Environment Variables
All configuration is provided via environment variables. Copy .env.example to .env and fill in the values described below. Variables marked Required must be set or the API will refuse to start.
Generate cryptographic secrets with: openssl rand -hex 32 (produces 64 hex chars — suitable for JWT_SECRET and ENCRYPTION_KEY).
Core
These variables are required for the API to start in any environment.
| Variable | Required | Description | Example |
|---|---|---|---|
| JWT_SECRET | Required | HMAC secret used to sign and verify JWT access tokens. Must be at least 32 characters. Rotate with care — existing sessions will be invalidated. | a3f8c2d1e9b047...(64 hex chars) |
| ENCRYPTION_KEY | Optional | 64 lowercase hex characters (32 bytes). Used for AES-256-GCM encryption of secrets at rest (LLM API keys, webhook secrets). Strongly recommended for production. | 4a7d1ed414474e4033ac29ccb8653d9... |
| DATABASE_URL | Optional | PostgreSQL connection URL. Defaults to the local dev database. Must be set in production. | postgresql://nestfleet:s3cr3t@localhost:5432/nestfleet |
| PORT | Optional | Port the Hono API server listens on. Defaults to 3000. | 3000 |
| NODE_ENV | Optional | Runtime environment. One of: development, test, production. Controls logging verbosity and error exposure. | production |
LLM
NestFleet uses your own LLM API key. The provider and model can also be overridden per-product from the Settings UI — these env vars act as the system-wide default.
| Variable | Required | Description | Example |
|---|---|---|---|
| LLM_PROVIDER | Optional | Default LLM provider. One of: openai, anthropic, ollama, google. Defaults to anthropic. | anthropic |
| LLM_API_KEY | Optional | API key for the selected LLM provider. Not required when using Ollama (local). | sk-ant-api03-... |
| LLM_MODEL | Optional | Default model name. Used for standard-complexity tasks (auto-reply, knowledge capture). Defaults to claude-sonnet-4-6. | claude-sonnet-4-6 |
| LLM_MODEL_FAST | Optional | Model for fast, low-cost tasks: triage, known-issue matching, outage routing. Defaults to LLM_MODEL when not set. | claude-haiku-3-5 |
| LLM_MODEL_COMPLEX | Optional | Model for complex tasks: change preparation, PR draft generation. Defaults to LLM_MODEL when not set. | claude-opus-4-5 |
| LLM_BASE_URL | Optional | Custom base URL for the LLM API. Useful for Ollama or compatible proxies. | http://localhost:11434 |
Embeddings
The embedding model powers vector search for known-issue matching and knowledge base retrieval. The embedding provider can differ from the chat LLM provider.
| Variable | Required | Description | Example |
|---|---|---|---|
| EMBEDDING_PROVIDER | Optional | Provider for text embeddings. One of: openai, ollama. Defaults to openai. | openai |
| EMBEDDING_API_KEY | Optional | API key for the embedding provider. Defaults to LLM_API_KEY when not set and provider is openai. | sk-... |
| EMBEDDING_MODEL | Optional | Embedding model name. Defaults to text-embedding-3-small. | text-embedding-3-small |
| EMBEDDING_DIMENSIONS | Optional | Vector dimensions. Must match the model output. Range: 64–3072. Defaults to 768. | 768 |
| EMBEDDING_BASE_URL | Optional | Custom base URL for the embedding API. Required when using Ollama for embeddings. | http://localhost:11434 |
Features
| Variable | Required | Description | Example |
|---|---|---|---|
| REGISTRATION_ENABLED | Optional | When true, POST /api/v1/auth/register is open to the public. Disable after creating the first admin on self-hosted installs. Defaults to false. | false |
| BILLING_ENABLED | Optional | Enables the Stripe billing module. Set to true only after configuring Stripe keys. Defaults to false. | false |
| BCRYPT_ROUNDS | Optional | bcrypt work factor for password hashing. Range: 10–14. Higher is slower but more secure. Defaults to 12. | 12 |
| TELEMETRY_ENABLED | Optional | Opt-in anonymous usage telemetry sent to NestFleet. Defaults to false. | false |
GitHub
Required to receive GitHub webhooks and create pull requests as part of change requests. See the GitHub App Setup guide for how to obtain these values.
| Variable | Required | Description | Example |
|---|---|---|---|
| GITHUB_APP_ID | Optional | Numeric App ID from GitHub App settings. Required for GitHub integration. | 12345678 |
| GITHUB_APP_PRIVATE_KEY | Optional | PEM-encoded private key for the GitHub App. Newlines must be escaped as \n in the env var. | -----BEGIN RSA PRIVATE KEY-----\nMIIE... |
| GITHUB_WEBHOOK_SECRET | Optional | Secret used to verify HMAC signatures on incoming GitHub webhook payloads. | whsec_abc123... |
| GITHUB_TOKEN | Optional | Personal access token for GitHub API calls (fallback when GitHub App auth is not configured). | ghp_... |
Email
Set exactly one email backend. Use either SMTP_HOST for generic SMTP, POSTMARK_API_KEY for Postmark, or RESEND_API_KEY for Resend.
| Variable | Required | Description | Example |
|---|---|---|---|
| SMTP_HOST | Optional | SMTP server hostname. When set, SMTP is used as the email backend. | smtp.mailgun.org |
| SMTP_PORT | Optional | SMTP server port. Typically 587 (STARTTLS) or 465 (SSL). | 587 |
| SMTP_USER | Optional | SMTP authentication username. | [email protected] |
| SMTP_PASS | Optional | SMTP authentication password. | s3cr3tpassword |
| SMTP_FROM | Optional | From address used for outbound email. Must be a valid email address. | [email protected] |
| POSTMARK_API_KEY | Optional | Postmark server API token. Mutually exclusive with SMTP_HOST and RESEND_API_KEY. | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| RESEND_API_KEY | Optional | Resend API key. Mutually exclusive with SMTP_HOST and POSTMARK_API_KEY. | re_123abc... |
Messaging
| Variable | Required | Description | Example |
|---|---|---|---|
| TELEGRAM_BOT_TOKEN | Optional | Telegram bot token from @BotFather. Required to receive Telegram messages and send alert notifications. | 7123456789:AAF... |
| SLACK_BOT_TOKEN | Optional | Slack bot OAuth token (xoxb-...). Required for Slack integration. | xoxb-1234-56789-abcdef |
| SLACK_WEBHOOK_URL | Optional | Slack Incoming Webhook URL for posting alert notifications to a channel. | https://hooks.slack.com/services/T.../B.../... |
| SLACK_DEFAULT_CHANNEL | Optional | Default Slack channel ID for sending alerts when no product-level channel is configured. | C01234ABCDE |
Production
These variables are only relevant for production deployments (Docker Compose or bare metal).
| Variable | Required | Description | Example |
|---|---|---|---|
| NESTFLEET_DOMAIN | Optional | The public domain name of your NestFleet instance. Used by Caddy for TLS certificate provisioning and by the API to construct absolute URLs. | nestfleet.example.com |
| POSTGRES_PASSWORD | Optional | Password for the PostgreSQL superuser in the Docker Compose stack. Must match the password in DATABASE_URL. | s3cur3-db-password |
| CONSOLE_ORIGIN | Optional | Full URL of the Next.js console. Used by the API to set CORS allowed origins. Example: https://nestfleet.example.com. | https://nestfleet.example.com |
| NESTFLEET_LICENSE_KEY | Optional | License key for Scale-tier features (format: nf_lic_ followed by 32 hex chars). Not required for Community tier. | nf_lic_a1b2c3d4e5f6... |
Observability
| Variable | Required | Description | Example |
|---|---|---|---|
| SENTRY_DSN | Optional | Sentry DSN for error monitoring. When set, uncaught exceptions are reported to Sentry. Get your DSN at sentry.io → Project Settings → Client Keys. | https://[email protected]/0 |
| LOG_LEVEL | Optional | Minimum log level. One of: trace, debug, info, warn, error. Case-insensitive. Defaults to info. | info |
| OTEL_EXPORTER_OTLP_ENDPOINT | Optional | OpenTelemetry OTLP endpoint for traces and metrics (e.g. Grafana Cloud, Honeycomb). | https://otlp.example.com:4318 |
| OTEL_SERVICE_NAME | Optional | Service name reported in OpenTelemetry traces. Defaults to nestfleet. | nestfleet |
Stripe (Billing)
Only required when BILLING_ENABLED=true. Self-hosted Community tier installations do not need these.
| Variable | Required | Description | Example |
|---|---|---|---|
| STRIPE_SECRET_KEY | Optional | Stripe secret key for the server-side API. | sk_live_... |
| STRIPE_WEBHOOK_SECRET | Optional | Stripe webhook signing secret for verifying webhook payloads. | whsec_... |
| STRIPE_PRICE_STARTER_MONTHLY | Optional | Stripe Price ID for the Starter plan (monthly billing). | price_1Abc... |
| STRIPE_PRICE_STARTER_ANNUAL | Optional | Stripe Price ID for the Starter plan (annual billing). | price_1Def... |
| STRIPE_PRICE_GROWTH_MONTHLY | Optional | Stripe Price ID for the Growth plan (monthly billing). | price_1Ghi... |
| STRIPE_PRICE_GROWTH_ANNUAL | Optional | Stripe Price ID for the Growth plan (annual billing). | price_1Jkl... |
Never commit .env to version control. The repository includes .env in .gitignore. If you accidentally commit secrets, rotate them immediately: git history is public, and the committed values remain in it after the file is deleted.
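The length, format, range and mutual-exclusion rules in the tables above can be checked before the API is started. This is an added example, not NestFleet code: checkEnv and its message texts are hypothetical names, and the sample values are constructed.

```javascript
// Added example; checkEnv and its messages are hypothetical names, not NestFleet code.
const oneOf = (...allowed) => (v) => allowed.includes(v);
const intIn = (lo, hi) => (v) => /^\d+$/.test(v) && Number(v) >= lo && Number(v) <= hi;

// Format rules from the tables on this page, applied only when the variable is set.
const RULES = {
  JWT_SECRET: [(v) => v.length >= 32, 'must be at least 32 characters'],
  ENCRYPTION_KEY: [(v) => /^[0-9a-f]{64}$/.test(v), 'must be 64 lowercase hex characters'],
  NODE_ENV: [oneOf('development', 'test', 'production'), 'must be development, test or production'],
  LLM_PROVIDER: [oneOf('openai', 'anthropic', 'ollama', 'google'), 'unknown provider'],
  EMBEDDING_PROVIDER: [oneOf('openai', 'ollama'), 'unknown provider'],
  EMBEDDING_DIMENSIONS: [intIn(64, 3072), 'must be an integer in 64-3072'],
  BCRYPT_ROUNDS: [intIn(10, 14), 'must be an integer in 10-14'],
  LOG_LEVEL: [(v) => oneOf('trace', 'debug', 'info', 'warn', 'error')(v.toLowerCase()), 'unknown level'],
  NESTFLEET_LICENSE_KEY: [(v) => /^nf_lic_[0-9a-f]{32}$/i.test(v), 'must be nf_lic_ plus 32 hex characters'],
};

function checkEnv(env) {
  const problems = [];
  const isSet = (name) => typeof env[name] === 'string' && env[name] !== '';
  const need = (name, why) => { if (!isSet(name)) problems.push(`${name}: required ${why}`); };
  need('JWT_SECRET', 'in every environment');
  for (const [name, [ok, msg]] of Object.entries(RULES)) {
    if (isSet(name) && !ok(env[name])) problems.push(`${name}: ${msg}`);
  }
  if (env.NODE_ENV === 'production') {
    need('DATABASE_URL', 'in production');
    if (!isSet('ENCRYPTION_KEY')) problems.push('ENCRYPTION_KEY: strongly recommended in production');
    if (env.REGISTRATION_ENABLED === 'true') problems.push('REGISTRATION_ENABLED: public registration is open');
  }
  if (env.BILLING_ENABLED === 'true') {
    // Only the two Stripe secrets are checked here; the price IDs follow the same rule.
    need('STRIPE_SECRET_KEY', 'when BILLING_ENABLED=true');
    need('STRIPE_WEBHOOK_SECRET', 'when BILLING_ENABLED=true');
  }
  // The three email backends are mutually exclusive.
  const backends = ['SMTP_HOST', 'POSTMARK_API_KEY', 'RESEND_API_KEY'].filter(isSet);
  if (backends.length > 1) problems.push(`email: ${backends.join(', ')} are mutually exclusive`);
  return problems;
}

// Constructed sample values, not real secrets: six rule violations in one env.
const sample = {
  NODE_ENV: 'production', JWT_SECRET: 'short-secret',
  ENCRYPTION_KEY: 'A'.repeat(64), BCRYPT_ROUNDS: '8',
  SMTP_HOST: 'smtp.example.com', RESEND_API_KEY: 're_constructed',
  BILLING_ENABLED: 'true', STRIPE_SECRET_KEY: 'sk_test_constructed',
};
console.log(checkEnv(sample).join('\n'));
```

In a deploy script, pass process.env to checkEnv and stop the rollout when the returned list is not empty.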