Environment variables (self-hosted)

How to configure a self-hosted deployment. Every setting is an environment variable on the API container — set them in your .env.selfhost (the reference stack) or your orchestrator.

Core settings

VariableDescription
SECRET_ISOLATIONSet to dedicated for a self-hosted deployment. Required in production.
JWT_SECRETSigns dashboard session tokens. A long random value (openssl rand -hex 48).
ACTION_SIGNING_SECRETSigns action warrants, approval links, and ledger anchors. A distinct random value.
ENCRYPTION_KEYEncrypts stored secrets at rest. Optional; falls back to the action secret. Set a distinct key.
CORS_ORIGINSComma-separated dashboard origin(s). No * in production.
TRUST_PROXYNumber of proxy hops in front of the API (usually 1), so rate limiting sees the real client IP.
STORE_DRIVER / DATABASE_URLUse postgres with a connection string (recommended); the embedded store needs PROVENANT_ALLOW_EMBEDDED_STORE=true.
PROVENANT_LICENSE_KEYYour license key (the self-hosted subscription). Optional — none = Free limits. See Self-hosting & licensing.
CONNECTOR_TRANSPORThttp (real downstream forwarding) or mock. Production requires http unless mock execution is acknowledged.
CREDENTIAL_BROKERmock | stripe_issuing | oauth_token_exchange | aws_sts — the deployment-level broker (a per-connector profile always wins).
EMAIL_PROVIDERconsole (logs — a solo admin can reset via the datastore), resend (HTTP), or smtp (any relay) — powers password reset. With resend/smtp also set the provider's vars + EMAIL_FROM.
METRICS_TOKENWhen set, GET /metrics requires a bearer token. Set it whenever the API port is reachable.

Full operator reference

This page covers the settings most deployments touch. For the exhaustive variable list, the production configuration guard, backup/restore drills, upgrades, TLS, and database-enforced tenant isolation, the full operator guide is available on request — [email protected].

Custom variables for connectors

Any secret field on a connector — an API key, bearer token, basic password, OAuth client secret — accepts a literal or a reference resolved at call time. On a self-hosted deployment you can reference your own environment variables with env:NAME, so the raw secret lives in your deployment config, never in the database:

# In .env.selfhost (or your orchestrator's secret store):
OPENAI_API_KEY=sk-...
ACME_WEBHOOK_TOKEN=what-ever

# Then in the connector's auth field, enter the reference instead of the literal:
env:OPENAI_API_KEY
env:ACME_WEBHOOK_TOKEN

The variable name is yours to choose — define it alongside the other settings and reference it by that name. env: reads from the deployment's own process environment, so it is a self-hosted capability (the hosted platform rejects it — there, secrets come from each organization's own configured secret managers). A reference that can't resolve fails closed: the action fails rather than dispatching a blank credential.

Managed secret providers (alternative)

Instead of (or alongside) env:, connectors can pull secrets from a managed provider — HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Configure one per deployment, then reference secrets by name (vault:…, awssm:…, azkv:…, gsm:…). The provider credentials and the exact variables are in the operator guide; the reference schemes themselves are covered under Connectors & secrets.