Skip to Content
Polyant is open source under AGPL-3.0 — star us on GitHub.
ReferenceEnvironment Variables

Environment Variables Reference

Every environment variable Polyant reads is listed here. Variables marked required must be set before first boot; others have defaults or are optional features.

Database

VariableRequiredDefaultDescription
DATABASE_URLAltFull Postgres URL. Either this or the four POSTGRES_* vars below.
POSTGRES_HOSTAltlocalhostPostgres host.
POSTGRES_PORTAlt5432Postgres port.
POSTGRES_DBAltpolyantPostgres database name.
POSTGRES_USERAltpolyantPostgres user.
POSTGRES_PASSWORDYesPostgres password. Required by docker-compose and the engine.

Auth and crypto

VariableRequiredDefaultDescription
AUTH_SECRETYes32+ char random string. Encrypts session JWTs in both packages.
AUTH_INTERNAL_SECRETNoShared secret between web and engine for the credentials-verification endpoint.
ENCRYPTION_KEYYes64-character hex (32 bytes) for AES-256-GCM secret encryption.
INITIAL_ADMIN_EMAILNoadministrator@localEmail of the auto-created Superadmin on first boot.
INITIAL_ADMIN_PASSWORDNorandomPassword of the auto-created Superadmin (printed once if not set).

Server

VariableRequiredDefaultDescription
API_PORTNo4000HTTP port for the engine.
BASE_URLNoPublic base URL for the engine. Used in webhook deep links.
CORS_ORIGINSNoopen in dev, closed in productionComma-separated allowlist of origins (e.g. https://app.example.com,https://admin.example.com). When unset in NODE_ENV=production, all cross-origin requests are rejected. Setting it to * is refused at startup (a credentialed wildcard would let any origin read authenticated responses).
TRUST_PROXYNo0Number of trusted reverse-proxy hops between the engine and the public internet (e.g. 1 behind Render/Railway/nginx). Also accepts true / false. Controls whether X-Forwarded-Host / X-Forwarded-Proto are honored when reconstructing the request URL for the Twilio webhook signature check. Default 0 (trust nothing) — otherwise attackers can spoof Host/Proto and bypass the Twilio HMAC.
NODE_ENVNo(Node default)Standard Node.js mode. production activates the strict CORS default above and disables verbose error responses.

Web (Next.js)

VariableRequiredDefaultDescription
GOOGLE_CLIENT_IDNoGoogle OAuth client id (required only for Google login).
GOOGLE_CLIENT_SECRETNoGoogle OAuth client secret.
AUTH_TRUST_HOSTNoSet to true behind a reverse proxy.
AUTH_ALLOWED_DOMAINSNo— (allow any)Comma-separated list of email domains permitted via Google OAuth. Empty or unset means any verified Google account can sign in.
INTERNAL_ENGINE_URLNohttp://localhost:4000Base URL used by the web’s Credentials provider to call POST /api/auth/credentials/verify on the engine. Set to the engine’s internal address in production.
NEXT_PUBLIC_API_URLNohttp://localhost:4000Public URL of the engine used by the Next.js rewrite rules (browser-side proxy). Read in packages/web/next.config.ts.

Memory

VariableRequiredDefaultDescription
DEDUP_SIMILARITY_THRESHOLDNo0.90Cosine threshold above which a new memory updates an existing one.

Analytics retention

VariableRequiredDefaultDescription
ANALYTICS_RETENTION_DAYSNo90Daily housekeeping deletes rows older than this many days from ai_logs and pipeline_traces. Both tables grow at one row per LLM call / pipeline run, so unbounded retention is not recommended.

Datetime

VariableRequiredDefaultDescription
DATETIME_TIMEZONENoUTCTimezone used in the system prompt’s {{datetime}} substitution.
DATETIME_LOCALENoen-USLocale for date/time formatting.

Inbound message coordinator

VariableRequiredDefaultDescription
MESSAGE_SOFT_DEBOUNCE_MSNo2000Coalescence window for fragmented bursts.
MESSAGE_TYPING_DELAY_MSNo1500Delay before the typing indicator fires.
MESSAGE_MAX_RESTARTSNo3Cap on consecutive cancel-and-restart cycles per conversation.

Agent-to-agent

VariableRequiredDefaultDescription
AGENT_CALL_TIMEOUT_MSNo60000Max wall-clock duration of a single sub-agent invocation (virtual agent channel). On timeout the synthesised tool returns an error string to the caller.

Activity stream (SSE)

VariableRequiredDefaultDescription
SSE_MAX_CONNECTIONSNo50Global cap on concurrent subscribers of GET /api/activity-stream/live across all users. Excess connections receive HTTP 503 with Retry-After: 60.
SSE_MAX_CONNECTIONS_PER_USERNo5Per-authenticated-user cap on the same endpoint. Same 503 + Retry-After behaviour when exceeded.

Knowledge

VariableRequiredDefaultDescription
KNOWLEDGE_MAX_DOCS_PER_INSTANCENo500Hard cap on the number of knowledge documents an instance may hold. POST /api/instances/:slug/knowledge returns HTTP 400 when reached; POST .../knowledge/sync reports refused files in the response (refusedCap[]).

Workspace storage

VariableRequiredDefaultDescription
WORKSPACES_ROOTNopackages/engine/workspaces (resolved abs.)Filesystem root for per-conversation sandbox directories used by the readFile / writeFile / gitCloneRepo tools (<root>/<instance>/conversations/<conv>/). Knowledge documents and all other agent configuration live in PostgreSQL. One of the two documented process.env reads outside config.ts.

Platform S3 (optional, for attachments)

VariableRequiredDefaultDescription
PLATFORM_S3_BUCKETNoBucket where conversation attachments are persisted.
PLATFORM_S3_REGIONNoBucket region.
PLATFORM_S3_ACCESS_KEY_IDNoAWS access key.
PLATFORM_S3_SECRET_ACCESS_KEYNoAWS secret key.

Debug

VariableRequiredDefaultDescription
DEBUG_LLM_PAYLOADNounsetSet to 1 to log the full system prompt + message array sent to the LLM provider on every call. Forced off when NODE_ENV=production (logs a stderr warning if both are set) — would leak customer data via stdout. Verbose; development only.

Other

VariableRequiredDefaultDescription
DEFAULT_INSTANCE_IDNodefaultDefault instance for mono-instance deployments.
Last updated on
TroubleshootingREST API