Environment Variables

Complete reference for all Aurora environment variables. Configuration is done via the .env file in the project root.

Quick Setup

# Create .env from template
cp .env.example .env

# Or use the init script (auto-generates secrets)
make init

Core Configuration

Application Environment

Variable	Default	Description
AURORA_ENV	dev	Environment mode: dev, staging, production

Database

PostgreSQL connection settings.

Variable	Default	Description
POSTGRES_USER	aurora	Database username
POSTGRES_PASSWORD	required	Database password (auto-generated by make init)
POSTGRES_DB	aurora_db	Database name
POSTGRES_HOST	postgres	Database host (container name in Docker)
POSTGRES_PORT	5432	Database port

POSTGRES_USER=aurora
POSTGRES_PASSWORD=your-secure-64-char-password
POSTGRES_DB=aurora_db
POSTGRES_HOST=postgres
POSTGRES_PORT=5432

Redis

Redis connection for Celery task queue and caching.

Variable	Default	Description
REDIS_URL	redis://redis:6379/0	Full Redis connection URL

REDIS_URL=redis://redis:6379/0

Object Storage

S3-compatible object storage configuration. SeaweedFS is included by default.

Variable	Default	Description
STORAGE_BUCKET	aurora-storage	Bucket name
STORAGE_ENDPOINT_URL	http://seaweedfs-filer:8333	S3 endpoint URL
STORAGE_ACCESS_KEY	admin	Access key
STORAGE_SECRET_KEY	admin	Secret key
STORAGE_REGION	us-east-1	AWS region (for S3 compatibility)
STORAGE_USE_SSL	false	Use HTTPS for storage
STORAGE_VERIFY_SSL	false	Verify SSL certificates
STORAGE_CACHE_ENABLED	true	Enable storage response caching
STORAGE_CACHE_TTL	60	Cache TTL in seconds

Default (SeaweedFS)

STORAGE_BUCKET=aurora-storage
STORAGE_ENDPOINT_URL=http://seaweedfs-filer:8333
STORAGE_ACCESS_KEY=admin
STORAGE_SECRET_KEY=admin
STORAGE_REGION=us-east-1
STORAGE_USE_SSL=false

AWS S3

STORAGE_BUCKET=your-bucket-name
STORAGE_ENDPOINT_URL=https://s3.amazonaws.com
STORAGE_ACCESS_KEY=AKIAXXXXXXXXXXXXXXXX
STORAGE_SECRET_KEY=your-secret-key
STORAGE_REGION=us-east-1
STORAGE_USE_SSL=true
STORAGE_VERIFY_SSL=true

Cloudflare R2

STORAGE_BUCKET=your-bucket-name
STORAGE_ENDPOINT_URL=https://accountid.r2.cloudflarestorage.com
STORAGE_ACCESS_KEY=your-access-key
STORAGE_SECRET_KEY=your-secret-key
STORAGE_REGION=auto
STORAGE_USE_SSL=true

URLs & Networking

Service URLs for internal and external communication.

Variable	Default	Description
FRONTEND_URL	http://localhost:3000	Public frontend URL
BACKEND_URL	http://aurora-server:5080	Internal backend URL (container-to-container)
NEXT_PUBLIC_BACKEND_URL	http://localhost:5080	Public backend URL (browser access)
NEXT_PUBLIC_WEBSOCKET_URL	ws://localhost:5006	Public WebSocket URL
CHATBOT_INTERNAL_URL	http://chatbot:5007	Internal chatbot URL

FRONTEND_URL=http://localhost:3000
BACKEND_URL=http://aurora-server:5080
NEXT_PUBLIC_BACKEND_URL=http://localhost:5080
NEXT_PUBLIC_WEBSOCKET_URL=ws://localhost:5006
CHATBOT_INTERNAL_URL=http://chatbot:5007

Remote / VM Deployment

When deploying on a remote server or VM, set the NEXT_PUBLIC_* and FRONTEND_URL variables to the machine's IP or hostname:

FRONTEND_URL=http://YOUR_IP:3000
NEXT_PUBLIC_BACKEND_URL=http://YOUR_IP:5080
NEXT_PUBLIC_WEBSOCKET_URL=ws://YOUR_IP:5006

These values are injected at container startup (not baked at build time), so you do not need to rebuild images after changing them. Just recreate the frontend container:

docker compose -f docker-compose.prod-local.yml up -d frontend

Authentication & Security

Variable	Default	Description
FLASK_SECRET_KEY	required	Flask session secret (auto-generated by make init)
FLASK_PORT	5080	Flask server port
AUTH_SECRET	required	Auth.js secret for session encryption
AUTH_URL	${FRONTEND_URL}	Auth.js canonical URL (set automatically in docker-compose from FRONTEND_URL)

FLASK_SECRET_KEY=your-secure-64-char-secret
FLASK_PORT=5080
AUTH_SECRET=your-secure-64-char-secret
# AUTH_URL is set from FRONTEND_URL in docker-compose — no need to set manually

Vault (Secrets Management)

HashiCorp Vault configuration for storing user credentials.

Variable	Default	Description
VAULT_ADDR	http://vault:8200	Vault server address
VAULT_TOKEN	required	Vault authentication token
VAULT_KV_MOUNT	aurora	KV secrets engine mount path
VAULT_KV_BASE_PATH	users	Base path for user secrets

VAULT_ADDR=http://vault:8200
VAULT_TOKEN=hvs.your-vault-token
VAULT_KV_MOUNT=aurora
VAULT_KV_BASE_PATH=users

Getting Vault Token

On first startup, get the root token from:

docker logs vault-init 2>&1 | grep "Root Token:"

LLM & AI Services

At least one LLM provider API key is required. See LLM Providers for detailed setup instructions.

Variable	Default	Description
OPENROUTER_API_KEY	-	OpenRouter API key (recommended)
OPENAI_API_KEY	-	OpenAI API key
ANTHROPIC_API_KEY	-	Anthropic API key
GOOGLE_AI_API_KEY	-	Google AI API key
LLM_PROVIDER_MODE	openrouter	Provider routing mode (see below)
AGENT_RECURSION_LIMIT	240	Max agent reasoning steps

LLM_PROVIDER_MODE

Controls how Aurora routes LLM requests. Three modes are available:

Mode	Description	Required key
openrouter	All requests go through OpenRouter. One key gives access to models from Anthropic, OpenAI, Google, and others.	OPENROUTER_API_KEY
direct	Requests go directly to each provider's API based on the model prefix (e.g. anthropic/... → Anthropic API). No OpenRouter account needed, but you need a separate API key for each provider you use.	Provider-specific key(s)
auto	Same behaviour as direct.	Provider-specific key(s)

openrouter is recommended for most deployments — a single key, broadest model selection, and no need to manage multiple provider accounts.

# Use one of these
OPENROUTER_API_KEY=sk-or-v1-your-key
OPENAI_API_KEY=sk-your-key
ANTHROPIC_API_KEY=sk-ant-your-key
GOOGLE_AI_API_KEY=your-key

LLM_PROVIDER_MODE=openrouter   # or: direct
AGENT_RECURSION_LIMIT=240

Vertex AI (Google Cloud)

Variable	Default	Description
VERTEX_AI_PROJECT	-	Google Cloud project ID
VERTEX_AI_LOCATION	global	Vertex AI location
VERTEX_AI_SERVICE_ACCOUNT_JSON	-	Service account key JSON string

VERTEX_AI_PROJECT=my-gcp-project
VERTEX_AI_LOCATION=global
VERTEX_AI_SERVICE_ACCOUNT_JSON={"type":"service_account",...}

Ollama (Local Models)

Variable	Default	Description
OLLAMA_BASE_URL	http://host.docker.internal:11434	Ollama server URL

OLLAMA_BASE_URL=http://host.docker.internal:11434

Web Search

Variable	Default	Description
TAVILY_API_KEY	-	Tavily search API key
SEARXNG_URL	http://searxng:8080	SearXNG internal URL
SEARXNG_BASE_URL	http://localhost:8082	SearXNG public URL
SEARXNG_SECRET	-	SearXNG secret key

AI Features

Variable	Default	Description
RCA_MODEL	-	Model for background RCA (format: provider/model). Overrides RCA_OPTIMIZE_COSTS when set.
RCA_OPTIMIZE_COSTS	true	Only used when RCA_MODEL is not set. true = anthropic/claude-3-haiku, false = anthropic/claude-opus-4.5
GEMINI_DISABLE_THINKING	-	Disable Gemini thinking mode

Cloud Providers

GCP (Google Cloud Platform)

Variable	Description
CLIENT_ID	GCP OAuth Client ID
CLIENT_SECRET	GCP OAuth Client Secret

CLIENT_ID=your-client-id.apps.googleusercontent.com
CLIENT_SECRET=your-client-secret

AWS (Amazon Web Services)

Variable	Default	Description
AWS_ACCESS_KEY_ID	-	Aurora's AWS access key
AWS_SECRET_ACCESS_KEY	-	Aurora's AWS secret key
AWS_DEFAULT_REGION	us-east-1	Default AWS region

AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
AWS_SECRET_ACCESS_KEY=your-secret-key
AWS_DEFAULT_REGION=us-east-1

note

These are Aurora's own AWS credentials for STS AssumeRole calls, not end-user credentials.

Cloud Provider Cache

Variable	Default	Description
AURORA_SETUP_CACHE_ENABLED	true	Cache cloud provider setup data
AURORA_SETUP_CACHE_TTL	3600	Cache TTL in seconds
AURORA_VERIFY_CLI_IDENTITY	false	Verify CLI identity
AURORA_CACHE_TOKEN_IN_REDIS	false	Cache tokens in Redis

Third-Party Integrations

GitHub

Variable	Description
GH_OAUTH_CLIENT_ID	GitHub OAuth App Client ID
GH_OAUTH_CLIENT_SECRET	GitHub OAuth App Client Secret

GH_OAUTH_CLIENT_ID=your-client-id
GH_OAUTH_CLIENT_SECRET=your-client-secret

Slack

Variable	Description
SLACK_CLIENT_ID	Slack App Client ID
SLACK_CLIENT_SECRET	Slack App Client Secret
SLACK_SIGNING_SECRET	Slack App Signing Secret

SLACK_CLIENT_ID=your-client-id
SLACK_CLIENT_SECRET=your-client-secret
SLACK_SIGNING_SECRET=your-signing-secret

PagerDuty

Variable	Default	Description
NEXT_PUBLIC_ENABLE_PAGERDUTY_OAUTH	false	Enable PagerDuty OAuth in UI
PAGERDUTY_CLIENT_ID	-	PagerDuty OAuth Client ID
PAGERDUTY_CLIENT_SECRET	-	PagerDuty OAuth Client Secret

NEXT_PUBLIC_ENABLE_PAGERDUTY_OAUTH=true
PAGERDUTY_CLIENT_ID=your-client-id
PAGERDUTY_CLIENT_SECRET=your-client-secret

OVH

Variable	Default	Description
NEXT_PUBLIC_ENABLE_OVH	false	Enable OVH connector in UI
OVH_EU_CLIENT_ID	-	OVH EU region Client ID
OVH_EU_CLIENT_SECRET	-	OVH EU region Client Secret
OVH_CA_CLIENT_ID	-	OVH CA region Client ID
OVH_CA_CLIENT_SECRET	-	OVH CA region Client Secret
OVH_US_CLIENT_ID	-	OVH US region Client ID
OVH_US_CLIENT_SECRET	-	OVH US region Client Secret

NEXT_PUBLIC_ENABLE_OVH=true
OVH_EU_CLIENT_ID=your-eu-client-id
OVH_EU_CLIENT_SECRET=your-eu-client-secret

Scaleway

Variable	Default	Description
NEXT_PUBLIC_ENABLE_SCALEWAY	false	Enable Scaleway connector in UI

NEXT_PUBLIC_ENABLE_SCALEWAY=true

No additional server-side credentials required. Users connect via API key through the UI.

Confluence

Variable	Description
CONFLUENCE_CLIENT_ID	Confluence OAuth Client ID
CONFLUENCE_CLIENT_SECRET	Confluence OAuth Client Secret

CONFLUENCE_CLIENT_ID=your-client-id
CONFLUENCE_CLIENT_SECRET=your-client-secret

SharePoint

Variable	Default	Description
NEXT_PUBLIC_ENABLE_SHAREPOINT	false	Enable SharePoint connector in UI
SHAREPOINT_CLIENT_ID	-	Azure App Client ID
SHAREPOINT_CLIENT_SECRET	-	Azure App Client Secret
SHAREPOINT_TENANT_ID	common	Azure Tenant ID

NEXT_PUBLIC_ENABLE_SHAREPOINT=true
SHAREPOINT_CLIENT_ID=your-client-id
SHAREPOINT_CLIENT_SECRET=your-client-secret
SHAREPOINT_TENANT_ID=your-tenant-id

Email (SMTP)

Variable	Default	Description
SMTP_HOST	-	SMTP server hostname
SMTP_PORT	587	SMTP server port
SMTP_USER	-	SMTP username
SMTP_PASSWORD	-	SMTP password
SMTP_FROM_EMAIL	-	From email address
SMTP_FROM_NAME	Aurora	From display name

SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=your-username
SMTP_PASSWORD=your-password
SMTP_FROM_EMAIL=aurora@example.com
SMTP_FROM_NAME=Aurora

Kubernetes & Pod Isolation

Variable	Default	Description
ENABLE_POD_ISOLATION	false	Enable Kubernetes pod isolation
TERMINAL_NAMESPACE	-	Namespace for terminal pods
TERMINAL_IMAGE	-	Container image for terminals
TERMINAL_POD_TTL	-	Pod time-to-live
TERMINAL_RUNTIME_CLASS	-	RuntimeClass for pods
CHATBOT_POD_TTL	-	Chatbot pod TTL
USE_UNTRUSTED_NODES	-	Allow untrusted nodes
NEXT_PUBLIC_KUBECTL_AGENT_CHART_URL	-	Helm chart URL for kubectl agent

Weaviate (Vector Database)

Variable	Default	Description
WEAVIATE_HOST	weaviate	Weaviate server host
WEAVIATE_PORT	8080	Weaviate HTTP port
WEAVIATE_GRPC_PORT	50051	Weaviate gRPC port

WEAVIATE_HOST=weaviate
WEAVIATE_PORT=8080
WEAVIATE_GRPC_PORT=50051

Rate Limiting

Variable	Default	Description
RATE_LIMITING_ENABLED	false	Enable rate limiting
RATE_LIMIT_BYPASS_TOKEN	-	Token to bypass rate limits
RATE_LIMIT_HEADERS_ENABLED	true	Include rate limit headers in responses

RATE_LIMITING_ENABLED=true
RATE_LIMIT_BYPASS_TOKEN=your-bypass-token
RATE_LIMIT_HEADERS_ENABLED=true

Development

Variable	Default	Description
NGROK_URL	-	ngrok tunnel URL for local development

Environment File Locations

File	Purpose
.env	Your local configuration (gitignored)
.env.example	Template with all variables and documentation

Docker Compose Files

File	Purpose
docker-compose.yaml	Development stack
docker-compose.prod-local.yml	Production-like testing and deployment

Keep Docker Compose Files in Sync

When adding new environment variables, update both Docker Compose files to ensure consistency.