Environment variables (self-hosted)
How to configure a self-hosted deployment. Every setting is an environment variable on the API container — set them in your .env.selfhost (the reference stack) or your orchestrator.
Core settings
| Variable | Description |
|---|---|
SECRET_ISOLATION | Set to dedicated for a self-hosted deployment. Required in production. |
JWT_SECRET | Signs dashboard session tokens. A long random value (openssl rand -hex 48). |
ACTION_SIGNING_SECRET | Signs action warrants, approval links, and ledger anchors. A distinct random value. |
ENCRYPTION_KEY | Encrypts stored secrets at rest. Optional; falls back to the action secret. Set a distinct key. |
CORS_ORIGINS | Comma-separated dashboard origin(s). No * in production. |
TRUST_PROXY | Number of proxy hops in front of the API (usually 1), so rate limiting sees the real client IP. |
STORE_DRIVER / DATABASE_URL | Use postgres with a connection string (recommended); the embedded store needs PROVENANT_ALLOW_EMBEDDED_STORE=true. |
PROVENANT_LICENSE_KEY | Your license key (the self-hosted subscription). Optional — none = Free limits. See Self-hosting & licensing. |
CONNECTOR_TRANSPORT | http (real downstream forwarding) or mock. Production requires http unless mock execution is acknowledged. |
CREDENTIAL_BROKER | mock | stripe_issuing | oauth_token_exchange | aws_sts — the deployment-level broker (a per-connector profile always wins). |
EMAIL_PROVIDER | console (logs — a solo admin can reset via the datastore), resend (HTTP), or smtp (any relay) — powers password reset. With resend/smtp also set the provider's vars + EMAIL_FROM. |
METRICS_TOKEN | When set, GET /metrics requires a bearer token. Set it whenever the API port is reachable. |
Full operator reference
Custom variables for connectors
Any secret field on a connector — an API key, bearer token, basic password, OAuth client secret — accepts a literal or a reference resolved at call time. On a self-hosted deployment you can reference your own environment variables with env:NAME, so the raw secret lives in your deployment config, never in the database:
# In .env.selfhost (or your orchestrator's secret store):
OPENAI_API_KEY=sk-...
ACME_WEBHOOK_TOKEN=what-ever
# Then in the connector's auth field, enter the reference instead of the literal:
env:OPENAI_API_KEY
env:ACME_WEBHOOK_TOKENThe variable name is yours to choose — define it alongside the other settings and reference it by that name. env: reads from the deployment's own process environment, so it is a self-hosted capability (the hosted platform rejects it — there, secrets come from each organization's own configured secret managers). A reference that can't resolve fails closed: the action fails rather than dispatching a blank credential.
Managed secret providers (alternative)
Instead of (or alongside) env:, connectors can pull secrets from a managed provider — HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager. Configure one per deployment, then reference secrets by name (vault:…, awssm:…, azkv:…, gsm:…). The provider credentials and the exact variables are in the operator guide; the reference schemes themselves are covered under Connectors & secrets.