Core & database configuration
Server, networking, PostgreSQL, Redis, observability, and egress variables — the foundation every VaultTerm instance needs to boot.
Updated Jun 23, 2026
These variables wire VaultTerm to its runtime, its datastores, and the network. At minimum a working
instance needs DATABASE_URL and REDIS_URL; everything else has a sensible default. PostgreSQL holds
all durable state (encrypted secrets, tenants, audit trail) and Redis backs sessions, rate limiting,
and ephemeral broker state. See Configuration overview for how these fit
together and where the .env lives.
```ini
NODE_ENV=production
PORT=4000
LOG_LEVEL=info
APP_BASE_URL=https://vault.example.com
DATABASE_URL=postgres://vaultterm:<password>@<db-host>:5432/vaultterm
REDIS_URL=redis://cache.example.com:6379
METRICS_ENABLED=true
METRICS_TOKEN=replace-with-a-scrape-token
CORS_ORIGINS=https://vault.example.com
```
Server & networking
| Variable | Type | Default | Description |
|---|---|---|---|
| NODE_ENV | string | development | Runtime mode (development or production); production enables the boot guards. |
| PORT | number | 4000 | Tenant API + web portal port. |
| LOG_LEVEL | string | info | Pino log level (trace, debug, info, warn, error, fatal, silent). |
| WEB_DIST | path | (empty) | Built web portal directory to serve; empty means the portal is not served (dev uses Vite). |
| APP_BASE_URL | URL | http://localhost:5173 | Public origin (including any base path) for user-facing links (invites, verification); WebAuthn and cookies pin to it. |
| API_PUBLIC_URL | URL | (APP_BASE_URL origin) | Override when the API is on a different host than APP_BASE_URL. |
Database, cache & observability
| Variable | Type | Default | Description |
|---|---|---|---|
| DATABASE_URL | string (required) | (empty) | PostgreSQL connection URL. |
| PG_POOL_MAX | number | 8 | Max Postgres connections per pool. |
| PG_IDLE_TIMEOUT_MS | number | 10000 | Idle connection timeout (milliseconds). |
| REDIS_URL | string (required) | (empty) | Redis connection URL. |
| METRICS_ENABLED | boolean | true | Enable the Prometheus /metrics endpoint. |
| METRICS_TOKEN | string | (empty) | Bearer token required to scrape /metrics; under production the endpoint fails closed without it. |
DATABASE_URL and REDIS_URL are both required — the server will not serve traffic without them.
Tune PG_POOL_MAX to your database’s connection budget; the value is per pool, so account for multiple
application processes. For the metrics endpoint and scrape setup, see Observability.
Security and egress
These control how the instance treats cross-origin browser requests and server-side outbound fetches. The egress guard is part of the production hardening described in Configuration overview: it prevents a server-side request (a webhook, an SSO metadata fetch, an AI call) from reaching internal infrastructure unless you have explicitly allowed it.
| Variable | Type | Default | Description |
|---|---|---|---|
| EGRESS_ALLOW_PRIVATE | boolean (0/1) | auto | Allow outbound fetches to RFC 1918/loopback targets (internal SSO, webhooks); disabled by default under production to prevent SSRF. |
| CORS_ORIGINS | comma-separated | (empty) | Cross-origin allowlist; empty denies cross-origin in production. |
| CSP_DIRECTIVES | string | (built-in) | Override the default Content-Security-Policy directives. |
If you run your SSO provider, webhook receivers, or Ollama on a private network reachable only from the
VaultTerm host, set EGRESS_ALLOW_PRIVATE=1 so those legitimate internal calls succeed. Leave it at
the default if all your integrations are reachable over the public internet. For how tenant boundaries
are enforced once a request is inside the server, see Tenant isolation.