Skip to main content

Environment Variables

Complete reference for all Aurora environment variables. Configuration is done via the .env file in the project root.

Quick Setup

# Create .env from template
cp .env.example .env

# Or use the init script (auto-generates secrets)
make init

Core Configuration

Application Environment

VariableDefaultDescription
AURORA_ENVdevEnvironment mode: dev, staging, production

Database

PostgreSQL connection settings.

VariableDefaultDescription
POSTGRES_USERauroraDatabase username
POSTGRES_PASSWORDrequiredDatabase password (auto-generated by make init)
POSTGRES_DBaurora_dbDatabase name
POSTGRES_HOSTpostgresDatabase host (container name in Docker)
POSTGRES_PORT5432Database port
POSTGRES_USER=aurora
POSTGRES_PASSWORD=your-secure-64-char-password
POSTGRES_DB=aurora_db
POSTGRES_HOST=postgres
POSTGRES_PORT=5432

Redis

Redis connection for Celery task queue and caching.

VariableDefaultDescription
REDIS_URLredis://redis:6379/0Full Redis connection URL
REDIS_URL=redis://redis:6379/0

Object Storage

S3-compatible object storage configuration. SeaweedFS is included by default.

VariableDefaultDescription
STORAGE_BUCKETaurora-storageBucket name
STORAGE_ENDPOINT_URLhttp://seaweedfs-filer:8333S3 endpoint URL
STORAGE_ACCESS_KEYadminAccess key
STORAGE_SECRET_KEYadminSecret key
STORAGE_REGIONus-east-1AWS region (for S3 compatibility)
STORAGE_USE_SSLfalseUse HTTPS for storage
STORAGE_VERIFY_SSLfalseVerify SSL certificates
STORAGE_CACHE_ENABLEDtrueEnable storage response caching
STORAGE_CACHE_TTL60Cache TTL in seconds

Default (SeaweedFS)

STORAGE_BUCKET=aurora-storage
STORAGE_ENDPOINT_URL=http://seaweedfs-filer:8333
STORAGE_ACCESS_KEY=admin
STORAGE_SECRET_KEY=admin
STORAGE_REGION=us-east-1
STORAGE_USE_SSL=false

AWS S3

STORAGE_BUCKET=your-bucket-name
STORAGE_ENDPOINT_URL=https://s3.amazonaws.com
STORAGE_ACCESS_KEY=AKIAXXXXXXXXXXXXXXXX
STORAGE_SECRET_KEY=your-secret-key
STORAGE_REGION=us-east-1
STORAGE_USE_SSL=true
STORAGE_VERIFY_SSL=true

Cloudflare R2

STORAGE_BUCKET=your-bucket-name
STORAGE_ENDPOINT_URL=https://accountid.r2.cloudflarestorage.com
STORAGE_ACCESS_KEY=your-access-key
STORAGE_SECRET_KEY=your-secret-key
STORAGE_REGION=auto
STORAGE_USE_SSL=true

URLs & Networking

Service URLs for internal and external communication.

VariableDefaultDescription
FRONTEND_URLhttp://localhost:3000Public frontend URL
BACKEND_URLhttp://aurora-server:5080Internal backend URL (container-to-container)
NEXT_PUBLIC_BACKEND_URLhttp://localhost:5080Public backend URL (browser access)
NEXT_PUBLIC_WEBSOCKET_URLws://localhost:5006Public WebSocket URL
CHATBOT_INTERNAL_URLhttp://chatbot:5007Internal chatbot URL
FRONTEND_URL=http://localhost:3000
BACKEND_URL=http://aurora-server:5080
NEXT_PUBLIC_BACKEND_URL=http://localhost:5080
NEXT_PUBLIC_WEBSOCKET_URL=ws://localhost:5006
CHATBOT_INTERNAL_URL=http://chatbot:5007
Remote / VM Deployment

When deploying on a remote server or VM, set the NEXT_PUBLIC_* and FRONTEND_URL variables to the machine's IP or hostname:

FRONTEND_URL=http://YOUR_IP:3000
NEXT_PUBLIC_BACKEND_URL=http://YOUR_IP:5080
NEXT_PUBLIC_WEBSOCKET_URL=ws://YOUR_IP:5006

These values are injected at container startup (not baked at build time), so you do not need to rebuild images after changing them. Just recreate the frontend container:

docker compose -f docker-compose.prod-local.yml up -d frontend

Authentication & Security

VariableDefaultDescription
FLASK_SECRET_KEYrequiredFlask session secret (auto-generated by make init)
FLASK_PORT5080Flask server port
AUTH_SECRETrequiredAuth.js secret for session encryption
INTERNAL_API_SECRET(empty)Shared secret between Next.js and Flask. When set, Flask rejects requests without a valid X-Internal-Secret header. Auto-generated by make init.
AUTH_URL${FRONTEND_URL}Auth.js canonical URL (set automatically in docker-compose from FRONTEND_URL)
FLASK_SECRET_KEY=your-secure-64-char-secret
FLASK_PORT=5080
AUTH_SECRET=your-secure-64-char-secret
INTERNAL_API_SECRET=your-secure-64-char-secret
# AUTH_URL is set from FRONTEND_URL in docker-compose — no need to set manually

Vault (Secrets Management)

HashiCorp Vault configuration for storing user credentials.

VariableDefaultDescription
VAULT_ADDRhttp://vault:8200Vault server address
VAULT_TOKENrequiredVault authentication token
VAULT_KV_MOUNTauroraKV secrets engine mount path
VAULT_KV_BASE_PATHusersBase path for user secrets
VAULT_ADDR=http://vault:8200
VAULT_TOKEN=hvs.your-vault-token
VAULT_KV_MOUNT=aurora
VAULT_KV_BASE_PATH=users
Getting Vault Token

On first startup, get the root token from:

docker logs vault-init 2>&1 | grep "Root Token:"

LLM & AI Services

At least one LLM provider API key is required. See LLM Providers for detailed setup instructions.

VariableDefaultDescription
OPENROUTER_API_KEY-OpenRouter API key (recommended)
OPENAI_API_KEY-OpenAI API key
ANTHROPIC_API_KEY-Anthropic API key
GOOGLE_AI_API_KEY-Google AI API key
LLM_PROVIDER_MODEopenrouterProvider routing mode (see below)
AGENT_RECURSION_LIMIT240Max agent reasoning steps

LLM_PROVIDER_MODE

Controls how Aurora routes LLM requests. Three modes are available:

ModeDescriptionRequired key
openrouterAll requests go through OpenRouter. One key gives access to models from Anthropic, OpenAI, Google, and others.OPENROUTER_API_KEY
directRequests go directly to each provider's API based on the model prefix (e.g. anthropic/... → Anthropic API). No OpenRouter account needed, but you need a separate API key for each provider you use.Provider-specific key(s)
autoSame behaviour as direct.Provider-specific key(s)

openrouter is recommended for most deployments — a single key, broadest model selection, and no need to manage multiple provider accounts.

# Use one of these
OPENROUTER_API_KEY=sk-or-v1-your-key
OPENAI_API_KEY=sk-your-key
ANTHROPIC_API_KEY=sk-ant-your-key
GOOGLE_AI_API_KEY=your-key

LLM_PROVIDER_MODE=openrouter   # or: direct
AGENT_RECURSION_LIMIT=240

Vertex AI (Google Cloud)

VariableDefaultDescription
VERTEX_AI_PROJECT-Google Cloud project ID
VERTEX_AI_LOCATIONglobalVertex AI location
VERTEX_AI_SERVICE_ACCOUNT_JSON-Service account key JSON string
VERTEX_AI_PROJECT=my-gcp-project
VERTEX_AI_LOCATION=global
VERTEX_AI_SERVICE_ACCOUNT_JSON={"type":"service_account",...}

Ollama (Local Models)

VariableDefaultDescription
OLLAMA_BASE_URLhttp://host.docker.internal:11434Ollama server URL
OLLAMA_BASE_URL=http://host.docker.internal:11434
VariableDefaultDescription
SEARXNG_URLhttp://searxng:8080SearXNG internal URL
SEARXNG_SECRET-SearXNG secret key

AI Features

VariableDefaultDescription
RCA_MODEL-Model for background RCA (format: provider/model). Overrides RCA_OPTIMIZE_COSTS when set.
RCA_OPTIMIZE_COSTStrueOnly used when RCA_MODEL is not set. true = anthropic/claude-3-haiku, false = anthropic/claude-opus-4.5
GEMINI_DISABLE_THINKING-Disable Gemini thinking mode

AI Safety Guardrails

Three-layer safety: input rail + signature matcher + LLM safety judge. See Command Safety for details.

VariableDefaultDescription
GUARDRAILS_ENABLEDtrueMaster switch. When enabled (default), all three layers run and every LLM check fails closed on error. Set to false to disable all guardrails.
GUARDRAILS_LLM_MODEL(MAIN_MODEL)Model used by the safety judge and input rail. Same format and routing as MAIN_MODEL.
GUARDRAILS_SIGMA_ENABLEDtrueGates the vendored SigmaHQ rule corpus inside the signature matcher. Requires GUARDRAILS_ENABLED=true. Set to false to run only hand-written rules.

Cloud Providers

GCP (Google Cloud Platform)

VariableDescription
CLIENT_IDGCP OAuth Client ID
CLIENT_SECRETGCP OAuth Client Secret
CLIENT_ID=your-client-id.apps.googleusercontent.com
CLIENT_SECRET=your-client-secret

AWS (Amazon Web Services)

VariableDefaultDescription
AWS_ACCESS_KEY_ID-Aurora's AWS access key
AWS_SECRET_ACCESS_KEY-Aurora's AWS secret key
AWS_DEFAULT_REGIONus-east-1Default AWS region
AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX
AWS_SECRET_ACCESS_KEY=your-secret-key
AWS_DEFAULT_REGION=us-east-1
note

These are Aurora's own AWS credentials for STS AssumeRole calls, not end-user credentials.

Cloud Provider Cache

VariableDefaultDescription
AURORA_SETUP_CACHE_ENABLEDtrueCache cloud provider setup data
AURORA_SETUP_CACHE_TTL3600Cache TTL in seconds
AURORA_VERIFY_CLI_IDENTITYfalseVerify CLI identity
AURORA_CACHE_TOKEN_IN_REDISfalseCache tokens in Redis

Third-Party Integrations

GitHub

VariableDescription
GH_OAUTH_CLIENT_IDGitHub OAuth App Client ID
GH_OAUTH_CLIENT_SECRETGitHub OAuth App Client Secret
GH_OAUTH_CLIENT_ID=your-client-id
GH_OAUTH_CLIENT_SECRET=your-client-secret

Slack

VariableDescription
SLACK_CLIENT_IDSlack App Client ID
SLACK_CLIENT_SECRETSlack App Client Secret
SLACK_SIGNING_SECRETSlack App Signing Secret
SLACK_CLIENT_ID=your-client-id
SLACK_CLIENT_SECRET=your-client-secret
SLACK_SIGNING_SECRET=your-signing-secret

Google Chat

VariableDescription
GOOGLE_CHAT_CLIENT_IDOAuth client ID (used during setup to create the incidents space in the customer's workspace)
GOOGLE_CHAT_CLIENT_SECRETOAuth client secret
GOOGLE_CHAT_SERVICE_ACCOUNT_KEYJSON key for the Chat app service account (messages appear as "Aurora")
GOOGLE_CHAT_CLIENT_ID=your-client-id
GOOGLE_CHAT_CLIENT_SECRET=your-client-secret
GOOGLE_CHAT_SERVICE_ACCOUNT_KEY='{"type":"service_account",...}'

PagerDuty

VariableDefaultDescription
NEXT_PUBLIC_ENABLE_PAGERDUTY_OAUTHfalseEnable PagerDuty OAuth in UI
PAGERDUTY_CLIENT_ID-PagerDuty OAuth Client ID
PAGERDUTY_CLIENT_SECRET-PagerDuty OAuth Client Secret
NEXT_PUBLIC_ENABLE_PAGERDUTY_OAUTH=true
PAGERDUTY_CLIENT_ID=your-client-id
PAGERDUTY_CLIENT_SECRET=your-client-secret

OVH

VariableDefaultDescription
NEXT_PUBLIC_ENABLE_OVHfalseEnable OVH connector in UI
OVH_EU_CLIENT_ID-OVH EU region Client ID
OVH_EU_CLIENT_SECRET-OVH EU region Client Secret
OVH_CA_CLIENT_ID-OVH CA region Client ID
OVH_CA_CLIENT_SECRET-OVH CA region Client Secret
OVH_US_CLIENT_ID-OVH US region Client ID
OVH_US_CLIENT_SECRET-OVH US region Client Secret
NEXT_PUBLIC_ENABLE_OVH=true
OVH_EU_CLIENT_ID=your-eu-client-id
OVH_EU_CLIENT_SECRET=your-eu-client-secret

Scaleway

VariableDefaultDescription
NEXT_PUBLIC_ENABLE_SCALEWAYfalseEnable Scaleway connector in UI
NEXT_PUBLIC_ENABLE_SCALEWAY=true

No additional server-side credentials required. Users connect via API key through the UI.

Confluence

VariableDescription
CONFLUENCE_CLIENT_IDConfluence OAuth Client ID
CONFLUENCE_CLIENT_SECRETConfluence OAuth Client Secret
CONFLUENCE_CLIENT_ID=your-client-id
CONFLUENCE_CLIENT_SECRET=your-client-secret

SharePoint

VariableDefaultDescription
NEXT_PUBLIC_ENABLE_SHAREPOINTfalseEnable SharePoint connector in UI
SHAREPOINT_CLIENT_ID-Azure App Client ID
SHAREPOINT_CLIENT_SECRET-Azure App Client Secret
SHAREPOINT_TENANT_IDcommonAzure Tenant ID
NEXT_PUBLIC_ENABLE_SHAREPOINT=true
SHAREPOINT_CLIENT_ID=your-client-id
SHAREPOINT_CLIENT_SECRET=your-client-secret
SHAREPOINT_TENANT_ID=your-tenant-id

Email (SMTP)

VariableDefaultDescription
SMTP_HOST-SMTP server hostname
SMTP_PORT587SMTP server port
SMTP_USER-SMTP username
SMTP_PASSWORD-SMTP password
SMTP_FROM_EMAIL-From email address
SMTP_FROM_NAMEAuroraFrom display name
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=your-username
SMTP_PASSWORD=your-password
SMTP_FROM_EMAIL=aurora@example.com
SMTP_FROM_NAME=Aurora

Kubernetes & Pod Isolation

VariableDefaultDescription
ENABLE_POD_ISOLATIONfalseEnable Kubernetes pod isolation
TERMINAL_NAMESPACE-Namespace for terminal pods
TERMINAL_IMAGE-Container image for terminals
TERMINAL_POD_TTL-Pod time-to-live
TERMINAL_RUNTIME_CLASS-RuntimeClass for pods
CHATBOT_POD_TTL-Chatbot pod TTL
USE_UNTRUSTED_NODES-Allow untrusted nodes
NEXT_PUBLIC_KUBECTL_AGENT_CHART_URL-Helm chart URL for kubectl agent

Weaviate (Vector Database)

VariableDefaultDescription
WEAVIATE_HOSTweaviateWeaviate server host
WEAVIATE_PORT8080Weaviate HTTP port
WEAVIATE_GRPC_PORT50051Weaviate gRPC port
WEAVIATE_HOST=weaviate
WEAVIATE_PORT=8080
WEAVIATE_GRPC_PORT=50051

MCP Server

VariableDefaultDescription
MCP_PORT8811Port the MCP server listens on
BACKEND_URLhttp://aurora-server:5080Internal Aurora API URL (shared with other services)

The MCP server authenticates clients via Bearer tokens stored in the mcp_tokens database table. No additional environment variable is needed for token configuration -- see the MCP integration guide for details.

Rate Limiting

VariableDefaultDescription
RATE_LIMITING_ENABLEDfalseEnable rate limiting
RATE_LIMIT_BYPASS_TOKEN-Token to bypass rate limits
RATE_LIMIT_HEADERS_ENABLEDtrueInclude rate limit headers in responses
RATE_LIMITING_ENABLED=true
RATE_LIMIT_BYPASS_TOKEN=your-bypass-token
RATE_LIMIT_HEADERS_ENABLED=true

Development

VariableDefaultDescription
NGROK_URL-ngrok tunnel URL for local development

Environment File Locations

FilePurpose
.envYour local configuration (gitignored)
.env.exampleTemplate with all variables and documentation

Docker Compose Files

FilePurpose
docker-compose.yamlDevelopment stack
docker-compose.prod-local.ymlProduction-like testing and deployment
Keep Docker Compose Files in Sync

When adding new environment variables, update both Docker Compose files to ensure consistency.