Open Connector
Self-Hosting

Environment Variables

Purpose, requirement, and ownership for every server and browser build variable.

Open Connector validates server variables at startup and browser variables at build time. An empty value is treated as unset. Required server variables fail startup; VITE_* values are compiled into the browser bundle and therefore require a rebuild to change.

Never commit .env files or put secrets in a VITE_* variable. Use a secrets manager in production. In the AWS topology, secrets are in Secrets Manager and public configuration is in SSM Parameter Store.

Required server variables

VariablePurposeRequirement
DATABASE_URLPostgres connection string used by the API and migrations.Required
BETTER_AUTH_SECRETSigns and encrypts Better Auth session material. Generate a random value of at least 32 characters.Required
BETTER_AUTH_URLPublic API origin used by Better Auth links and as the default OAuth callback origin.Required URL
CORS_ORIGINAllowed console application origin for credentialed cross-origin requests.Required URL
CONNECTOR_ENCRYPTION_KEYMaster secret from which the credential-vault AES key is derived. Loss prevents recovery of stored credentials; rotate only through a re-encryption migration.Required, at least 32 characters
WEB_URLMarketing-site origin used in waitlist confirmation links.Required URL

Runtime controls and defaults

VariableDefaultPurpose
NODE_ENVdevelopmentSelects development, production, or test runtime behavior. Set production when deployed.
SIGNUP_ENABLEDtrueSet false to stop new account registration while preserving sign-in for existing users.
CONNECTOR_CALLBACK_BASE_URLBETTER_AUTH_URLOptional public callback origin when local API traffic and third-party OAuth callbacks use different origins.
OIDC_DISCOVERY_TTL_MS86400000Cache lifetime, in milliseconds, for OIDC discovery documents.
S3_REGIONus-east-1AWS region used by S3-compatible blob storage.
S3_FORCE_PATH_STYLEfalseUse path-style S3 URLs; set true for typical MinIO deployments.

OAuth application credentials

These pairs enable managed OAuth for the matching provider. They are optional: a provider can instead receive credentials through an auth configuration. Keep every *_SECRET in the secret store.

VariablesPurpose
GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRETGitHub OAuth application.
NOTION_CLIENT_ID, NOTION_CLIENT_SECRETNotion OAuth application.
SLACK_CLIENT_ID, SLACK_CLIENT_SECRETSlack OAuth application.
GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRETShared Google OAuth application for Google-backed connectors, including Gmail and YouTube.
TWITTER_CLIENT_ID, TWITTER_CLIENT_SECRETX/Twitter OAuth application.
LINKEDIN_CLIENT_ID, LINKEDIN_CLIENT_SECRETLinkedIn OAuth application.
REDDIT_CLIENT_ID, REDDIT_CLIENT_SECRETReddit OAuth application.
DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRETDiscord OAuth application.
FACEBOOK_CLIENT_ID, FACEBOOK_CLIENT_SECRETFacebook OAuth application.
LOGO_DEV_PUBLISHABLE_KEYOptional public Logo.dev pk_... key used only to construct provider-logo image URLs. It is intentionally publishable, not a secret.

Feature-gated server variables

The API starts without these values; the corresponding feature is disabled or returns an explicit configuration error.

VariablesPurpose
RESEND_API_KEY, EMAIL_FROMSend transactional email. Without the API key, development uses a log mailer that prints the link.
OTLP_ENDPOINT, OTLP_HEADERSExport logs and traces to an OTLP/HTTP collector. Headers are comma-separated key=value pairs, commonly an authorization header.
STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRETEnable hosted billing and verify Stripe webhooks. Self-hosted free-tier operation does not need them.
OPENROUTER_API_KEY, OPENROUTER_MODEL, DOCS_URLEnable the documentation site's Ask AI service, choose its model, and supply the docs origin used for CORS and grounding.
S3_ENDPOINT, S3_BUCKET, S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY, S3_PUBLIC_URLEnable S3-compatible blob storage. S3_BUCKET is the feature switch; omit the endpoint for AWS S3, and omit static keys when the instance role supplies credentials. S3_PUBLIC_URL rewrites presigned URLs for a client-visible host.
LICENSE_PUBLIC_KEY, LICENSE_KEYEnable offline verification of an EE license. Without either value, the instance runs the free AGPL tier. PEM values may be raw PEM locally or base64-encoded through the production secret pipeline.
LICENSE_SIGNING_KEYPrivate EE license issuer key for the hosted license-issuing service only. Do not set it in normal self-hosted installations.

Browser build variables

These values are public by design because Vite embeds them in browser assets. They are not API-server runtime variables.

VariablePurposeRequirement
VITE_SERVER_URLPublic API origin used by the console and browser telemetry.Required URL at build time
VITE_APP_URLPublic console origin used by marketing CTAs.Required URL at build time
VITE_GTM_IDOptional Google Tag Manager container identifier.Optional
VITE_MANAGED_OAUTH_PROVIDERSComma-separated provider slugs whose managed OAuth credentials are present; marketing uses it to label eligible catalog cards.Optional

Example local .env

DATABASE_URL=postgres://postgres:postgres@localhost:5432/open_connector
BETTER_AUTH_SECRET=replace-with-a-random-32-character-secret
BETTER_AUTH_URL=http://localhost:3000
CORS_ORIGIN=http://localhost:3001
CONNECTOR_ENCRYPTION_KEY=replace-with-a-separate-random-32-character-secret
WEB_URL=http://localhost:3002

Generate the two required secrets independently:

openssl rand -base64 48
openssl rand -base64 48

On this page