Settings
Environment variables
The following environment variables can be configured in the backend .env file:
Database
DB_SYNCHRONIZE- Enable automatic schema synchronization (development only, default:false)DB_DROP_SCHEMA- Drop existing schema on startup (default:false)DB_USERNAME- Database username (default:zentik_user)DB_PASSWORD- Database password (default:zentik_password)DB_NAME- Database name (default:zentik)DB_HOST- Database host (default:localhost)DB_PORT- Database port (default:5432)DB_SSL- Enable SSL connection (default:false)
Server Configuration
PUBLIC_BACKEND_URL- Public backend URL
Administration
ADMIN_USERS- Comma-separated list of administrator users (default:admin)ADMIN_DEFAULT_PASSWORD- Default password for administrator users (default:admin)
Server settings
In addition to environment variables, Zentik provides a wide range of configurable settings through the ServerSetting entity. These settings are stored in the database and can be fully configured through the admin UI or GraphQL API.
JWT (JSON Web Tokens)
JwtAccessTokenExpiration- Access token durationJwtRefreshTokenExpiration- Refresh token durationJwtSecret- Secret key for JWT tokensJwtRefreshSecret- Secret key for refresh tokens
Push Notifications - APN (Apple Push Notification)
ApnPush- Enable APN push notificationsApnKeyId- APN key IDApnTeamId- APN team IDApnPrivateKeyPath- Path to APN private keyApnBundleId- Application bundle IDApnProduction- Production mode for APN
Push Notifications - Firebase
FirebasePush- Enable Firebase push notificationsFirebaseProjectId- Firebase project IDFirebasePrivateKey- Firebase private keyFirebaseClientEmail- Firebase client email
Push Notifications - Web Push
WebPush- Enable Web Push notificationsVapidSubject- Subject for VAPID keys
Push Notifications - Passthrough
PushNotificationsPassthroughServer- Passthrough server for notificationsPushPassthroughToken- Passthrough token
Attachments
AttachmentsEnabled- Enable attachmentsAttachmentsStoragePath- Path for attachment storage (default:/attachments)AttachmentsMaxFileSize- Maximum file sizeAttachmentsAllowedMimeTypes- Allowed MIME typesAttachmentsDeleteJobEnabled- Enable automatic deletion jobAttachmentsMaxAge- Maximum attachment age
Backup
BackupEnabled- Enable automatic backupsBackupExecuteOnStart- Execute backup on startupBackupStoragePath- Path for backup storage (default:/backups)BackupMaxToKeep- Maximum number of backups to keepBackupCronJob- Cron expression for backups
Server Files
ServerFilesDirectory- Directory for server file storage
Messages
MessagesMaxAge- Maximum message ageMessagesDeleteJobEnabled- Enable automatic deletion job
Email
EmailEnabled- Enable email sendingEmailType- Email service type (SMTP, Resend, etc.)EmailHost- SMTP hostEmailPort- SMTP portEmailSecure- Enable secure connectionEmailUser- SMTP usernameEmailPass- SMTP passwordEmailFrom- Sender email addressEmailFromName- Sender nameResendApiKey- Resend API key
Rate Limiting
RateLimitTrustProxyEnabled- Enable trust proxy for rate limitingRateLimitForwardHeader- Header for IP forwardingRateLimitTtlMs- Time-to-live for rate limitingRateLimitLimit- Maximum request limitRateLimitBlockMs- Block durationRateLimitMessagesRps- Requests per second for messagesRateLimitMessagesTtlMs- TTL for message rate limiting
CORS
CorsOrigin- Allowed origins for CORSCorsCredentials- Enable CORS credentials
Logging
LogLevel- Logging level (DEBUG, INFO, WARN, ERROR)LogStorageEnabled- Enable log storageLogRetentionDays- Log retention days
Prometheus Metrics
PrometheusEnabled- Enable Prometheus metrics
Advanced Configuration
ServerStableIdentifier- Stable server identifier (UUID generated at bootstrap)EnableSystemTokenRequests- Enable system token requestsSystemTokenUsageStats- System token usage statistics