Environment variables

Every environment variable the SDK reads, what it does, and whether it is required.

The SDK itself reads no environment variables directly. Hosts construct identsphere_core::AuthServiceConfig, identsphere_axum::AppConfig, and the database URL programmatically. The variable names below are conventions — they're what the example app reads, what the CLI reads, and what these docs assume. Hosts that prefer different names can use them; the SDK doesn't care.

Keeping to these names means a customer can copy the example .env into their own deployment with a one-line dotenvy::dotenv() call and have things work.

Database

| Variable | Purpose | Required | Default | Read by |
| --- | --- | --- | --- | --- |
| DATABASE_URL | Postgres connection URL. postgres://user:pw@host:port/db. | yes | | identsphere_axum::connect_postgres, CLI |
| IDENTSPHERE_SCHEMA | Postgres schema name. Must be a plain ASCII identifier. | no | IdentSphere | identsphere_axum::connect_postgres, CLI |

The schema name is interpolated into the statement SET search_path TO <schema>, public, which runs on every connection acquired from the pool. Schema isolation is the supported multi-tenant model — production deployments should not share the public schema with other applications.

JWT issuance

| Variable | Purpose | Required | Default |
| --- | --- | --- | --- |
| IDENTSPHERE_JWT_SECRET | HS256 signing key. Minimum 32 bytes (HMAC-SHA256 needs ≥256 bits of entropy). | yes | |
| IDENTSPHERE_ISSUER | iss claim on every minted JWT. | no | IdentSphere |
| IDENTSPHERE_ACCESS_EXPIRY_SECS | Access-token TTL, seconds. | no | 900 (15 min) |
| IDENTSPHERE_REFRESH_EXPIRY_SECS | Refresh-token TTL, seconds. | no | 2592000 (30 days) |

::: warning
Rotating IDENTSPHERE_JWT_SECRET invalidates every outstanding session. There is no grace-period second-key window yet. Plan for forced sign-out.
:::

Application identity

| Variable | Purpose | Required | Default |
| --- | --- | --- | --- |
| IDENTSPHERE_APP_NAME | User-facing product name. Used in email subjects. | no | IdentSphere |
| IDENTSPHERE_PUBLIC_BASE_URL | Canonical public URL of the host. | yes (prod) | http://localhost:3000 |
| IDENTSPHERE_FROM_EMAIL | Sender address for transactional emails. | yes (prod) | no-reply@example.com |
| IDENTSPHERE_COOKIES_SECURE | Toggle the Secure cookie attribute. Must be true in production. | no | false |
| IDENTSPHERE_ROUTE_PREFIX | Path prefix the SDK routes are mounted under. Scopes the refresh-cookie. | no | /v1/auth |
| IDENTSPHERE_STEP_UP_TTL_SECS | Step-up MFA assertion lifetime. | no | 1800 (30 min) |
| IDENTSPHERE_TEST_MODE | Sandbox mode: outbound email is suppressed, responses are tagged. See Test mode. | no | false |

WebAuthn / passkeys

| Variable | Purpose | Required | Default |
| --- | --- | --- | --- |
| IDENTSPHERE_RP_ID | WebAuthn Relying Party ID. Host of public_base_url, no scheme/port. | yes (passkeys) | localhost |
| IDENTSPHERE_RP_ORIGIN | WebAuthn origin: full URL with scheme. | yes (passkeys) | http://localhost:3000 |
| IDENTSPHERE_RP_NAME | User-facing RP name. | no | IdentSphere |

WebAuthn requires HTTPS in browsers; http://localhost is the only exception.
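
A startup check for the constraints stated in the Database, JWT issuance, Application identity and WebAuthn tables, as an added example that is not part of the SDK or the example app. The function names, the host-supplied `production` flag, and the reading of "plain ASCII identifier" as `[A-Za-z_][A-Za-z0-9_]*` are assumptions.

```rust
use std::collections::HashMap;

// Split "scheme://host[:port][/path]" into (scheme, host). No IPv6-literal support.
fn scheme_host(url: &str) -> Option<(&str, &str)> {
    let (scheme, rest) = url.split_once("://")?;
    let authority = rest.split('/').next()?;
    Some((scheme, authority.split(':').next()?))
}

// Hypothetical startup check, not an SDK API; returns each variable that fails a rule.
fn validate_env(env: &HashMap<&str, &str>, production: bool) -> Vec<&'static str> {
    let get = |key: &str, default: &'static str| env.get(key).copied().unwrap_or(default);
    let mut bad = Vec::new();
    // Interpolated into SET search_path: allow only [A-Za-z_][A-Za-z0-9_]* (assumed rule).
    let schema = get("IDENTSPHERE_SCHEMA", "IdentSphere");
    let first_ok = schema.starts_with(|c: char| c.is_ascii_alphabetic() || c == '_');
    if !first_ok || !schema.chars().all(|c| c.is_ascii_alphanumeric() || c == '_') {
        bad.push("IDENTSPHERE_SCHEMA");
    }
    // HS256 key: at least 32 bytes. Length is a floor only; it says nothing about entropy.
    if get("IDENTSPHERE_JWT_SECRET", "").len() < 32 {
        bad.push("IDENTSPHERE_JWT_SECRET");
    }
    // The Secure cookie attribute must be on in production.
    if production && get("IDENTSPHERE_COOKIES_SECURE", "false") != "true" {
        bad.push("IDENTSPHERE_COOKIES_SECURE");
    }
    // The RP ID is the bare host of the public base URL (no scheme, no port).
    let base = get("IDENTSPHERE_PUBLIC_BASE_URL", "http://localhost:3000");
    let rp_id = get("IDENTSPHERE_RP_ID", "localhost");
    if scheme_host(base).map(|(_, h)| h) != Some(rp_id) {
        bad.push("IDENTSPHERE_RP_ID");
    }
    // The WebAuthn origin must be https; http://localhost is the only exception.
    match scheme_host(get("IDENTSPHERE_RP_ORIGIN", "http://localhost:3000")) {
        Some(("https", _)) | Some(("http", "localhost")) => {}
        _ => bad.push("IDENTSPHERE_RP_ORIGIN"),
    }
    bad
}

fn main() {
    // Constructed sample values, not a real deployment.
    let env = HashMap::from([
        ("IDENTSPHERE_SCHEMA", "tenant-1"),      // hyphen: not a plain identifier
        ("IDENTSPHERE_JWT_SECRET", "change-me"), // 9 bytes
    ]);
    println!("{:?}", validate_env(&env, true));
}
```

Running the check before building the config structs makes a bad value fail at boot instead of at the first connection or passkey ceremony.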

OAuth providers

Optional. Missing client IDs mean the provider's /start endpoint returns 404.

| Variable | Purpose |
| --- | --- |
| IDENTSPHERE_OAUTH_GOOGLE_CLIENT_ID | Google OAuth 2.0 client ID |
| IDENTSPHERE_OAUTH_GOOGLE_CLIENT_SECRET | Google OAuth 2.0 client secret |
| IDENTSPHERE_OAUTH_GITHUB_CLIENT_ID | GitHub OAuth App client ID |
| IDENTSPHERE_OAUTH_GITHUB_CLIENT_SECRET | GitHub OAuth App client secret |

Provider callback URL: {public_base_url}/v1/auth/oauth/{provider}/callback.

Email transport

The SDK ships LogOnlySender for dev (prints to stdout). Production hosts swap in their own identsphere_core::providers::EmailSender implementation. The variables below are conventions; the SDK doesn't read them.

| Variable | Purpose | Default |
| --- | --- | --- |
| IDENTSPHERE_SMTP_HOST | SMTP relay hostname | |
| IDENTSPHERE_SMTP_PORT | SMTP port | 587 |
| IDENTSPHERE_SMTP_USER | SMTP username | |
| IDENTSPHERE_SMTP_PASSWORD | SMTP password | |

Frontend (@identsphere/react)

The React SDK has no import.meta.env reads of its own. The host injects the API base URL via the provider's config prop:

```tsx
<AuthProvider config={{ apiBaseUrl: import.meta.env.VITE_AUTH_API_URL }}>
```

By convention:

| Variable | Purpose | Required |
| --- | --- | --- |
| VITE_AUTH_API_URL | Origin where the auth backend is mounted. | yes |

Logging

| Variable | Purpose |
| --- | --- |
| RUST_LOG | tracing_subscriber filter. info,identsphere=debug is a good starting point. |

See also