Skip to content

Environment Variable Reference

This page summarizes the important environment variables currently visible in the Seamless Auth auth server, server adapter, local starters, and CLI-generated stack.

The values here are meant to explain ownership boundaries. For exact defaults, always check the source repo .env.example or generated project files.


These values belong to seamless-auth-api.

VariablePurpose
NODE_ENVRuntime environment
HOSTBind host for the auth server
PORTBind port for the auth server
APP_NAMEHuman-readable application name
APP_IDApplication identifier
APP_ORIGINSCORS origins allowed to call the auth server
ISSUERToken issuer value

APP_ORIGINS and WebAuthn ORIGINS are related but not identical. APP_ORIGINS controls CORS for the auth API; ORIGINS controls WebAuthn browser origins in system config.


These values seed the system_config table when missing.

VariablePurpose
DEFAULT_ROLESRoles assigned to newly created users
AVAILABLE_ROLESRoles allowed in the system
LOGIN_METHODSEnabled login methods: passkey, magic_link, email_otp, phone_otp, oauth
PASSKEY_LOGIN_FALLBACK_ENABLEDWhether fallback methods can appear alongside passkey login
OAUTH_PROVIDERSJSON array of OAuth provider configs
LOCKOUT_POLICYJSON login lockout policy
ACCESS_TOKEN_TTLAccess token lifetime, such as 30m
REFRESH_TOKEN_TTLRefresh token lifetime, such as 1h
RATE_LIMITBase request rate limit
DELAY_AFTERSlowdown threshold
RPIDWebAuthn relying party ID
ORIGINSComma-separated WebAuthn browser origins
APP_NAMEApplication name shown in auth experiences

OAUTH_PROVIDERS stores provider metadata, not provider client secrets. Each provider references a secret env var through clientSecretEnv.


The auth API can use a single DATABASE_URL or individual Postgres fields.

VariablePurpose
DATABASE_URLFull Postgres connection URL
DB_HOSTDatabase host
DB_PORTDatabase port
DB_NAMEDatabase name
DB_USERDatabase user
DB_PASSWORDDatabase password
DB_LOGGINGEnables SQL logging from app and migrations

Prefer DATABASE_URL in containers and hosted environments if your infrastructure already provides one.


VariablePurpose
API_SERVICE_TOKENShared service token for trusted server-to-auth calls
REFRESH_TOKEN_LOOKUP_SECRETSecret for indexed refresh-token lookup fingerprints
TOTP_SECRET_ENCRYPTION_KEYEncryption key for TOTP secrets at rest
OAUTH_STATE_SECRETSigning secret for OAuth state
SEAMLESS_BOOTSTRAP_ENABLEDEnables the first-admin bootstrap flow
SEAMLESS_BOOTSTRAP_SECRETSecret used to authorize bootstrap invite creation

Production should define stable dedicated values for REFRESH_TOKEN_LOOKUP_SECRET, TOTP_SECRET_ENCRYPTION_KEY, and OAUTH_STATE_SECRET. Development fallbacks exist, but they are not a production secret-rotation strategy.


VariablePurpose
RPIDRelying party ID used for passkeys
ORIGINSAllowed browser origins

These are especially important for local development. Mismatched hostnames or ports can break passkey flows even when the rest of the stack looks healthy.


VariablePurpose
LOGIN_METHODSMust include oauth to offer OAuth login
OAUTH_PROVIDERSJSON provider config array
OAUTH_STATE_SECRETOAuth state signing secret
Provider secret varsValues referenced by provider clientSecretEnv

Example provider configs reference secrets by name:

{
"id": "google",
"clientSecretEnv": "GOOGLE_CLIENT_SECRET"
}

GOOGLE_CLIENT_SECRET belongs in the deployed environment or secret manager, not in OAUTH_PROVIDERS or system_config.


The auth API can send OTPs, magic links, and bootstrap invites directly when delivery is enabled.

VariablePurpose
MESSAGING_ENABLE_IN_DEVEnables direct delivery in development
MESSAGING_AWS_REGIONAWS region for AWS-backed messaging
MESSAGING_EMAIL_FROMSender address for email delivery
MESSAGING_SMS_PROVIDERSMS provider selection, such as aws or twilio
MESSAGING_SMS_FROMSender number for SMS
MESSAGING_TWILIO_ACCOUNT_SIDTwilio account SID
MESSAGING_TWILIO_AUTH_TOKENTwilio auth token

When @seamless-auth/express owns delivery, the auth server can return external-delivery payloads to that trusted adapter instead of delivering messages itself.


Production access-token signing uses configured JWKS material.

VariablePurpose
SEAMLESS_JWKS_ACTIVE_KIDActive signing key ID
SEAMLESS_JWKS_KEY_<kid>_PRIVATEPrivate key for the active key ID
JWKS_PUBLIC_KEYSPublic JWKS key material

Keep retired public keys available until all tokens signed with them have expired.


The Express starter and @seamless-auth/express need their own backend environment.

VariablePurpose
AUTH_SERVER_URLBase URL for the private Seamless Auth API
COOKIE_SIGNING_KEYSecret for signed application auth cookies
API_SERVICE_TOKENShared service token for API-to-auth communication
APP_ORIGINIssuer/origin value for the application API
JWKS_KIDKey ID used by the adapter for cookie verification
UI_ORIGINSBrowser origins allowed by the Express starter CORS

The adapter is the browser-facing cookie boundary. Do not put browser cookie custody directly on the raw auth API.


The React starter and admin dashboard need the URL for the backend API where the auth adapter is mounted.

VariableUsed byPurpose
VITE_API_URLVite frontend and adminBackend API base URL
/config.jsAdmin dashboard imageRuntime config injection path

The admin dashboard reads runtime config first, then falls back to Vite env values for local development.


In the generated local stack, these values often line up like this:

ServiceCommon local URL
Auth APIhttp://localhost:5312
Backend APIhttp://localhost:3000
Web apphttp://localhost:5173
Admin dashboardhttp://localhost:5174

Inside Docker, service-to-service URLs use service names. For example, the API should call the auth server at http://auth:5312, not http://localhost:5312.


When documenting environment variables:

  • prefer .env.example, source config maps, or generated project files over older prose
  • label whether a variable belongs to the auth server, backend adapter, frontend, admin app, or CLI
  • keep raw secrets out of system config examples
  • distinguish required production secrets from development fallbacks