Environment Variables
Purpose, requirement, and ownership for every server and browser build variable.
Open Connector validates server variables at startup and browser variables at build time. An empty value is treated as unset. Required server variables fail startup; VITE_* values are compiled into the browser bundle and therefore require a rebuild to change.
Never commit .env files or put secrets in a VITE_* variable. Use a secrets manager in production. In the AWS topology, secrets are in Secrets Manager and public configuration is in SSM Parameter Store.
Required server variables
| Variable | Purpose | Requirement |
|---|---|---|
DATABASE_URL | Postgres connection string used by the API and migrations. | Required |
BETTER_AUTH_SECRET | Signs and encrypts Better Auth session material. Generate a random value of at least 32 characters. | Required |
BETTER_AUTH_URL | Public API origin used by Better Auth links and as the default OAuth callback origin. | Required URL |
CORS_ORIGIN | Allowed console application origin for credentialed cross-origin requests. | Required URL |
CONNECTOR_ENCRYPTION_KEY | Master secret from which the credential-vault AES key is derived. Loss prevents recovery of stored credentials; rotate only through a re-encryption migration. | Required, at least 32 characters |
WEB_URL | Marketing-site origin used in waitlist confirmation links. | Required URL |
Runtime controls and defaults
| Variable | Default | Purpose |
|---|---|---|
NODE_ENV | development | Selects development, production, or test runtime behavior. Set production when deployed. |
SIGNUP_ENABLED | true | Set false to stop new account registration while preserving sign-in for existing users. |
CONNECTOR_CALLBACK_BASE_URL | BETTER_AUTH_URL | Optional public callback origin when local API traffic and third-party OAuth callbacks use different origins. |
OIDC_DISCOVERY_TTL_MS | 86400000 | Cache lifetime, in milliseconds, for OIDC discovery documents. |
S3_REGION | us-east-1 | AWS region used by S3-compatible blob storage. |
S3_FORCE_PATH_STYLE | false | Use path-style S3 URLs; set true for typical MinIO deployments. |
OAuth application credentials
These pairs enable managed OAuth for the matching provider. They are optional: a provider can instead receive credentials through an auth configuration. Keep every *_SECRET in the secret store.
| Variables | Purpose |
|---|---|
GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET | GitHub OAuth application. |
NOTION_CLIENT_ID, NOTION_CLIENT_SECRET | Notion OAuth application. |
SLACK_CLIENT_ID, SLACK_CLIENT_SECRET | Slack OAuth application. |
GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET | Shared Google OAuth application for Google-backed connectors, including Gmail and YouTube. |
TWITTER_CLIENT_ID, TWITTER_CLIENT_SECRET | X/Twitter OAuth application. |
LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRET | LinkedIn OAuth application. |
REDDIT_CLIENT_ID, REDDIT_CLIENT_SECRET | Reddit OAuth application. |
DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET | Discord OAuth application. |
FACEBOOK_CLIENT_ID, FACEBOOK_CLIENT_SECRET | Facebook OAuth application. |
LOGO_DEV_PUBLISHABLE_KEY | Optional public Logo.dev pk_... key used only to construct provider-logo image URLs. It is intentionally publishable, not a secret. |
Feature-gated server variables
The API starts without these values; the corresponding feature is disabled or returns an explicit configuration error.
| Variables | Purpose |
|---|---|
RESEND_API_KEY, EMAIL_FROM | Send transactional email. Without the API key, development uses a log mailer that prints the link. |
OTLP_ENDPOINT, OTLP_HEADERS | Export logs and traces to an OTLP/HTTP collector. Headers are comma-separated key=value pairs, commonly an authorization header. |
STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET | Enable hosted billing and verify Stripe webhooks. Self-hosted free-tier operation does not need them. |
OPENROUTER_API_KEY, OPENROUTER_MODEL, DOCS_URL | Enable the documentation site's Ask AI service, choose its model, and supply the docs origin used for CORS and grounding. |
S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY, S3_PUBLIC_URL | Enable S3-compatible blob storage. S3_BUCKET is the feature switch; omit the endpoint for AWS S3, and omit static keys when the instance role supplies credentials. S3_PUBLIC_URL rewrites presigned URLs for a client-visible host. |
LICENSE_PUBLIC_KEY, LICENSE_KEY | Enable offline verification of an EE license. Without either value, the instance runs the free AGPL tier. PEM values may be raw PEM locally or base64-encoded through the production secret pipeline. |
LICENSE_SIGNING_KEY | Private EE license issuer key for the hosted license-issuing service only. Do not set it in normal self-hosted installations. |
Browser build variables
These values are public by design because Vite embeds them in browser assets. They are not API-server runtime variables.
| Variable | Purpose | Requirement |
|---|---|---|
VITE_SERVER_URL | Public API origin used by the console and browser telemetry. | Required URL at build time |
VITE_APP_URL | Public console origin used by marketing CTAs. | Required URL at build time |
VITE_GTM_ID | Optional Google Tag Manager container identifier. | Optional |
VITE_MANAGED_OAUTH_PROVIDERS | Comma-separated provider slugs whose managed OAuth credentials are present; marketing uses it to label eligible catalog cards. | Optional |
Example local .env
DATABASE_URL=postgres://postgres:postgres@localhost:5432/open_connector
BETTER_AUTH_SECRET=replace-with-a-random-32-character-secret
BETTER_AUTH_URL=http://localhost:3000
CORS_ORIGIN=http://localhost:3001
CONNECTOR_ENCRYPTION_KEY=replace-with-a-separate-random-32-character-secret
WEB_URL=http://localhost:3002Generate the two required secrets independently:
openssl rand -base64 48
openssl rand -base64 48