra system secret (32+ chars) |
| HYDRA_SECRETS_COOKIE | Hydra cookie secret (32+ chars) |
| HYDRA_DSN | Hydra PostgreSQL DSN; its password component must be the same value as DB_PASSWORD |
Generate the secrets. Each line of output is a ready-to-paste .env entry; openssl rand -hex 32 produces 64 hex characters (256 bits of entropy), which satisfies the 32+ character minimum. Give every variable its own value: a key shared between two purposes means a leak of one lets an attacker forge or decrypt the other. DB_PASSWORD is deliberately not in the list because the same value must also be written into HYDRA_DSN.

```sh
# Emit one KEY=VALUE line per secret; append the output to .env
for var in JWT_DEF_SECRET JWT_SECRET JWT_SDK_SECRET TOTP_ENCRYPTION_KEY \
           SYNC_CONFIG_ENCRYPTION_KEY SESSION_SECRET \
           HYDRA_SECRETS_SYSTEM HYDRA_SECRETS_COOKIE; do
  echo "$var=$(openssl rand -hex 32)"
done
```
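The whole procedure above (copy the template, generate the secrets, keep HYDRA_DSN in step with DB_PASSWORD) as one added, runnable POSIX sh example. This is not authsec or Hydra project code. It assumes that .env holds plain KEY=VALUE lines and that HYDRA_DSN is a libpq-style URL of the form postgres://user:password@host:port/db, neither of which the page states. fill_secrets appends a fresh value for each required secret that is still empty, and check_env rejects short values, placeholder values, a value reused across two variables, and a DSN whose password differs from DB_PASSWORD.

```sh
#!/bin/sh
# Added example, not authsec/Hydra project code: fill the required secrets into
# a .env copied from .env.example and sanity-check the result before first start.
# Assumptions the page does not state: .env holds plain KEY=VALUE lines, and
# HYDRA_DSN is a libpq-style URL (postgres://user:password@host:port/db?...), so
# the DB password appears between ':' and '@' and needs no URL-encoding.

REQUIRED_SECRETS="JWT_DEF_SECRET JWT_SECRET JWT_SDK_SECRET TOTP_ENCRYPTION_KEY
SYNC_CONFIG_ENCRYPTION_KEY SESSION_SECRET HYDRA_SECRETS_SYSTEM HYDRA_SECRETS_COOKIE"

# 256 bits of entropy as 64 hex characters, the same as the page's openssl
# one-liner, with a /dev/urandom fallback for hosts without openssl.
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# env_get FILE KEY: print KEY's value from FILE (first match, surrounding double
# quotes dropped, empty if the key is absent or has no value).
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# fill_secrets FILE: append a generated value for every required secret that is
# missing or empty. Existing values are left alone, so re-running is safe.
fill_secrets() {
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"   # guarantee a trailing newline
    for var in $REQUIRED_SECRETS; do
        if [ -z "$(env_get "$1" "$var")" ]; then
            printf '%s=%s\n' "$var" "$(gen_secret)" >> "$1"
        fi
    done
}

# check_env FILE: return 0 when the required variables look sane, 1 otherwise.
# Every finding goes to stderr so the operator sees all problems in one pass.
check_env() {
    file=$1; rc=0; seen=""
    for var in $REQUIRED_SECRETS; do
        val=$(env_get "$file" "$var")
        if [ ${#val} -lt 32 ]; then
            echo "$var: missing or shorter than 32 characters" >&2; rc=1
            continue
        fi
        case "$val" in
            *changeme*|*CHANGEME*|*example*)
                echo "$var: looks like a placeholder" >&2; rc=1 ;;
        esac
        # One key per purpose: a value shared between two variables means a leak
        # of either lets an attacker forge tokens or decrypt data of the other.
        case " $seen " in
            *" $val "*) echo "$var: reuses another secret's value" >&2; rc=1 ;;
        esac
        seen="$seen $val"
    done
    db=$(env_get "$file" DB_PASSWORD)
    dsn=$(env_get "$file" HYDRA_DSN)
    if [ -z "$db" ]; then
        echo "DB_PASSWORD: missing" >&2; rc=1
    else
        case "$dsn" in
            *":$db@"*) ;;
            *) echo "HYDRA_DSN: password does not match DB_PASSWORD" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage against the real file (uncomment):
# cp -n .env.example .env && fill_secrets .env && check_env .env
```

The reuse check is this editor's recommendation rather than a rule stated by the project, and the DSN comparison will report a false mismatch if the password contains characters that must be URL-encoded inside the DSN.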
Service URL Defaults
| Variable | Default | Notes |
|---|---|---|
| BASE_URL | http://localhost | Public-facing root URL; the http defaults are for local development only, anything reachable over a network should use https |
| HYDRA_PUBLIC_URL | http://localhost:4444 | Hydra public OAuth2 URL |
| REACT_APP_URL | http://localhost:3000 | Frontend SPA URL |
| TENANT_DOMAIN_SUFFIX | localhost | Suffix for tenant workspace domains |
Optional Features
| Variable | Feature |
|---|---|
| GOOGLE_CLIENT_SECRET | Google social login |
| GITHUB_CLIENT_SECRET | GitHub social login |
| MICROSOFT_CLIENT_SECRET | Microsoft social login |
| SMTP_HOST / SMTP_PORT / SMTP_USER / SMTP_PASSWORD | Email OTP and account flows |
| VAULT_ADDR / VAULT_TOKEN | HashiCorp Vault for OIDC provider secrets |
| ICP_SERVICE_URL | SPIFFE/SPIRE workload identity |
| SPIFFE_OIDC_ISSUER and related SPIFFE_* | JWT-SVID OIDC issuer configuration |
| OKTA_* | Okta CIBA integration |
Next step: First-Time Setup.