Skip to main content


Environment variablesโ€‹


Logto handles environment variables in the following order:

  • System environment variables
  • The .env file in the project root, which conforms with dotenv format

Thus the system environment variables will override the values in .env.



If you run Logto via npm start in the project root, NODE_ENV will always be production.

In default values, protocol will be either http or https according to your HTTPS config.

KeyDefault ValueTypeDescription
NODE_ENVundefined'production' | 'test' | undefinedWhat kind of environment that Logto runs in.
PORT3001numberThe local port that Logto listens to.
ADMIN_PORT3002numberThe local port that Logto Admin Console listens to.
ADMIN_DISABLE_LOCALHOSTN/Astring | boolean | numberSet it to 1 or true to disable the port for Admin Console. With ADMIN_ENDPOINT unset, it'll completely disable the Admin Console.
DB_URLN/AstringThe Postgres DSN for Logto database.
HTTPS_CERT_PATHundefinedstring | undefinedSee Enabling HTTPS for details.
HTTPS_KEY_PATHundefinedstring | undefinedDitto.
ENDPOINT'protocol://localhost:$PORT'stringYou may specify a URL with your custom domain for online testing or production. This will also affect the value of the OIDC issuer identifier.
ADMIN_ENDPOINT'protocol://localhost:$ADMIN_PORT'stringYou may specify a URL with your custom domain for production (E.g. ADMIN_ENDPOINT= This will also affect the value of Admin Console Redirect URIs.
CASE_SENSITIVE_USERNAMEtruebooleanSpecifies whether the username is case-sensitive. Exercise caution when modifying this value; changes will not automatically adjust existing database data, requiring manual management.

Enabling HTTPSโ€‹

Using Nodeโ€‹

Node natively supports HTTPS. Provide BOTH HTTPS_CERT_PATH and HTTPS_KEY_PATH to enable HTTPS via Node.

HTTPS_CERT_PATH implies the path to your HTTPS certificate, while HTTPS_KEY_PATH implies the path to your HTTPS key.

Using a HTTPS proxyโ€‹

Another common practice is to have an HTTPS proxy in front of Node (E.g. Nginx).

In this case, you're likely want to set TRUST_PROXY_HEADER to true which indicates if proxy header fields should be trusted. Logto will pass the value to Koa app settings.

See Trusting TLS offloading proxies for when to configure this field.

Database configsโ€‹

Managing too many environment variables are not efficient and flexible, so most of our general configs are stored in the database table logto_configs.

The table is a simple key-value storage, and the key is enumerable as following:

oidc.cookieKeysstring[]The string array of the signing cookie keys.
oidc.privateKeysstring[]The string array of the private key content for OIDC JWT signing.

Supported private key typesโ€‹

  • EC (P-256, secp256k1, P-384, and P-521 curves)
  • RSA
  • OKP (Ed25519, Ed448, X25519, X448 sub types)