Environment Variables

Complete reference for all host environment variables.

Host runtime

Variable	Default	Effect
PORT	3000	Host listen port
RPC_AUTH_TOKEN	—	Enables static-token auth mode
DFS_VALIDATE_ACCESS_TOKEN	false	Enables DFS JWT verification mode when DFS config exists
DIPS_TRUST_CLUSTER_AUTH	false	Enables trusted-cluster mode
TRUST_CLUSTER_REQUIRE_INGRESS_HEADER	true	Require trusted ingress marker header
TRUST_CLUSTER_INGRESS_HEADER	x-ingress-authenticated	Ingress assertion header name
TRUST_CLUSTER_INGRESS_VALUE	1	Expected ingress assertion value
ADMIN_AUTH_TOKEN	—	Dedicated admin bearer token
ALLOW_UNAUTHENTICATED_ADMIN	false	Bypasses admin auth (blocked in prod by config validation)
TRUST_PROXY_HEADERS	false	Makes rate limiter trust forwarded IP headers
FALLBACK_CACHE_ENABLED	true	Enables in-memory fallback HTML cache for feature shell responses
FALLBACK_CACHE_MAX_ENTRIES	100	Max fallback cache entries

API proxy

Variable	Default	Effect
API_PROXY_BASE_URL	—	Required to enable /api/* proxy
API_PROXY_TIMEOUT_MS	15000	Upstream timeout
API_PROXY_FORWARD_IDENTITY_TICKET	true	Optional plugin hint for ticket forwarding semantics
API_PROXY_FORWARD_DIPS_TICKET	API_PROXY_FORWARD_IDENTITY_TICKET	Legacy alias for identity-ticket forwarding flag
API_PROXY_STRICT_IDENTITY_ENRICHMENT	false	Fail closed on enrichment failure
API_PROXY_ALLOWED_PATHS	—	Comma-separated path prefix allowlist
CIRCUIT_BREAKER_FAILURE_THRESHOLD	5	Open breaker after N failures
CIRCUIT_BREAKER_RESET_TIMEOUT_MS	30000	Open to half-open cooldown

RPC hardening

Variable	Default	Effect
RPC_MAX_BODY_BYTES	1048576	Body size limit
RPC_MAX_EXECUTION_MS	30000	Execution timeout (local and proxy)
RATE_LIMIT_RPC_MAX	100	RPC requests per window per IP
RATE_LIMIT_RPC_WINDOW_MS	60000	RPC window size
RATE_LIMIT_API_MAX	200	API requests per window per IP
RATE_LIMIT_API_WINDOW_MS	60000	API window size

Discovery and refresh

Variable	Default	Effect
HOT_REFRESH_WATCH	false	Filesystem watcher on artifacts dir
HOT_REFRESH_DEBOUNCE_MS	2000	Watcher debounce
FEATURE_REMOTE_INDEX_URL	—	Enables remote CDN discovery
FEATURE_REMOTE_TIMEOUT_MS	10000	Remote fetch timeout
FEATURE_REMOTE_POLL_MS	30000 if remote index set, else 0	Periodic remote refresh interval

Release control (Admin UI)

Variable	Default	Effect
RELEASE_CONTROL_URL	—	External release-control API endpoint used by Admin UI actions
RELEASE_CONTROL_AUTH_TOKEN	—	Bearer token for RELEASE_CONTROL_URL calls
RELEASE_CONTROL_TIMEOUT_MS	15000	Timeout for external release-control calls
ADMIN_ENABLE_LOCAL_RELEASE_CONTROL	false	Allows host Admin UI to run local workflow command fallback
RELEASE_CONTROL_LOCAL_TIMEOUT_MS	180000	Timeout for local release-control command fallback
RELEASE_CONTROL_LOCAL_SKIP_VERIFY	false	Skip post-upload verification in local release-control mode

Signing and trust

Variable	Default	Effect
FEATURE_ALLOW_INSECURE_DEV_KEYS	false	Permits built-in dev key fallback (blocked in prod)
FEATURE_SIGNING_PRIVATE_KEY	—	Private key PEM for signing
FEATURE_SIGNING_PRIVATE_KEY_PATH	—	Private key file path
FEATURE_SIGNING_KEY_ID	dev key id fallback	Key id attached when signing
FEATURE_TRUST_PUBLIC_KEYS_JSON	—	Trusted pubkeys map JSON
FEATURE_TRUST_PUBLIC_KEYS_PATH	—	Trusted pubkeys file path
FEATURE_TRUST_PUBLIC_KEY	—	Single trusted public key PEM
FEATURE_TRUST_PUBLIC_KEY_ID	dev key id fallback	Key id for single trusted key

DFS and plugins

Variable	Default	Effect
DFS_WELL_KNOWN_ENDPOINT	—	Enables DFS OIDC config loading
DFS_AUDIENCE	—	JWT audience check
DFS_ISSUER	—	Issuer override
DFS_CLOCK_TOLERANCE_SECONDS	30	JWT clock tolerance
DFS_ALLOW_X_AUTH_REQUEST_ACCESS_TOKEN	true	Accept forwarded token header
DFS_OIDC_CACHE_TTL_MS	300000	OIDC/JWKS config cache
HOST_AUTH_PLUGIN	—	Custom auth plugin module path or specifier

Observability

Variable	Default	Effect
LOG_LEVEL	info	Structured logger level
OTEL_EXPORTER_OTLP_ENDPOINT	—	Enables OTEL export
OTEL_SERVICE_NAME	thin-host	OTEL service name
OTEL_DEPLOYMENT_ENVIRONMENT	development	OTEL env label