Environment Variables

Complete reference for all environment variables used by TameFlare. All variables are optional unless marked required.

Tip: Copy apps/web/.env.example to apps/web/.env.local to get started. Most variables have sensible defaults for local development.

Database

| Variable | Default | Description |
|---|---|---|
| TURSO_DATABASE_URL | — | Turso/libSQL database URL. Omit for local SQLite (file:local.db). |
| TURSO_AUTH_TOKEN | — | Auth token for Turso. Only needed with TURSO_DATABASE_URL. |

When both are omitted, TameFlare uses a local SQLite file at apps/web/local.db.

Authentication

| Variable | Default | Description |
|---|---|---|
| DASHBOARD_PASSWORD | — | Optional shared password for dashboard access. Legacy mode — prefer email/password auth. |
| REGISTRATION_OPEN | false | Set to true to allow new user signups. Closed by default after the first user registers. |
| DEFAULT_USER_ROLE | viewer | Role assigned to new users: owner, admin, member, or viewer. The first user is always owner. |

Warning: If DASHBOARD_PASSWORD is set, anyone with the password can access the dashboard without a user account. For production, use email/password auth and keep DASHBOARD_PASSWORD unset.

Decision Token Signing

| Variable | Default | Description |
|---|---|---|
| SIGNING_KEY_PRIVATE | auto-generated | ES256 (ECDSA P-256) private key for signing decision tokens. PEM format, base64-encoded. |
| SIGNING_KEY_PUBLIC | auto-generated | Corresponding public key for token verification. |

Generate a key pair:

```bash
openssl ecparam -genkey -name prime256v1 -noout -out private.pem
openssl ec -in private.pem -pubout -out public.pem
# Base64-encode for the env vars. -w0 disables line wrapping (GNU coreutils option;
# macOS base64 has no -w flag and does not wrap by default).
base64 -w0 private.pem
base64 -w0 public.pem
```

Warning: In production, always set explicit signing keys. Auto-generated keys change on restart, invalidating all outstanding decision tokens.

Integrations

These can also be configured via Settings > Integrations in the dashboard. Env vars take precedence when set.

Slack

| Variable | Default | Description |
|---|---|---|
| SLACK_BOT_TOKEN | — | Slack bot token (xoxb-...). Required for approval notifications. |
| SLACK_SIGNING_SECRET | — | Slack signing secret for verifying interactive webhook payloads. |
| SLACK_CHANNEL_ID | — | Channel ID where approval notifications are sent. |

GitHub

| Variable | Default | Description |
|---|---|---|
| GITHUB_PAT | — | GitHub Personal Access Token. Needs repo scope for the Gateway connector. |
| GITHUB_ORG | — | GitHub organization name for the Gateway connector. |

Gateway

| Variable | Default | Description |
|---|---|---|
| GATEWAY_URL | http://localhost:8443 | URL of the Go gateway. In Docker Compose, use http://gateway:8443. |
| GATEWAY_SERVICE_TOKEN | — | Shared token for control plane ↔ gateway authentication. |

Encryption

| Variable | Default | Description |
|---|---|---|
| SETTINGS_ENCRYPTION_KEY | — | AES-256-GCM key for encrypting secrets at rest (Slack tokens, GitHub PATs stored in the DB). |

Generate:

```bash
openssl rand -hex 32
```

Warning: Critical for production. Without this key, integration secrets are stored in plaintext in the database.

Licensing

| Variable | Default | Description |
|---|---|---|
| TF_LICENSE_KEY | — | License key JWT. Omit for the free Starter tier (3 agents, 1,000 actions/month, 30-day audit). |
| TF_LICENSE_SECRET | — | HMAC secret for license JWT verification. Change it from the default in production. |

Cross-App URLs

| Variable | Default | Description |
|---|---|---|
| NEXT_PUBLIC_DOCS_URL | http://localhost:3001/docs | Public URL of the docs site. Used for cross-app links from the dashboard. |
| NEXT_PUBLIC_APP_URL | http://localhost:3000 | Public URL of the main app. Used for cross-app links from the docs site. |

Maintenance

| Variable | Default | Description |
|---|---|---|
| MAINTENANCE_SECRET | — | Bearer token for the POST /api/maintenance/cleanup endpoint. |
| AUDIT_RETENTION_DAYS | 0 | Auto-purge audit events older than this many days. 0 = keep forever. |

Organization

| Variable | Default | Description |
|---|---|---|
| ORG_ID | auto-detected | Override the organization ID. Useful for multi-instance setups. |

Optional / Observability

Disabled by default. TameFlare sends zero telemetry unless you explicitly enable these.

| Variable | Default | Description |
|---|---|---|
| SENTRY_DSN | — (disabled) | Sentry DSN for error tracking. Opt-in only. |
| POSTHOG_KEY | — (disabled) | PostHog project key for product analytics. Opt-in only. |

Gateway (Go binary)

These are set in the gateway's environment, not the web app:

| Variable | Default | Description |
|---|---|---|
| PORT | 8443 | Port the gateway listens on. |
| CONTROL_PLANE_URL | http://localhost:3000 | URL of the TameFlare control plane for token verification. |
| GATEWAY_SERVICE_TOKEN | — | Must match the control plane's GATEWAY_SERVICE_TOKEN. |
| GITHUB_TOKEN | — | GitHub PAT for the GitHub connector (can also use the control plane's GITHUB_PAT). |

Docker Compose notes

When running via Docker Compose, Compose service names replace localhost:

  • Gateway URL from the web container: http://gateway:8443 (not http://localhost:8443)
  • Control plane URL from the gateway container: http://web:3000 (not http://localhost:3000)

The docker-compose.yml file sets these automatically. Override with a .env file in the project root.