Configuration Reference

The backend is configured from environment variables. The canonical local list is backend/.env.example; the root compose file supplies defaults for the reference stack.

Core HTTP And Public URLs

| Variable | Use |
| --- | --- |
| DEPLOYMENT_MODE | cloud, onprem, or airgapped; do not rely on it alone for network policy. |
| HTTP_ADDRESS | API bind address, usually :8080. |
| HTTP_SHUTDOWN_TIMEOUT | Graceful shutdown window. |
| HTTP_CORS_ALLOW_ORIGINS | Browser origins allowed to call the API directly. |
| HTTP_HSTS_ENABLED | Enables HSTS when TLS terminates at the API or trusted proxy chain. |
| PUBLIC_VERIFY_BASE_URL | Base URL used in certificate QR and public verification links. |
| PUBLIC_INVITATION_BASE_URL | Base URL used in invitation acceptance links. |

Security Controls

| Variable | Use |
| --- | --- |
| ADMIN_API_ALLOWED_CIDRS | Explicit IP/CIDR allowlist for /admin/api/v1. |
| ADMIN_API_ALLOW_INTERNAL_NETWORKS | Allows loopback/private/link-local admin clients for internal deployments. |
| SENSITIVE_ACTION_MFA_MAX_AGE | Recent-MFA window for sensitive writes; 0 disables local-only checks. |
| SECURITY_OUTBOUND_ALLOWED_HOSTS | Host allowlist for IdP metadata, branding URLs, and webhooks. |
| SECURITY_OUTBOUND_ALLOWED_CIDRS | Explicit IP ranges allowed by outbound URL policy. |
| SECURITY_OUTBOUND_ALLOW_PRIVATE_NETWORKS | Only enable for controlled internal deployments. |
| VERIFY_RATE_LIMIT_PER_MINUTE / VERIFY_RATE_LIMIT_PER_HOUR | Public verification rate limits. |
| VERIFY_CAPTCHA_SECRET / VERIFY_CAPTCHA_VERIFY_URL | Optional Turnstile/hCaptcha-style siteverify integration. |
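The three SECURITY_OUTBOUND_* settings above form one outbound URL policy. The following is an added example of how such a policy can be evaluated against the address a destination actually resolves to; it is not the project's own code. It assumes a comma- or space-separated list format and that an explicitly listed CIDR counts as opt-in for that range even when it is private (the reference does not state this precedence).

```go
package main

import (
	"net/netip"
	"strings"
)

// OutboundPolicy holds the three SECURITY_OUTBOUND_* settings from the table above.
type OutboundPolicy struct {
	AllowedHosts         map[string]bool // SECURITY_OUTBOUND_ALLOWED_HOSTS, lower-cased
	AllowedCIDRs         []netip.Prefix  // SECURITY_OUTBOUND_ALLOWED_CIDRS
	AllowPrivateNetworks bool            // SECURITY_OUTBOUND_ALLOW_PRIVATE_NETWORKS
}

// ParseOutboundPolicy parses the env values; a comma/space-separated list is assumed.
func ParseOutboundPolicy(hosts, cidrs string, allowPrivate bool) (OutboundPolicy, error) {
	isSep := func(r rune) bool { return r == ',' || r == ' ' }
	p := OutboundPolicy{AllowedHosts: map[string]bool{}, AllowPrivateNetworks: allowPrivate}
	for _, h := range strings.FieldsFunc(hosts, isSep) {
		p.AllowedHosts[strings.ToLower(strings.TrimSuffix(h, "."))] = true
	}
	for _, c := range strings.FieldsFunc(cidrs, isSep) {
		pfx, err := netip.ParsePrefix(c)
		if err != nil {
			return p, err // reject the whole policy rather than silently dropping an entry
		}
		p.AllowedCIDRs = append(p.AllowedCIDRs, pfx)
	}
	return p, nil
}

// isInternal covers loopback, RFC 1918/ULA, link-local and unspecified addresses.
func isInternal(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsLinkLocalMulticast() || a.IsUnspecified()
}

// Allow checks the name and the address it resolved to, so DNS rebinding is caught.
func (p OutboundPolicy) Allow(host string, resolved netip.Addr) bool {
	resolved = resolved.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	inCIDR := false
	for _, pfx := range p.AllowedCIDRs {
		inCIDR = inCIDR || pfx.Contains(resolved)
	}
	hostOK := p.AllowedHosts[strings.ToLower(strings.TrimSuffix(host, "."))]
	if !hostOK && !inCIDR {
		return false // nothing on the allowlists matched
	}
	// An internal address passes only with the global opt-in or an explicit CIDR entry (assumed precedence).
	return !isInternal(resolved) || p.AllowPrivateNetworks || inCIDR
}
```

Call Allow with the address obtained from your own resolver immediately before dialing, and dial that address rather than re-resolving the name.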

Identity And Keycloak

| Variable | Use |
| --- | --- |
| KEYCLOAK_MASTER_ISSUER / KEYCLOAK_EXAWIPE_ISSUER | Public issuer URLs that must match JWT iss. |
| KEYCLOAK_MASTER_AUDIENCE / KEYCLOAK_EXAWIPE_AUDIENCE | Expected JWT audiences. |
| KEYCLOAK_MASTER_JWKS_URL / KEYCLOAK_EXAWIPE_JWKS_URL | JWKS endpoints used by the API. |
| KEYCLOAK_JWKS_CACHE_TTL | JWKS cache duration. |
| KEYCLOAK_ADMIN_* | Optional Admin API service-account configuration for provisioning users and IdPs. |

For the new frontend BFF, configure APP_BASE_URL, API_INTERNAL_URL, KEYCLOAK_ISSUER_MASTER, KEYCLOAK_ISSUER_EXAWIPE, KEYCLOAK_INTERNAL_URL, web client IDs/secrets, and a 32-byte or longer SESSION_SECRET.

Database, Queue, And Migrations

| Variable | Use |
| --- | --- |
| DATABASE_DSN | Main application DSN. |
| DATABASE_AUTOMIGRATE | Kept for developer compatibility; production should rely on SQL migrations. |
| DATABASE_SEED_DEV | Seeds local demo data; disable outside local/dev. |
| QUEUE_BACKEND | Current implementation is table. |
| MIGRATIONS_DATABASE_URL | DSN for the migrator image. |
| MIGRATIONS_ACTION | version, up, or other migrator command. |

Ingest And Agent Trust

| Variable | Use |
| --- | --- |
| INGEST_EMBEDDED | true embeds /ingest/v1 in the API; false expects standalone cmd/ingest. |
| INGEST_HTTP_ADDRESS | Standalone ingest bind address. |
| INGEST_DATABASE_DSN | Least-privilege ingest DB role; falls back to DATABASE_DSN when empty. |
| INGEST_RATE_LIMIT_UNIT_PER_HOUR / INGEST_RATE_LIMIT_BATCH_PER_HOUR | Per-agent-key proof submission limits. |
| AGENT_TRUST_MODE | dev, ed25519, or x509 proof-signature verification mode. |
| AGENT_CA_CERT_FILE / AGENT_CA_KEY_FILE | Operator CA for issued agent mTLS certificates. |
| AGENT_CLIENT_CERT_TTL | Lifetime for issued agent client certificates. |
| PROOF_MIN_AGENT_VERSION | Minimum accepted proof payload agent version. |

Signer And PAdES

| Variable | Use |
| --- | --- |
| SIGNER_MODE | test locally; production depends on final remote signer protocol. |
| SIGNER_ENDPOINT / SIGNER_TIMEOUT | Remote signer endpoint and timeout. |
| SIGNER_BEARER_TOKEN | Optional bearer credential when the remote protocol uses it. |
| SIGNER_TLS_CA_FILE, SIGNER_TLS_CLIENT_CERT_FILE, SIGNER_TLS_CLIENT_KEY_FILE | mTLS material. |
| CONSUMPTION_RECEIPT_SIGNATURE_KEY_ID | Key ID used for signed consumption receipts. |
| PADES_MODE | dev or eidas. |
| PADES_TSA_URL and credentials | RFC 3161 timestamp authority integration. |

LICENSE_DEV_MODE=true enables dev grant-signature bypasses and is refused when the environment declares production. Keep it disabled outside local test data.
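Several of the settings above are local-only modes (LICENSE_DEV_MODE, DATABASE_SEED_DEV, DATABASE_AUTOMIGRATE, SIGNER_MODE=test, AGENT_TRUST_MODE=dev, PADES_MODE=dev) and the BFF needs a 32-byte SESSION_SECRET. The following is an added startup guard that collects every such setting in one pass; it is not the project's own code. How the deployment declares production is not specified in this reference, so the environment label is passed in as a parameter, and the accepted boolean spellings are assumed.

```go
package main

import (
	"fmt"
	"strings"
)

// truthy mirrors common env boolean spellings; the exact parser is assumed.
func truthy(v string) bool {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "1", "true", "yes", "on":
		return true
	}
	return false
}

// CheckProductionConfig returns every dev-only or weak setting that must not be
// live. environment is whatever the deployment declares (how it is declared is
// not specified in this reference); env is the process environment as a map.
func CheckProductionConfig(environment string, env map[string]string) []string {
	var problems []string
	fail := func(format string, a ...any) { problems = append(problems, fmt.Sprintf(format, a...)) }
	// Always-on checks: these are wrong in any environment that is reachable.
	if len(env["SESSION_SECRET"]) < 32 {
		fail("SESSION_SECRET must be at least 32 bytes (got %d)", len(env["SESSION_SECRET"]))
	}
	if env["DEPLOYMENT_MODE"] == "cloud" && truthy(env["SECURITY_OUTBOUND_ALLOW_PRIVATE_NETWORKS"]) {
		fail("SECURITY_OUTBOUND_ALLOW_PRIVATE_NETWORKS is for controlled internal deployments, not cloud")
	}
	if !strings.EqualFold(environment, "production") {
		return problems
	}
	// Production-only refusals: the dev bypass modes from the tables above.
	if truthy(env["LICENSE_DEV_MODE"]) {
		fail("LICENSE_DEV_MODE=true is refused in production")
	}
	if truthy(env["DATABASE_SEED_DEV"]) {
		fail("DATABASE_SEED_DEV seeds demo data; disable outside local/dev")
	}
	if truthy(env["DATABASE_AUTOMIGRATE"]) {
		fail("DATABASE_AUTOMIGRATE is a developer convenience; production should rely on SQL migrations")
	}
	for _, m := range [][2]string{{"SIGNER_MODE", "test"}, {"AGENT_TRUST_MODE", "dev"}, {"PADES_MODE", "dev"}} {
		if env[m[0]] == m[1] {
			fail("%s=%s is a local-only mode", m[0], m[1])
		}
	}
	return problems
}
```

Run it before any listener is bound and exit non-zero when the returned slice is non-empty.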

Storage And Notifications

| Variable | Use |
| --- | --- |
| STORAGE_BACKEND | s3 or filesystem. |
| STORAGE_FILESYSTEM_ROOT | Root path for filesystem storage. |
| S3_ENDPOINT, S3_REGION, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY | S3-compatible storage connection. |
| S3_BUCKET_PROOFS, S3_BUCKET_CERTIFICATES, S3_BUCKET_BINARIES, S3_BUCKET_EXPORTS, S3_BUCKET_BILLING_DROP | Required bucket names. |
| NOTIFICATION_TRANSPORT | disabled, smtp, or webhook-capable transport behavior. |
| NOTIFICATION_SMTP_* | SMTP relay settings. |

Observability, Retention, Reporting

| Variable | Use |
| --- | --- |
| OBSERVABILITY_ENABLED | Enables OTel logging/metrics/traces. |
| OBSERVABILITY_SERVICE_NAME | Optional override; binaries set useful defaults. |
| OBSERVABILITY_ENVIRONMENT | Environment label for signals. |
| OBSERVABILITY_OTLP_ENDPOINT, OBSERVABILITY_OTLP_INSECURE, OBSERVABILITY_OTLP_HEADERS | OTel exporter settings. |
| RETENTION_AUDIT_LOG_TTL | Audit log retention, default intent 5 years. |
| RETENTION_VERIFICATION_LOG_TTL | Public verification log retention, default intent 5 years. |
| RETENTION_VERIFICATION_METADATA_TTL | IP/user-agent hash anonymization, default intent 90 days. |
| RETENTION_CLEANUP_INTERVAL, RETENTION_BATCH_SIZE | Maintenance worker cadence and batch size. |
| REPORTING_CO2_KG_PER_DEVICE | CO2 estimate factor used in usage/billing reporting. |