Environment Variables

All configuration is done through environment variables, defined in your .env.prod file. This page documents every variable.

Database

| Variable | Default | Required | Description |
|---|---|---|---|
| POSTGRES_USER | breeze | | PostgreSQL username |
| POSTGRES_PASSWORD | | Yes | PostgreSQL password |
| POSTGRES_DB | breeze | | Database name |
| POSTGRES_PORT | 5432 | | PostgreSQL port |
| DATABASE_URL | | Auto | Full connection string (constructed from above in Docker) |

Redis

| Variable | Default | Required | Description |
|---|---|---|---|
| REDIS_URL | redis://localhost:6379 | | Redis connection URL |
| REDIS_PORT | 6379 | | Redis port |

Authentication & Security

| Variable | Default | Required | Description |
|---|---|---|---|
| JWT_SECRET | | Yes | JWT signing key (min 32 chars). Generate: `openssl rand -base64 64` |
| JWT_EXPIRES_IN | 15m | | Access token lifetime |
| REFRESH_TOKEN_EXPIRES_IN | 7d | | Refresh token lifetime |
| AGENT_ENROLLMENT_SECRET | | Yes | Shared secret for agent enrollment. Generate: `openssl rand -hex 32` |
| APP_ENCRYPTION_KEY | | Yes | AES encryption key for sensitive data at rest |
| MFA_ENCRYPTION_KEY | | Yes | Encryption key for MFA secrets |
| ENROLLMENT_KEY_PEPPER | | Yes | HMAC pepper for enrollment key hashing |
| MFA_RECOVERY_CODE_PEPPER | | Yes | HMAC pepper for recovery code hashing |
| ENROLLMENT_KEY_DEFAULT_TTL_MINUTES | 60 | | Default enrollment key expiry |
| SESSION_SECRET | | Yes | Express session signing secret |
| SESSION_MAX_AGE | 86400000 | | Session max age in ms (24h) |

Server

| Variable | Default | Required | Description |
|---|---|---|---|
| NODE_ENV | production | | Environment mode |
| API_PORT | 3001 | | API server port |
| WEB_PORT | 4321 | | Web dashboard port |
| PUBLIC_API_URL | | Yes | Full public API URL (e.g., https://breeze.example.com/api/v1) |
| BREEZE_DOMAIN | | Yes (prod) | Domain for Caddy TLS provisioning |
| ACME_EMAIL | | Yes (prod) | Email for Let’s Encrypt certificate notifications |
| CORS_ALLOWED_ORIGINS | | | Comma-separated allowed CORS origins |
| TRUST_PROXY_HEADERS | false | | Set true when behind a reverse proxy |
| DASHBOARD_URL | | | URL for links in emails |
| PUBLIC_APP_URL | | | Public-facing app URL |

Email

| Variable | Default | Description |
|---|---|---|
| EMAIL_PROVIDER | auto | Provider: auto, resend, smtp, or mailgun |
| RESEND_API_KEY | | Resend API key |
| EMAIL_FROM | [email protected] | Sender address |
| SMTP_HOST | | SMTP server hostname |
| SMTP_PORT | 587 | SMTP port |
| SMTP_USER | | SMTP username |
| SMTP_PASS | | SMTP password |
| SMTP_SECURE | false | Use TLS for SMTP |
| MAILGUN_API_KEY | | Mailgun API key |
| MAILGUN_DOMAIN | | Mailgun sending domain |

Object Storage

| Variable | Default | Description |
|---|---|---|
| S3_ENDPOINT | http://localhost:9000 | S3-compatible endpoint (MinIO, R2, AWS) |
| S3_ACCESS_KEY | minioadmin | Access key |
| S3_SECRET_KEY | minioadmin | Secret key |
| S3_BUCKET | breeze | Bucket name |
| S3_REGION | us-east-1 | Bucket region |

WebRTC / TURN

| Variable | Default | Description |
|---|---|---|
| TURN_HOST | localhost | TURN server hostname |
| TURN_PORT | 3478 | TURN listening port |
| TURN_SECRET | | TURN shared secret |
| TURN_REALM | breeze.local | TURN realm |

Monitoring

| Variable | Default | Description |
|---|---|---|
| METRICS_SCRAPE_TOKEN | | Bearer token for /metrics/scrape |
| METRICS_INCLUDE_ORG_ID | false | Include org IDs in Prometheus labels |
| METRICS_SCRAPE_IP_ALLOWLIST | | Restrict metrics scraping by IP |
| LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
| LOG_JSON | false | Structured JSON logging |
| GRAFANA_ADMIN_PASSWORD | | Grafana admin password |

Rate Limiting

| Variable | Default | Description |
|---|---|---|
| RATE_LIMIT_WINDOW_MS | 60000 | Sliding window duration (ms) |
| RATE_LIMIT_MAX_REQUESTS | 100 | Max requests per window |

File Transfer

| Variable | Default | Description |
|---|---|---|
| TRANSFER_STORAGE_PATH | ./data/transfers | File transfer storage directory |
| MAX_TRANSFER_SIZE_MB | 100 | Max file transfer size |
| MAX_ACTIVE_TRANSFERS_PER_ORG | 20 | Concurrent transfer limit per org |
| MAX_ACTIVE_TRANSFERS_PER_USER | 10 | Concurrent transfer limit per user |

Feature Flags

| Variable | Default | Description |
|---|---|---|
| ENABLE_REGISTRATION | true | Allow new user registration |
| ENABLE_2FA | true | Enable two-factor authentication |
| ENABLE_API_DOCS | false | Enable Swagger API documentation |
| USE_AGENT_SDK | | Use Claude Agent SDK for AI chat |

Cloudflare mTLS

| Variable | Default | Description |
|---|---|---|
| CLOUDFLARE_API_TOKEN | | Cloudflare API token with Client Certificates permission |
| CLOUDFLARE_ZONE_ID | | Cloudflare zone ID for your domain |

AI

| Variable | Default | Description |
|---|---|---|
| ANTHROPIC_API_KEY | | Anthropic API key for AI assistant (BYOK) |
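
A pre-deployment audit of .env.prod contents against the tables on this page, as an added example (not the project's own code): it flags required variables that are missing, a JWT_SECRET under the documented 32-character minimum, and S3 keys left at the documented minioadmin default. The function names, the simple KEY=VALUE parser, the sample values and the secret-reuse check are assumptions added for illustration; the reuse check is a hardening step, not a documented requirement.

```javascript
// Added example, not project code. Names marked "Yes" in the Required columns.
const REQUIRED = ['POSTGRES_PASSWORD', 'JWT_SECRET', 'AGENT_ENROLLMENT_SECRET',
  'APP_ENCRYPTION_KEY', 'MFA_ENCRYPTION_KEY', 'ENROLLMENT_KEY_PEPPER',
  'MFA_RECOVERY_CODE_PEPPER', 'SESSION_SECRET', 'PUBLIC_API_URL'];
const REQUIRED_PROD = ['BREEZE_DOMAIN', 'ACME_EMAIL']; // "Yes (prod)" in the Server table
const KNOWN_DEFAULTS = { S3_ACCESS_KEY: 'minioadmin', S3_SECRET_KEY: 'minioadmin' };

// Minimal KEY=VALUE parser (assumption: no multi-line values, no variable expansion).
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (!line || line.startsWith('#') || eq < 1) continue;
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

function auditEnv(env) {
  const findings = [];
  const prod = (env.NODE_ENV || 'production') === 'production'; // documented default
  for (const name of prod ? [...REQUIRED, ...REQUIRED_PROD] : REQUIRED)
    if (!env[name]) findings.push(`${name}: required but missing or empty`);
  if (env.JWT_SECRET && env.JWT_SECRET.length < 32)
    findings.push('JWT_SECRET: shorter than the documented 32-character minimum');
  for (const [name, dflt] of Object.entries(KNOWN_DEFAULTS))
    if (prod && (env[name] ?? dflt) === dflt) findings.push(`${name}: documented default in use`);
  // Each secret has its own purpose; reusing one value couples their compromise.
  const owner = new Map();
  for (const name of REQUIRED.slice(0, 8)) { // every required secret, not PUBLIC_API_URL
    const v = env[name];
    if (v && owner.has(v)) findings.push(`${name}: same value as ${owner.get(v)}`);
    else if (v) owner.set(v, name);
  }
  return findings;
}

// Constructed sample input; every value is a placeholder, not a real secret.
const SAMPLE_ENV = [
  'POSTGRES_PASSWORD=placeholder-db-password', 'JWT_SECRET="too-short"',
  'AGENT_ENROLLMENT_SECRET=placeholder-enrollment-secret',
  'APP_ENCRYPTION_KEY=placeholder-shared-key', 'MFA_ENCRYPTION_KEY=placeholder-shared-key',
  'ENROLLMENT_KEY_PEPPER=placeholder-pepper-one', 'MFA_RECOVERY_CODE_PEPPER=placeholder-pepper-two',
  'PUBLIC_API_URL=https://breeze.example.com/api/v1', 'BREEZE_DOMAIN=breeze.example.com',
  'S3_ACCESS_KEY=placeholder-access-key', 'S3_SECRET_KEY=minioadmin',
].join('\n');
console.log(auditEnv(parseEnv(SAMPLE_ENV)).join('\n'));
```

To audit a real file, pass its contents to `parseEnv` and fail the deployment when `auditEnv` returns any findings.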