Environment Variables

Configure your Penombre instance with environment variables.

See .example.env for a complete reference.

Core

General application settings that control the runtime identity, environment mode, and logging behavior.

ORIGIN must be set to the public URL where your instance is accessible. It is used to generate absolute URLs in OAuth callbacks and email links. In development this is typically http://localhost:3000.

| Variable | Description | Default |
| --- | --- | --- |
| APP_NAME | Application name (used in UI and emails) | Penombre |
| APP_VERSION | Application version (used in metadata) | / |
| APP_ENV | Environment (dev/production) | production |
| ORIGIN | Public origin URL (used for OAuth callbacks) | http://localhost:3000 |
| LOG_LEVEL | debug, info, warn, error, trace | info |
| LOG_FORMAT | console or json | console |

Database

Penombre requires a PostgreSQL database. Provide a standard connection string including credentials, host, port, and database name.

| Variable | Description | Default |
| --- | --- | --- |
| DATABASE_URL | PostgreSQL connection string | Required |

Initial Setup

These variables are only used during the first-time database seed to create the initial admin account. They have no effect after the database has been initialized and can be removed from your environment afterwards.

| Variable | Description | Default |
| --- | --- | --- |
| ADMIN_EMAIL | Initial admin account email | Required |
| ADMIN_PASSWORD | Initial admin account password | Required |

Authentication

Controls how users authenticate. AUTH_SECRET must be a long, random string — you can generate one with openssl rand -hex 32. Keep it secret and do not rotate it without invalidating all existing sessions.

| Variable | Description | Default |
| --- | --- | --- |
| AUTH_SECRET | Secret key for signing auth tokens | Required |
| ENABLE_EMAIL_SIGNIN | Enable email/password sign-in | true |
| ENABLE_OAUTH_SIGNIN | Enable OAuth sign-in | false |
| MIN_PASSWORD_LENGTH | Minimum password length | 8 |

OAuth Providers (Optional)

Penombre supports any OIDC-compliant provider. Enable OAuth sign-in by setting ENABLE_OAUTH_SIGNIN=true and configuring at least one provider using the naming pattern OAUTH_<PROVIDER>_<SETTING>, where <PROVIDER> is an uppercase identifier of your choice (e.g. GOOGLE, GITHUB, POCKET_ID).

| Variable | Description | Default |
| --- | --- | --- |
| OAUTH_<PROVIDER>_ENABLED | Enable this provider | true |
| OAUTH_<PROVIDER>_CLIENT_ID | OAuth client ID | Required |
| OAUTH_<PROVIDER>_CLIENT_SECRET | OAuth client secret | Required |
| OAUTH_<PROVIDER>_DISCOVERY_URL | OIDC discovery URL | Required |
| OAUTH_<PROVIDER>_PRETTY_NAME | Display name in the UI | Provider name |
| OAUTH_<PROVIDER>_PKCE | Use PKCE | true |
| OAUTH_<PROVIDER>_SCOPES | Comma-separated scopes | openid,profile,email |

SMTP (Optional)

Required for email features such as password reset and email verification. Set SMTP_ENABLED=true and provide the connection details for your mail server. If SMTP is disabled, email-dependent features will be unavailable.

| Variable | Description | Default |
| --- | --- | --- |
| SMTP_ENABLED | Enable SMTP | false |
| SMTP_HOST | SMTP server hostname | Required if enabled |
| SMTP_PORT | SMTP server port | 587 |
| SMTP_USER | SMTP username | Required if enabled |
| SMTP_PASSWORD | SMTP password | Required if enabled |
| SMTP_FROM | Sender email address | Required if enabled |
| SMTP_SECURE | Use TLS (true/false) | false |
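
A pre-deployment check that applies the required and default rules from the tables on this page to a set of environment variables. This is an added example, not part of Penombre: the function names, the sample values and the three hardening checks (secret length, https origin in production, PKCE enabled) are assumptions of this sketch.

```python
import re
from urllib.parse import urlparse

# Names, defaults and "Required" markers follow this page; hardening checks are assumptions.
OAUTH_KEY = re.compile(r"^OAUTH_(.+)_(ENABLED|CLIENT_ID|CLIENT_SECRET|DISCOVERY_URL|PRETTY_NAME|PKCE|SCOPES)$")
OAUTH_REQUIRED = ("CLIENT_ID", "CLIENT_SECRET", "DISCOVERY_URL")
SMTP_REQUIRED = ("SMTP_HOST", "SMTP_USER", "SMTP_PASSWORD", "SMTP_FROM")

def is_true(env, key, default):
    return env.get(key, default).strip().lower() == "true"

def check_env(env):
    """Return a list of findings for a mapping of environment variables."""
    findings = [f"{k} is required" for k in ("DATABASE_URL", "AUTH_SECRET") if not env.get(k)]
    # Assumption: shorter than the 64 characters `openssl rand -hex 32` prints is too weak.
    if 0 < len(env.get("AUTH_SECRET", "")) < 64:
        findings.append("AUTH_SECRET is shorter than 64 characters")
    # Assumption: a production ORIGIN should be https (OAuth callbacks and email links use it).
    scheme = urlparse(env.get("ORIGIN", "http://localhost:3000")).scheme
    if env.get("APP_ENV", "production") == "production" and scheme != "https":
        findings.append("ORIGIN is not https while APP_ENV=production")
    if is_true(env, "SMTP_ENABLED", "false"):
        findings += [f"{k} is required when SMTP_ENABLED=true" for k in SMTP_REQUIRED if not env.get(k)]
    if is_true(env, "ENABLE_OAUTH_SIGNIN", "false"):
        # The regex keeps provider identifiers that contain underscores (e.g. POCKET_ID) intact.
        providers = sorted({m.group(1) for m in map(OAUTH_KEY.match, env) if m})
        active = [p for p in providers if is_true(env, f"OAUTH_{p}_ENABLED", "true")]
        if not active:
            findings.append("ENABLE_OAUTH_SIGNIN=true but no provider is enabled")
        for p in active:
            findings += [f"OAUTH_{p}_{s} is required" for s in OAUTH_REQUIRED if not env.get(f"OAUTH_{p}_{s}")]
            if not is_true(env, f"OAUTH_{p}_PKCE", "true"):
                findings.append(f"OAUTH_{p}_PKCE is disabled")
    return findings

# Constructed sample environment; every value is a placeholder.
SAMPLE = {
    "ORIGIN": "http://penombre.example.test",
    "DATABASE_URL": "postgresql://user:pass@db.example.test:5432/penombre",
    "AUTH_SECRET": "changeme",
    "ENABLE_OAUTH_SIGNIN": "true",
    "OAUTH_POCKET_ID_CLIENT_ID": "constructed-client-id",
    "OAUTH_POCKET_ID_PKCE": "false",
    "SMTP_ENABLED": "true",
    "SMTP_HOST": "mail.example.test",
}

if __name__ == "__main__":
    print("\n".join(check_env(SAMPLE)))
```

Passing os.environ instead of SAMPLE runs the same checks against the live environment, for example in a container entrypoint or CI step.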
