This page provides a complete reference of Rack Gateway environment variables.
For a shorter overview, see Configuration.
| Variable | Default | Description |
|---|---|---|
| PORT | 8080 | TCP port the API listens on |
| DOMAIN | (required) | Gateway domain for OAuth redirect URLs |
| DEV_MODE | false | Enables development-friendly behavior |
| APP_SECRET_KEY | (required) | Secret for sessions and CSRF |
| COOKIE_SECURE | true | Set the Secure cookie attribute |
| TRUSTED_PROXY_CIDRS | | Comma-separated proxy CIDRs |
| LOG_LEVEL | info | Log level (debug, info, warn, error) |
| DEBUG_TOPICS | | Comma-separated debug topics |

| Variable | Default | Description |
|---|---|---|
| GOOGLE_CLIENT_ID | (required) | OAuth client ID |
| GOOGLE_CLIENT_SECRET | (required) | OAuth client secret |
| GOOGLE_ALLOWED_DOMAIN | (required) | Allowed email domain |
| GOOGLE_OAUTH_BASE_URL | https://accounts.google.com | OAuth issuer URL |

| Variable | Description |
|---|---|
| ADMIN_USERS | Comma-separated admin emails |
| VIEWER_USERS | Comma-separated viewer emails |
| DEPLOYER_USERS | Comma-separated deployer emails |
| OPERATIONS_USERS | Comma-separated ops emails |

| Variable | Default | Description |
|---|---|---|
| RACK_HOST | | Convox rack API URL |
| RACK_TOKEN | | Convox rack API token |
| RACK_USERNAME | convox | Basic auth username |
| RACK | default | Rack name (internal identifier) |
| RACK_ALIAS | RACK | Short alias (user-facing) |
| RACK_DISPLAY_NAME | RACK_ALIAS | Human-friendly display name |
| ENABLE_RACK_TLS_PINNING | false | Enable rack TLS pinning |

| Variable | Description |
|---|---|
| RGW_DATABASE_URL | Preferred Postgres URL |
| GATEWAY_DATABASE_URL | Alternate Postgres URL |
| DATABASE_URL | Alternate Postgres URL |
| ADMIN_DATABASE_URL | Admin URL for migrations/reset |
| PGHOST / PGPORT / PGUSER / PGPASSWORD / PGDATABASE | libpq connection fields |
| PGSSLMODE | SSL mode override |

| Variable | Default | Description |
|---|---|---|
| DB_MAX_OPEN_CONNS | 25 | Max open connections |
| DB_MAX_IDLE_CONNS | 5 | Max idle connections |
| DB_CONN_MAX_LIFETIME | 30m | Connection lifetime |
| DB_CONN_MAX_IDLE_TIME | 10m | Idle timeout |

| Variable | Description |
|---|---|
| TEST_DATABASE_URL | Override database URL for tests |

| Variable | Description |
|---|---|
| YUBICO_CLIENT_ID | YubiKey OTP client ID |
| YUBICO_SECRET_KEY | YubiKey OTP secret |
| WEBAUTHN_RP_ID | WebAuthn RPID |
| WEBAUTHN_ORIGIN | WebAuthn origin |

Settings resolve in this order: DB value → env var → default.
| Variable | Description |
|---|---|
| RGW_SETTING_SESSION_TIMEOUT_MINUTES | Browser session inactivity timeout |
| RGW_SETTING_MFA_REQUIRE_ALL_USERS | Require MFA for all users |
| RGW_SETTING_MFA_STEP_UP_WINDOW_MINUTES | Step-up window |
| RGW_SETTING_MFA_TRUSTED_DEVICE_TTL_DAYS | Trusted device TTL |
| RGW_SETTING_DEPLOY_APPROVALS_ENABLED | Enable deploy approvals |
| RGW_SETTING_DEPLOY_APPROVAL_WINDOW_MINUTES | Approval window |
| RGW_SETTING_ALLOW_DESTRUCTIVE_ACTIONS | Allow destructive actions |
| RGW_SETTING_DEFAULT_CI_PROVIDER | Default CI provider |
| RGW_SETTING_DEFAULT_VCS_PROVIDER | Default VCS provider |

Per-app overrides use:

```
RGW_APP_<APP>_SETTING_<KEY>=value
```

Example:

```
RGW_APP_MYAPP_SETTING_CI_PROVIDER=circleci
```

See Deploy Approvals for common keys.
| Variable | Default | Description |
|---|---|---|
| AUDIT_HMAC_SECRET | (required in prod) | HMAC chain secret |
| AUDIT_ANCHOR_BUCKET | | S3 bucket for anchors |
| AUDIT_ANCHOR_CHAIN_ID | | Chain identifier |
| AUDIT_ANCHOR_RETENTION_DAYS | 400 | Object Lock retention |
| AUDIT_ANCHOR_INTERVAL_MINUTES | 60 | Anchor interval |
| AWS_ENDPOINT_URL_S3 | | Custom S3 endpoint |
| AWS_ACCESS_KEY_ID | | AWS access key |
| AWS_SECRET_ACCESS_KEY | | AWS secret key |
| AWS_REGION | us-east-1 | AWS region |

| Variable | Default | Description |
|---|---|---|
| POSTMARK_API_TOKEN | | Postmark API token |
| POSTMARK_FROM | no-reply@{domain} | Sender |
| POSTMARK_STREAM | outbound | Message stream |
| POSTMARK_API_BASE | https://api.postmarkapp.com | API base |
| DEV_EMAIL_LOG | false | Log emails in dev |

| Variable | Description |
|---|---|
| SLACK_CLIENT_ID | Slack OAuth client ID |
| SLACK_CLIENT_SECRET | Slack OAuth client secret |
| GITHUB_TOKEN | GitHub token for deploy approvals |
| CIRCLECI_TOKEN | CircleCI token for deploy approvals |

| Variable | Default | Description |
|---|---|---|
| SENTRY_DSN | | Backend DSN |
| SENTRY_ENVIRONMENT | | Environment name |
| SENTRY_RELEASE | | Release tag |
| SENTRY_JS_DSN | | Frontend DSN |
| SENTRY_JS_TRACES_SAMPLE_RATE | 0 | Frontend perf rate |
| ENABLE_SENTRY_TEST_BUTTONS | false | Show test UI |

| Variable | Description |
|---|---|
| RACK_GATEWAY_RACK | Default rack name |
| RACK_GATEWAY_URL | Override gateway URL |
| RACK_GATEWAY_API_TOKEN | API token for automation |
| GATEWAY_CLI_CONFIG_DIR | Override CLI config dir |

| Variable | Description |
|---|---|
| CONVOX_SECRET_ENV_VARS | Comma-separated env vars to redact |

Ports are defined in mise.toml:
| Variable | Default | Description |
|---|---|---|
| GATEWAY_PORT | 8447 | Gateway API port (dev) |
| WEB_PORT | 5223 | Web dev server |
| MOCK_OAUTH_PORT | 3345 | Mock OAuth |
| MOCK_CONVOX_PORT | 5443 | Mock Convox |
| TEST_GATEWAY_PORT | 9447 | Test gateway |
| TEST_MOCK_OAUTH_PORT | 9345 | Test OAuth |
| TEST_MOCK_CONVOX_PORT | 6443 | Test Convox |