Environment Variables
Complete reference of all environment variables.
Configuration
Rack Gateway is configured primarily through environment variables. This section covers all configuration options grouped by concern.
Configuration Sources
Section titled “Configuration Sources”Rack Gateway uses mise for environment variable management:
mise.toml- Project defaults (committed to git)mise.local.toml- Local overrides (gitignored)
Quick Reference
Section titled “Quick Reference”OAuth Setup
Google Workspace OAuth configuration guide.
Session Management
Session policies and timeout configuration.
Security Settings
MFA and security settings.
Essential Configuration
Section titled “Essential Configuration”For production deployment, you must configure:
1. OAuth Authentication
Section titled “1. OAuth Authentication”[env]GOOGLE_CLIENT_ID = "your-client-id.apps.googleusercontent.com"GOOGLE_CLIENT_SECRET = "your-client-secret"GOOGLE_ALLOWED_DOMAIN = "your-company.com"See OAuth Setup for detailed instructions.
2. Database
Section titled “2. Database”[env]DATABASE_URL = "postgres://user:pass@host:5432/rack_gateway?sslmode=require"Or using individual variables:
[env]PGHOST = "your-db-host"PGPORT = "5432"PGUSER = "rack_gateway"PGPASSWORD = "your-password"PGDATABASE = "rack_gateway"3. Security Keys
Section titled “3. Security Keys”[env]APP_SECRET_KEY = "your-32-byte-random-key" # Generate with: openssl rand -hex 324. Convox Rack Connection
Section titled “4. Convox Rack Connection”[env]RACK_HOST = "https://api.rack.convox.cloud"RACK_TOKEN = "your-rack-api-token"RACK_ALIAS = "production"Configuration Categories
Section titled “Configuration Categories”| Category | Purpose |
|---|---|
| Environment Variables | Complete reference of all options |
| OAuth Setup | Google Workspace authentication |
| Session Management | Session timeout and policies |
| Security Settings | MFA enforcement, timeouts |
| Email Notifications | Postmark email configuration |
Development vs Production
Section titled “Development vs Production”Development Defaults
Section titled “Development Defaults”In development mode (DEV_MODE=true), Rack Gateway:
- Uses non-secure cookies (no HTTPS required)
- Auto-generates
APP_SECRET_KEYif missing - Logs emails to stdout instead of sending
- Connects to mock services on localhost
Production Requirements
Section titled “Production Requirements”For production, you must explicitly set:
APP_SECRET_KEY(secure random value)COOKIE_SECURE=true(or use HTTPS)- OAuth credentials (real Google Workspace)
- Database URL (real PostgreSQL)
- Rack credentials (real Convox rack)
Database-Backed Settings
Section titled “Database-Backed Settings”Some settings can be configured via the web admin UI and stored in the database:
| Setting | Environment Variable | Database Setting |
|---|---|---|
| Session timeout | RGW_SETTING_SESSION_TIMEOUT_MINUTES | session_timeout_minutes |
| Require MFA | RGW_SETTING_MFA_REQUIRE_ALL_USERS | mfa_require_all_users |
| Step-up window | RGW_SETTING_MFA_STEP_UP_WINDOW_MINUTES | mfa_step_up_window_minutes |
| Trusted device TTL | RGW_SETTING_MFA_TRUSTED_DEVICE_TTL_DAYS | mfa_trusted_device_ttl_days |
Precedence: Database values take priority over environment variables when set.
Next Steps
Section titled “Next Steps”- Start with Environment Variables for the complete reference
- See OAuth Setup to configure authentication
- Review Production Checklist before going live