Configuration
Environment variablesโ
Usageโ
Logto handles environment variables in the following order:
- System environment variables
- The
.envfile in the project root, which conforms with dotenv format
Thus the system environment variables will override the values in .env.
Variablesโ
If you run Logto via npm start in the project root, NODE_ENV will always be production.
In default values, protocol will be either http or https according to your HTTPS config.
| Key | Default Value | Type | Description |
|---|---|---|---|
| NODE_ENV | undefined | 'production' | 'test' | undefined | What kind of environment that Logto runs in. |
| PORT | 3001 | number | The local port that Logto listens to. |
| ADMIN_PORT | 3002 | number | The local port that Logto Admin Console listens to. |
| ADMIN_DISABLE_LOCALHOST | N/A | string | boolean | number | Set it to 1 or true to disable the port for Admin Console. With ADMIN_ENDPOINT unset, it'll completely disable the Admin Console. |
| DB_URL | N/A | string | The Postgres DSN for Logto database. |
| HTTPS_CERT_PATH | undefined | string | undefined | See Enabling HTTPS for details. |
| HTTPS_KEY_PATH | undefined | string | undefined | Ditto. |
| TRUST_PROXY_HEADER | false | boolean | Ditto. |
| ENDPOINT | 'protocol://localhost:$PORT' | string | You may specify a URL with your custom domain for online testing or production. This will also affect the value of the OIDC issuer identifier. |
| ADMIN_ENDPOINT | 'protocol://localhost:$ADMIN_PORT' | string | You may specify a URL with your custom domain for production (E.g. ADMIN_ENDPOINT=https://admin.domain.com). This will also affect the value of Admin Console Redirect URIs. |
| CASE_SENSITIVE_USERNAME | true | boolean | Specifies whether the username is case-sensitive. Exercise caution when modifying this value; changes will not automatically adjust existing database data, requiring manual management. |
Enabling HTTPSโ
Using Nodeโ
Node natively supports HTTPS. Provide BOTH HTTPS_CERT_PATH and HTTPS_KEY_PATH to enable HTTPS via Node.
HTTPS_CERT_PATH implies the path to your HTTPS certificate, while HTTPS_KEY_PATH implies the path to your HTTPS key.
Using a HTTPS proxyโ
Another common practice is to have an HTTPS proxy in front of Node (E.g. Nginx).
In this case, you're likely want to set TRUST_PROXY_HEADER to true which indicates if proxy header fields should be trusted. Logto will pass the value to Koa app settings.
See Trusting TLS offloading proxies for when to configure this field.
Database configsโ
Managing too many environment variables are not efficient and flexible, so most of our general configs are stored in the database table logto_configs.
The table is a simple key-value storage, and the key is enumerable as following:
| Key | Type | Description |
|---|---|---|
| oidc.cookieKeys | string[] | The string array of the signing cookie keys. |
| oidc.privateKeys | string[] | The string array of the private key content for OIDC JWT signing. |
Supported private key typesโ
- EC (P-256, secp256k1, P-384, and P-521 curves)
- RSA
- OKP (Ed25519, Ed448, X25519, X448 sub types)