You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Single, authoritative reference for every env var. The copy-paste template is
../../.env.example (RU inline comments); this doc is the
English explanation grouped by concern, with required/optional and
fallback/per-tenant behaviour.
Local dev minimum:DATABASE_URL + PLATFORM_MASTER_KEY +
TELEGRAM_WEBHOOK_SECRET (+ ALLOW_PUBLIC_SIGNUP=1 to register, see
ONBOARDING.md). Almost everything else is prod-only.
Plan quotas (channels / KB docs / rate limits / prices) are code, not env —
source of truth is apps/api/src/lib/plans.ts (see README plan table).
Postgres
Var
Req
Description
DATABASE_URL
✅
Postgres connection string. In prod the apps must connect under a NOSUPERUSER NOBYPASSRLS role (RLS enforcement). Matches docker-compose.yml on :5434 for local dev.
Crypto / auth
Var
Req
Description
PLATFORM_MASTER_KEY
✅
32-byte hex (openssl rand -hex 32) for AES-256-GCM encryption of tenant_secrets.
PLATFORM_AUTH_SECRET
opt
HMAC secret for JWT-like auth tokens (signAuthToken). Falls back to PLATFORM_MASTER_KEY. Use a separate value so rotating the master key doesn't invalidate active sessions.
PARTNER_CALLBACK_SECRET
opt
HMAC secret for partner webhook callbacks (partner-ping). Falls back to PLATFORM_AUTH_SECRET, then PLATFORM_MASTER_KEY.
ALLOW_PUBLIC_SIGNUP
opt
1 opens public POST /api/auth/signup; closed by default (→ 403 signup_disabled). Needed for local dev and any self-serve signup. (Not present in .env.example — add manually.)
PLATFORM_SUPERADMIN_TOKEN
opt
Bearer token for platform /api/superadmin/* endpoints (openssl rand -hex 32).
Telegram
Var
Req
Description
TELEGRAM_WEBHOOK_SECRET
✅
Value of the X-Telegram-Bot-Api-Secret-Token header set on setWebhook and verified on inbound.
TELEGRAM_API_ID / TELEGRAM_API_HASH
opt
MTProto app credentials (my.telegram.org). Fallback only — userbot creds are per-tenant in tenant_secrets. If absent both per-tenant and in env, /userbot/start returns 400.
Externally-reachable base URL of apps/api for auto-setWebhook on Telegram channel create. Empty → set webhooks manually. Local dev: use ngrok / cloudflared.
PLATFORM_BASE_DOMAIN
opt
Tenant subdomain → tenantSlug for the legacy /admin/* routes. Empty → those routes off (SaaS /api/admin/* always on).
HEALTH_CHECK_TIMEOUT_MS
opt
/healthz dependency-check timeout (default 2000).
DRIP_DISPATCH_MS
opt
Outreach drip dispatcher tick in apps/api (default 10000; 0 = off — the send pace itself is per campaign).
LLM (env fallback)
Per-tenant LLM config lives in the DB (BYOK); these are boot fallbacks when a
tenant has no row. Without any LLM the pipeline persists but does not reply.
The admin UI/API support provider slots for chat, embed, vision, judge,
reranker, and transcribe; env fallback is intentionally minimal and covers
the legacy chat/embed path.
Directory where apps/api stores original KB uploads (.pdf, .md, .txt, .json). Default: data/kb-files under the API working directory. In production this should be a persistent volume.
KB_MAX_UPLOAD_BYTES
opt
Maximum original upload file size. Default: 26214400 (25 MiB).
RAG_FACT_CHECKER_FAIL_OPEN
opt
1 restores the legacy fail-open behaviour when the RAG fact-checker errors (default: fail-closed).
Channels
Var
Req
Description
WHATSAPP_VERIFY_TOKEN / WHATSAPP_APP_SECRET
opt
Meta webhook verify token + App Secret (HMAC-SHA256 of X-Hub-Signature-256). Fallback — also per-tenant in tenant_secrets. Empty app secret → signature check off (boot warning).
FACEBOOK_VERIFY_TOKEN / FACEBOOK_APP_SECRET
opt
Meta Messenger webhook verify token + App Secret. Fallback — also per-tenant in tenant_secrets; empty app secret disables signature verification with a boot warning.