# your domain, e.g https://example.com
APP_URL=http://localhost:3000
PORT=3000

# minimum of 32 characters. Generate one with: openssl rand -hex 32
APP_SECRET=REPLACE_WITH_LONG_SECRET

JWT_TOKEN_EXPIRES_IN=30d

DATABASE_URL="postgresql://postgres:password@localhost:5432/docmost?schema=public"
REDIS_URL=redis://127.0.0.1:6379

# options: local | s3
STORAGE_DRIVER=local

# S3 driver config
AWS_S3_ACCESS_KEY_ID=
AWS_S3_SECRET_ACCESS_KEY=
AWS_S3_REGION=
AWS_S3_BUCKET=
AWS_S3_ENDPOINT=
AWS_S3_FORCE_PATH_STYLE=

# default: 50mb
FILE_UPLOAD_SIZE_LIMIT=

# options: smtp | postmark
MAIL_DRIVER=smtp
MAIL_FROM_ADDRESS=hello@example.com
MAIL_FROM_NAME=Docmost

# SMTP driver config
SMTP_HOST=127.0.0.1
SMTP_PORT=587
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_SECURE=false
SMTP_IGNORETLS=false

# Postmark driver config
POSTMARK_TOKEN=

# for custom drawio server
DRAWIO_URL=

# Gotenberg URL for server-side PDF export
GOTENBERG_URL=

DISABLE_TELEMETRY=false

# Enable debug logging in production (default: false)
DEBUG_MODE=false

# Log database queries
DEBUG_DB=false

# Log http requests
LOG_HTTP=false

# ─── OIDC (Authentik) — Bloc 4b ──────────────────────────────────────
# Disabled by default. Set OIDC_ENABLED=true and fill the block below
# to expose /api/auth/oidc/login and the SSO button on the login page.
#
# OIDC_ENABLED=true
# OIDC_ISSUER=https://auth.example.com/application/o/docadenice/
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback
# OIDC_SCOPES=openid email profile groups
# OIDC_PROVIDER_NAME=Authentik
#
# Just-in-time provisioning for unknown emails. Strict by default — set
# to true to auto-create a user in the default workspace on first login.
# OIDC_AUTO_PROVISION=false
# OIDC_DEFAULT_WORKSPACE_ID=