All variables are read at boot from the process environment. Most string booleans
accept 1 | true | yes (case-insensitive for true/yes) as truthy; other
values are falsy. A few flags use their own rule (e.g. SUPACLOUD_SMTP_USE_TLS
is on unless set to 0|false|no). The abbreviated admin page covers deployment
essentials — see
Environment variables (admin).
dev relaxes prod-only guards (weaker JWT, no encryption-key requirement). Set to any other value — or omit — for production.
SERVER_HOST
0.0.0.0
Bind address.
SERVER_PORT
8080
Listen port.
PUBLIC_URL
http://localhost:<port> in dev, required in prod
Canonical public origin. Seeds the CORS allowlist and callback URL derivation.
CORS_ALLOWED_ORIGINS
—
Comma-separated origins permitted to call the API. When empty, the allowlist defaults to PUBLIC_URL (plus the standard localhost dev origins in dev mode).
Session-signing secret. ≥ 32 bytes required. The dev default is rejected for any non-loopback PUBLIC_URL. Also accepted as AUTH_JWT_SECRET (legacy).
SUPACLOUD_INITIAL_ADMIN_EMAILS
—
Comma-separated emails provisioned as workspace owner on first boot. Required in prod for builtin and oidc providers. Also accepted as SUPACLOUD_INITIAL_ADMIN_EMAIL.
AUTH_SESSION_TTL_MINUTES
480
Session lifetime (8 h).
AUTH_COOKIE_SECURE
true in prod, false in dev
Set false for local HTTP.
OIDC_ISSUER_URL
—
OIDC provider discovery URL (AUTH_PROVIDER=oidc).
OIDC_CLIENT_ID
—
OIDC client ID.
OIDC_CLIENT_SECRET
—
OIDC client secret. Vault-hydrated from supacloud/app.
OIDC_REDIRECT_URL
—
OIDC callback URL (/api/auth/oidc/callback).
OIDC_SCOPES
openid email profile
Space- or comma-separated. Must include openid.
OIDC_PKCE_ENABLED
true
Set false only for legacy providers that reject code_verifier.
OIDC_TOKEN_AUTH_METHOD
basic
basic or post (client_secret_post).
AUTH_PROXY_USER_HEADER
Remote-User
Trusted-proxy user header (authelia_proxy / oidc_proxy).
AUTH_PROXY_EMAIL_HEADER
Remote-Email
Trusted-proxy email header.
AUTH_PROXY_NAME_HEADER
Remote-Name
Trusted-proxy display-name header.
AUTH_PROXY_REQUIRED_HEADER
—
Required for proxy modes. Header name that must be present.
AUTH_PROXY_REQUIRED_VALUE
—
Required for proxy modes. Expected value of the required header.
AUTH_PROXY_LOGOUT_URL
—
Upstream proxy sign-out URL surfaced in /config. Only meaningful in proxy-auth modes.
SUPACLOUD_SSO_AUTOREDIRECT
derived
on forces the single-IdP standalone redirect; off suppresses it. Derived from edition + SSO-realm-count when unset.
DEFAULT_SSO_ORG
—
Bare org slug pinned as the standalone SSO redirect target.
openbao or env. Auto-detects openbao when vault auth is present; otherwise env. A typo is a hard boot error.
OPENBAO_ADDR
https://vault.blockworx.tech
OpenBao / Vault address. Also accepted as VAULT_ADDR.
VAULT_TOKEN
—
Direct token auth.
OPENBAO_ROLE_ID
—
AppRole role ID (used with OPENBAO_SECRET_ID).
OPENBAO_SECRET_ID
—
AppRole secret ID.
With SECRET_BACKEND=openbao the following are read from the supacloud/app
KV2 map (env wins; vault fills gaps): SUPACLOUD_JWT_SECRET,
SUPACLOUD_CREDENTIAL_ENCRYPTION_KEY, OIDC_CLIENT_SECRET,
SUPACLOUD_MCP_CONFIRMATION_SECRET, DISCORD_BOT_TOKEN,
SUPACLOUD_{LINEAR,NOTION}_OAUTH_CLIENT_{ID,SECRET},
STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, SUPACLOUD_SMTP_PASSWORD,
BW_FINTS_WORKER_API_KEY, SUPACLOUD_OPERATOR_TOKEN,
SUPACLOUD_EDITION_LICENSE, SUPACLOUD_EDITION_SECRET.
AES-256 key for DB-resident credential material. Accepts raw 32 bytes, hex, base64, or hex:/base64: prefix. Required in prod. When vault-sourced, the decoded key is held in-process and never re-exported to the environment.
SUPACLOUD_MCP_CONFIRMATION_SECRET
—
HMAC secret for deploy-tier MCP confirmation tokens (app.deploy, app.migration.apply). ≥ 32 bytes. Without it those tools fail closed. Vault-hydrated from supacloud/app.
Opt-in to dispatching tasks to a registered remote runner fleet. When false, every task runs locally.
SUPACLOUD_HUB_EVENT_RELAY
false
Relay realtime hub events across server replicas over Postgres LISTEN/NOTIFY (the WS event fan-out, #623 P4). Inert on a single replica; enable for a multi-replica deployment.
Webhook secret for Telegram update validation. Vault-hydrated.
DISCORD_BOT_TOKEN
—
Discord control-bot token (ADR 0032). Vault-hydrated from supacloud/app. Bot is disabled when unset. Distinct from per-workspace Discord notify/trigger resources.
Enable serving of built React/Svelte App frontends. Requires SUPACLOUD_APPS_BASE_DOMAIN.
SUPACLOUD_APPS_BASE_DOMAIN
—
Bare domain (e.g. supacloud.net) on a different eTLD+1 than the control plane. Hosted Apps are served at <opaque-subdomain>.<apps_base_domain>. Boot fails if this shares a registrable domain with PUBLIC_URL.