Skip to main content
Usertour uses environment variables to configure various application parameters. Here’s a detailed explanation of the environment variables:
Environment VariableRequiredDescription
Database Configuration
DATABASE_URLYesPostgreSQL database connection URL. Can be configured to use connection poolers like PgBouncer or Prisma Accelerate. This is the main connection URL used by your application. Both DATABASE_URL and DATABASE_DIRECT_URL must be configured.
DATABASE_DIRECT_URLYesDirect PostgreSQL database connection URL. Required when using connection poolers in DATABASE_URL. Used by Prisma CLI commands that need direct database access (like migrations, schema pushes, and introspection). Both DATABASE_URL and DATABASE_DIRECT_URL must be configured.
Server Configuration
NEST_SERVER_PORTNoNestJS server port, default is 3000
NODE_ENVYesNode.js environment
Email Service Configuration
EMAIL_HOSTYesEmail server address
EMAIL_PORTYesEmail server port
EMAIL_USERYesEmail service account
EMAIL_PASSYesEmail service password
Important: Email service configuration is required for user registration and member invitation features. Without proper email configuration, these features will not be available.
Redis Configuration
Redis_HOSTYesRedis server address
Redis_PORTYesRedis server port
Redis_PASSNoRedis server password
Application Configuration
APP_HOMEPAGE_URLYesApplication homepage URL
API_URLNoGraphQL API endpoint, default is /graphql
DOC_URLNoDocumentation URL for error responses, default is https://docs.usertour.com
USERTOUR_TOKENNoUsertour Environment token
AWS S3 Configuration
AWS_S3_REGIONYesAWS S3 region
AWS_S3_ENDPOINTYesAWS S3 endpoint
AWS_S3_ACCESS_KEY_IDYesAWS S3 access key ID
AWS_S3_SECRET_ACCESS_KEYYesAWS S3 secret access key
AWS_S3_BUCKETYesAWS S3 bucket name
AWS_S3_DOMAINYesAWS S3 domain
Analytics Configuration
POSTHOG_KEYNoPostHog API key
POSTHOG_HOSTNoPostHog host URL
OpenTelemetry Configuration
OTLP_TRACES_ENDPOINTNoOpenTelemetry traces endpoint URL for distributed tracing
OTLP_METRICS_ENDPOINTNoOpenTelemetry metrics endpoint URL for metrics collection
Encryption
ENCRYPTION_KEYYes (prod)64-character hex string (32 bytes) used as the AES-256-GCM key for encrypting sensitive data at rest (currently 2FA TOTP secrets). Generate with openssl rand -hex 32. If unset, the server falls back to a known-insecure development key and logs no warning — do not ship that to production. Once users have enrolled in 2FA, do not rotate this key: existing TOTP secrets won’t decrypt with a new value.
Authentication Configuration
JWT_SECRETYesJWT token secret key
JWT_EXPIRATION_TIMEYesJWT token expiration time (e.g. 1h)
JWT_REFRESH_EXPIRATION_TIMEYesJWT refresh token expiration time (e.g. 7d)
Email Authentication
EMAIL_AUTH_ENABLEDNoEnable/disable email authentication
EMAIL_SENDERNoEmail sender name and address
GitHub Authentication
GITHUB_AUTH_ENABLEDNoEnable/disable GitHub authentication
GITHUB_CLIENT_IDNoGitHub OAuth client ID
GITHUB_CLIENT_SECRETNoGitHub OAuth client secret
GITHUB_CALLBACK_URLNoGitHub OAuth callback URL. Optional — defaults to <API_URL>/api/auth/github/callback when unset.
Google Authentication
GOOGLE_AUTH_ENABLEDNoEnable/disable Google authentication
GOOGLE_CLIENT_IDNoGoogle OAuth client ID
GOOGLE_CLIENT_SECRETNoGoogle OAuth client secret
GOOGLE_CALLBACK_URLNoGoogle OAuth callback URL. Optional — defaults to <API_URL>/api/auth/google/callback when unset.
SSO (OIDC)
SSO_CALLBACK_URLNoOIDC redirect URI shown to admins and sent to the IdP. Optional — defaults to <API_URL>/api/auth/sso/callback when unset.
Other Configuration
LOGIN_REDIRECT_URLNoURL to redirect after login
USERTOUR_COOKIE_DOMAINNoDomain where cookies are valid and can be accessed
USERTOUR_COOKIE_SECURENoControls whether cookies can only be transmitted over HTTPS.
Outbound Security
ALLOW_PRIVATE_NETWORK_EGRESSNoWhen true, the server may make outbound requests — such as SSO issuer discovery — to private/internal addresses. Defaults to false: only public HTTPS targets are allowed, as an SSRF safeguard. Set to true if your identity provider is reachable only on an internal network (common for self-hosted IdPs such as Keycloak on localhost).
AI Provider (machine translation)
AI_PROVIDERNoWhich AI provider powers machine translation: anthropic (default), openai-compatible (any OpenAI-shaped gateway, e.g. the OpenAI API, Azure OpenAI, or a local gateway), or bedrock (AWS). The feature is enabled by providing the provider’s requirement below — no key/config means the AI translate buttons simply don’t appear.
AI_API_KEYNoAPI key for the provider. Required for anthropic; optional for openai-compatible (keyless gateways work); for bedrock it is treated as a Bedrock API key (Bearer auth).
AI_MODELNoModel identifier, in the provider’s own naming. Defaults to claude-opus-4-8. For bedrock, use a Bedrock model or inference-profile ID (e.g. us.anthropic.claude-sonnet-4-6).
AI_BASE_URLNoBase URL of the API. Required for openai-compatible (e.g. https://api.openai.com/v1); optional override for anthropic.
AI_AWS_REGIONNobedrock only. AWS region; falls back to AWS_REGION when unset.
AI_AWS_ACCESS_KEY_IDNobedrock only. Explicit SigV4 credentials. When neither this pair nor AI_API_KEY is set, the AWS default credential chain is used (env vars, profile, instance role) — so deployments on AWS can run keyless.
AI_AWS_SECRET_ACCESS_KEYNobedrock only. Secret half of the SigV4 key pair.

Important Notes

  • For local development, APP_HOMEPAGE_URL can be set to http://[ip]:[port]
  • For production environments, make sure to modify the default security-related configurations (such as JWT secrets)
  • DATABASE_URL includes the database connection parameters with SSL mode preference
  • Both DATABASE_URL and DATABASE_DIRECT_URL must be configured, regardless of whether you’re using connection poolers or not
  • When using connection poolers (like PgBouncer) in production, make sure to:
    • Configure DATABASE_URL to use the connection pooler
    • Set DATABASE_DIRECT_URL to point directly to your PostgreSQL database
    • Ensure both URLs have proper SSL configuration for production use
  • The DATABASE_DIRECT_URL is essential for Prisma CLI operations and should always be configured when using connection poolers
  • Email service configuration is required for user registration and member invitation features. Without proper email configuration, these features will not be available

Configuration Example (.env)

Create a .env file in the project root directory. You can refer to the following example:
Note: Do not use these example values directly. Configure them according to your actual environment. Make sure to use secure keys and passwords in production environments.