# Environment Variables

Configure the API container via environment variables (see Backend/internal/config/config.go). Required values must be set before the process starts.

## Required

| Variable | Description |
|---|---|
| `SECRET_KEY` | Signing key for tokens; minimum 32 characters |
## Database

| Variable | Description |
|---|---|
| `DATABASE_URL` | SQL connection string (dev / `IS_DEV=true`) |
| `SQL_SERVER` | Azure SQL server host (production, managed identity auth) |
| `SQL_DATABASE` | Database name |
| `AZURE_CLIENT_ID` | User-assigned managed identity (optional) |
| `DATABASE_URL_PLATFORM_ADMIN` | Optional DSN that bypasses RLS, for platform jobs |
| `IS_DEV` | When `true`, prefer `DATABASE_URL` over managed identity |
## Application URLs

| Variable | Description |
|---|---|
| `APP_BASE_URL` | SPA origin for OAuth redirects (no trailing slash) |
| `API_PUBLIC_URL` | Public API base for OAuth callbacks |
| `PORT` | Listen port (default from platform) |

| Variable | Description |
|---|---|
| `AUTH_POLICY` | `standard` or `restricted` (SSO-only + domain allowlist) |
| `AUTH_ALLOWED_EMAIL_DOMAINS` | Comma-separated domains when `restricted` |
| `MS_CLIENT_ID` / `MS_CLIENT_SECRET` | Platform Microsoft login |
| `ACCESS_TOKEN_EXPIRE_MINUTES` | JWT access TTL (default 60) |
| `REFRESH_TOKEN_EXPIRE_DAYS` | Refresh cookie TTL (default 7) |
| `REFRESH_COOKIE_SAMESITE` | `strict`, `lax`, or `none` |
| `MFA_ISSUER` | TOTP issuer name |

| Variable | Description |
|---|---|
| `ALLOW_ORIGINS` | Comma-separated SPA origins (required in production) |
| `ALLOW_CREDENTIALS` | `true` for cookie refresh |
| `ALLOW_METHODS` / `ALLOW_HEADERS` | Override defaults if needed |
## Email & jobs

| Variable | Description |
|---|---|
| `RESEND_API_KEY` | Transactional email |
| `RESEND_FROM_ADDR` | From address |
| `MAINTENANCE_NOTIFY_TICKER_MINUTES` | Maintenance reminder poll interval |
## Observability

| Variable | Description |
|---|---|
| `APPLICATIONINSIGHTS_CONNECTION_STRING` | Azure Monitor / App Insights |
| `LOG_LEVEL` | `debug`, `info`, `warn`, `error` |
| `LOG_FORMAT` | `logfmt`, `json`, `text` |
| `SERVICE_NAME` / `SERVICE_VERSION` | OTEL resource attributes |
## Vulnerability feeds (platform)

| Variable | Description |
|---|---|
| `NVD_API_KEY` | NVD API key (governs NVD rate limits) |
| `SHODAN_API_KEY` | Shodan lookups |
| `CISCO_PSIRT_CLIENT_ID` / `CISCO_PSIRT_CLIENT_SECRET` | Cisco advisories |
## Edge snaps (optional)

| Variable | Description |
|---|---|
| `SNAP_PUBLISH_TOKEN` | Token CI presents to publish to `/admin/publish` |
| `AZURE_STORAGE_ACCOUNT` / `AZURE_STORAGE_CONTAINER` | Snap blobs |
| `AZURE_STORAGE_KEY` | Storage account key; omit to use managed identity instead |
| `SNAP_BLOB_LOCAL_ROOT` | Local dev blob path |
## Feature flags

| Variable | Description |
|---|---|
| `ADMIN_PANEL_ENABLED` | Register `/api/v1/admin/*` platform routes |
| `PLATFORM_ADMIN_EMAIL_DOMAINS` | Email domains allowed to access platform admin |
| `RATE_LIMIT_ENABLED` | HTTP rate limiting |
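The constraints documented above (32-character `SECRET_KEY`, `DATABASE_URL` in dev versus `SQL_SERVER`/`SQL_DATABASE` in production, a domain allowlist whenever `AUTH_POLICY=restricted`, a valid `REFRESH_COOKIE_SAMESITE`, `ALLOW_ORIGINS` in production, no trailing slash on `APP_BASE_URL`) can be checked before the process starts. The preflight validator below is an added example, not code from Backend/internal/config/config.go; it assumes that "production" means `IS_DEV` is not `true`, that an unset `AUTH_POLICY` means `standard`, and that an unset `REFRESH_COOKIE_SAMESITE` falls back to a server default.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// ValidateEnv checks the documented constraints against a set of variables.
// It takes a map rather than reading os.Environ so it can be tested offline;
// one message is returned per problem found. (Hypothetical helper, not part
// of the project's config package.)
func ValidateEnv(env map[string]string) []string {
	var errs []string
	get := func(k string) string { return strings.TrimSpace(env[k]) }
	isDev := get("IS_DEV") == "true" // assumption: anything else is production

	// Required: the token signing key must be at least 32 characters.
	if len(get("SECRET_KEY")) < 32 {
		errs = append(errs, "SECRET_KEY must be set and at least 32 characters")
	}
	// Database: DATABASE_URL in dev, SQL_SERVER + SQL_DATABASE (managed identity) in production.
	if isDev && get("DATABASE_URL") == "" {
		errs = append(errs, "DATABASE_URL is required when IS_DEV=true")
	} else if !isDev && (get("SQL_SERVER") == "" || get("SQL_DATABASE") == "") {
		errs = append(errs, "SQL_SERVER and SQL_DATABASE are required in production")
	}
	// A restricted policy is only meaningful with an explicit domain allowlist.
	switch get("AUTH_POLICY") {
	case "", "standard": // assumption: unset means standard
	case "restricted":
		if get("AUTH_ALLOWED_EMAIL_DOMAINS") == "" {
			errs = append(errs, "AUTH_ALLOWED_EMAIL_DOMAINS is required when AUTH_POLICY=restricted")
		}
	default:
		errs = append(errs, "AUTH_POLICY must be standard or restricted")
	}
	// Refresh cookie SameSite must be one of the documented values.
	switch get("REFRESH_COOKIE_SAMESITE") {
	case "", "strict", "lax", "none": // assumption: unset uses the server default
	default:
		errs = append(errs, "REFRESH_COOKIE_SAMESITE must be strict, lax, or none")
	}
	// CORS origins are mandatory in production; OAuth redirects need a clean SPA origin.
	if !isDev && get("ALLOW_ORIGINS") == "" {
		errs = append(errs, "ALLOW_ORIGINS is required in production")
	}
	if strings.HasSuffix(get("APP_BASE_URL"), "/") {
		errs = append(errs, "APP_BASE_URL must not end with a trailing slash")
	}
	return errs
}

func main() {
	// Stand-alone use: read the real environment and fail fast on any problem.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if i := strings.IndexByte(kv, '='); i > 0 {
			env[kv[:i]] = kv[i+1:]
		}
	}
	for _, e := range ValidateEnv(env) {
		fmt.Fprintln(os.Stderr, "config:", e)
	}
}
```

Run it from the same environment the container would receive; a non-empty list means the process should not be started with that configuration.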