Env vars
Environment variables used to configure a self-hosted Proliferate deployment.
All configuration for a self-hosted Proliferate server lives in one file:
.env.static in your deploy directory (the extracted proliferate-deploy
bundle). You create it once from the template that ships with each release:
bootstrap.sh reads .env.static, generates any missing secrets, and derives
a .env.runtime file that the containers actually load. Edit .env.static,
never .env.runtime, then rerun ./bootstrap.sh to apply changes (it is safe
to rerun at any time).
The server ignores environment variables it does not recognize. Treat anything not in the template or on this page as unsupported: a typo or a removed override is silently ignored rather than raised as an error.
The required minimum
Three variables must be set before first bootstrap:
| Variable | What to set |
|---|---|
SITE_ADDRESS | Your public DNS name, for example proliferate.company.com. A scheme is optional; https is assumed when you leave it off. |
PROLIFERATE_TELEMETRY_MODE | self_managed. |
PROLIFERATE_SERVER_IMAGE_TAG | The server version you run: a pinned release tag, or stable. |
Three secrets should be left blank; the first ./bootstrap.sh run generates
strong values and persists them:
API_BASE_URL, the canonical public URL the server uses to build absolute
callback URLs and the configuration it pushes to workspaces, is derived from
SITE_ADDRESS by bootstrap when you do not set it, which is right for almost
every install. Set it explicitly only when the public URL differs from
https://<SITE_ADDRESS>; an explicit value always wins.
Core
| Variable | Required | Purpose |
|---|---|---|
SITE_ADDRESS | Yes | Public hostname Caddy serves, with or without a scheme. Point DNS at the host before first startup so Let's Encrypt can issue a certificate. |
API_BASE_URL | No | Canonical public API base URL, used for absolute auth callback generation. Derived from SITE_ADDRESS by bootstrap when unset; an explicit value wins. |
PROLIFERATE_TELEMETRY_MODE | Yes | self_managed on self-hosted installs. See Telemetry below. |
PROLIFERATE_SERVER_IMAGE | No | Server image source. Default ghcr.io/proliferate-ai/proliferate-server. |
PROLIFERATE_SERVER_IMAGE_TAG | Yes | The version you track: a pinned release tag for change-controlled environments, or stable. See Updates & versioning. |
POSTGRES_DB | No | Bundled Postgres database name. Default proliferate. |
POSTGRES_USER | No | Bundled Postgres user. Default proliferate. |
POSTGRES_PASSWORD | Leave blank | Secret. Auto-generated and persisted on first bootstrap. |
JWT_SECRET | Leave blank | Secret. Signs sessions and OAuth state. Auto-generated on first bootstrap. |
CLOUD_SECRET_KEY | Leave blank | Secret. Encrypts stored credentials at rest and signs cloud workspace flows. Auto-generated on first bootstrap. |
DATABASE_URL | Generated | Derived into .env.runtime from the POSTGRES_* values, pointing at the bundled db service. Set it yourself only if you run an external Postgres. |
CORS_ALLOW_ORIGINS | Preset | Browser and desktop webview origins allowed to call the API. The template default covers the desktop app; extend it only if you know you need to. |
PROLIFERATE_PUBLIC_HEALTHCHECK_URL | No | Optional public endpoint check that runs after the local API health check passes. The AWS stack sets it automatically. |
AWS_REGION | No | Only needed when pulling the server image from a private ECR registry. |
Sign-in
Email and password sign-in is on by default and needs no configuration. The
desktop app asks your server which methods are available
(GET /auth/desktop/methods) and shows the email and password form as the
default whenever GitHub OAuth is not configured.
| Variable | Required | Purpose |
|---|---|---|
PASSWORD_AUTH_ENABLED | No | Default true. Set to false to disable the whole password surface: password login, credential management, and account registration (the /register page and POST /auth/password/register return 404). See Email & password. |
GitHub sign-in (optional)
| Variable | Required | Purpose |
|---|---|---|
GITHUB_OAUTH_CLIENT_ID | No | Client ID of a GitHub OAuth app, if you want desktop GitHub sign-in. Set the app's callback URL to https://<SITE_ADDRESS>/auth/desktop/github/callback. |
GITHUB_OAUTH_CLIENT_SECRET | No | Secret. Client secret of the same app. |
See GitHub auth for the walkthrough.
OIDC SSO (optional)
| Variable | Required | Purpose |
|---|---|---|
PROLIFERATE_SSO_ENABLED | No | Enables deployment SSO. Default false. |
PROLIFERATE_SSO_OIDC_ISSUER_URL | With SSO | Your identity provider's OIDC issuer URL; endpoints are resolved via discovery. |
PROLIFERATE_SSO_OIDC_CLIENT_ID | With SSO | OIDC client ID registered with your provider. |
PROLIFERATE_SSO_OIDC_CLIENT_SECRET | With SSO | Secret. OIDC client secret. |
PROLIFERATE_SSO_LOGIN_POLICY | No | optional (default) shows SSO next to other methods. Setting required is rejected by the server; enforced SSO-only login is planned. |
PROLIFERATE_SSO_JIT_POLICY | No | Just-in-time provisioning for users who sign in via SSO without an invitation. Default disabled. |
PROLIFERATE_SSO_ALLOWED_DOMAINS | No | Comma-separated email domains allowed for SSO just-in-time provisioning. |
PROLIFERATE_SSO_DEFAULT_ROLE | No | Role granted to just-in-time provisioned users. Default member. |
PROLIFERATE_SSO_DISPLAY_NAME | No | Label shown on the SSO sign-in button. Default Company SSO. |
PROLIFERATE_SSO_OIDC_SCOPES | No | Requested scopes. Default openid email profile. |
PROLIFERATE_SSO_OIDC_CALLBACK_BASE_URL | No | Override when the SSO callback base URL differs from API_BASE_URL. |
For providers without OIDC discovery, explicit endpoint overrides exist:
PROLIFERATE_SSO_OIDC_DISCOVERY_URL,
PROLIFERATE_SSO_OIDC_AUTHORIZATION_ENDPOINT,
PROLIFERATE_SSO_OIDC_TOKEN_ENDPOINT, PROLIFERATE_SSO_OIDC_JWKS_URI, and
PROLIFERATE_SSO_OIDC_USERINFO_ENDPOINT. See
OIDC SSO.
Single-org mode and access control
Self-hosted installs run in single-org mode: the whole instance is one
organization, claimed once at https://<SITE_ADDRESS>/setup with the setup
token that bootstrap.sh prints. The default is derived, so a self-hosted
install needs no configuration here: single-org mode is on whenever
PROLIFERATE_TELEMETRY_MODE is anything other than hosted_product.
| Variable | Required | Purpose |
|---|---|---|
SINGLE_ORG_MODE | No | Explicit override for the membership mode; an explicit value wins over the derived default. Effectively fixed once the instance is claimed. |
ADMIN_EMAILS | Recommended | Comma-separated admin floor: these emails always hold at least the admin role, asserted at account creation and at every sign-in. This is also lockout recovery: add your email, restart the server, sign in. Removing an email from the list never demotes anyone, and the last admin is protected. Listed emails are reinstated as admin at their next sign-in even after removal from the organization, so offboarding a listed user means removing them from this list too and restarting. |
ALLOWED_EMAIL_DOMAINS | No | Comma-separated email domains invited users must belong to before they can self-register. A gate on top of invitations, never a grant: registration requires the invitation token from the invite link (POST /auth/password/register rejects anything else with a uniform 403), and it assigns no roles. |
PROLIFERATE_SETUP_TOKEN_FILE | No | Path inside the api container where the plaintext first-run setup token is written. Default /var/lib/proliferate/setup/setup-token, on a named volume so restarts do not rotate it. Never served over HTTP; bootstrap.sh prints it for you. |
RESEND_API_KEY | No | Secret. Resend API key for invitation email delivery. When set, invite emails link straight to the /register page with the invitation token prefilled. Invitations work without any email provider: the admin shares the invite link with the Copy invite link action in the members list. |
RESEND_FROM_EMAIL | No | Sender address for invitation emails, on a domain you have verified with Resend. |
Cloud sandboxes add-on
Only needed with the cloud sandboxes add-on. The add-on requires a publicly reachable HTTPS URL, a GitHub App you create, and an E2B account with a sandbox template built in your own E2B team.
E2B
| Variable | Required | Purpose |
|---|---|---|
E2B_API_KEY | With the add-on | Secret. E2B provisioning auth. Every sandbox runs in your own E2B team. |
E2B_TEMPLATE_NAME | With the add-on | The value printed at the end of the template build: the alias you chose, for example proliferate-runtime-cloud. E2B has no public templates, so you build this once in your own team and rebuild it after every server update. See E2B & sandbox template. |
E2B_WEBHOOK_SIGNATURE_SECRET | No | Secret. Verifies webhooks from E2B. |
GitHub App
The identity of the GitHub App you create for repository access. See GitHub App.
| Variable | Required | Purpose |
|---|---|---|
GITHUB_APP_ID | With the add-on | Numeric app ID. |
GITHUB_APP_SLUG | With the add-on | The app's URL slug. |
GITHUB_APP_CLIENT_ID | With the add-on | OAuth client ID of the app. |
GITHUB_APP_CLIENT_SECRET | With the add-on | Secret. OAuth client secret of the app. |
GITHUB_APP_WEBHOOK_SECRET | With the add-on | Secret. Verifies webhook deliveries from GitHub. |
GITHUB_APP_PRIVATE_KEY | With the add-on | Secret. Contents of the app's private key (.pem). Use the path variant below if you prefer mounting a file. |
GITHUB_APP_PRIVATE_KEY_PATH | Alternative | Path to the .pem file mounted into the container, instead of inlining the key. |
GITHUB_APP_CALLBACK_BASE_URL | No | Override when the app's OAuth callback base differs from API_BASE_URL. |
Runtime binaries
install-runtime.sh (run by bootstrap.sh and update.sh) places the Linux
runtime binaries on the host when the CLOUD_*_SOURCE_BINARY_PATH variables
are set; a base install skips it. The server uploads the binaries into
sandboxes, and the template build bakes them into your E2B template. The
E2B & sandbox template page
walks through setting these.
| Variable | Required | Purpose |
|---|---|---|
PROLIFERATE_HOST_BIN_DIR | No | Host directory for the runtime binaries. Default /opt/proliferate/bin, mounted read-only into the api container. |
RUNTIME_BINARY_URL | With the cloud sandboxes add-on | URL of a release tarball containing the three Linux binaries: the server-vX.Y.Z release asset, or a mirror you host (for example in restricted networks). |
RUNTIME_BINARY_SHA256 | No | Optional checksum for the downloaded runtime archive. |
RUNTIME_BINARY_SHA256_URL | No | Optional URL of a checksum file for the downloaded runtime archive. |
CLOUD_RUNTIME_SOURCE_BINARY_PATH | With the cloud sandboxes add-on | Host path of the Linux agent runtime binary uploaded into sandboxes. Also read by the template build script. |
CLOUD_WORKER_SOURCE_BINARY_PATH | With the cloud sandboxes add-on | Host path of the Linux worker binary. Also read by the template build script. |
CLOUD_SUPERVISOR_SOURCE_BINARY_PATH | With the cloud sandboxes add-on | Host path of the Linux supervisor binary. Also read by the template build script. |
Model gateway add-on
Only needed with the optional model gateway. Without it, users bring their own agent subscriptions and no gateway variables are set. Budgets are enforced at the gateway; self-hosted installs have no credits or billing UI.
The standard Compose stack can run the gateway for you: litellm and its own
Postgres database ship as an opt-in service group, off unless you turn on the
agent-gateway Compose profile.
Older copies of .env.production.example have an AGENT_GATEWAY_BIFROST_*
block left over from before the gateway moved to LiteLLM. The server does not
read those names at all; per the callout above, it just ignores them. Delete
that block and use only the AGENT_GATEWAY_LITELLM_* and LITELLM_*
variables below.
| Variable | Required | Purpose |
|---|---|---|
AGENT_GATEWAY_ENABLED | No | Enables the gateway integration. Default false. |
AGENT_GATEWAY_LITELLM_BASE_URL | With the gateway | Private LiteLLM admin URL the Proliferate server calls to mint and manage virtual keys. http://litellm:4000 for the bundled service; keep it unreachable from the public internet. |
AGENT_GATEWAY_LITELLM_PUBLIC_BASE_URL | With the gateway | Public LiteLLM inference URL written into sandbox configuration; this is what agents actually call. |
AGENT_GATEWAY_LITELLM_MASTER_KEY | With the gateway | Secret. Master key the server uses to manage virtual keys; must match LITELLM_MASTER_KEY on the LiteLLM container. Never sent to sandboxes. |
AGENT_GATEWAY_LITELLM_TIMEOUT_SECONDS | No | Timeout for calls to the LiteLLM admin API. Default 30. |
AGENT_GATEWAY_DEFAULT_USER_BUDGET_USD | No | Default monthly USD cap on a personal virtual key. Default 5. |
AGENT_GATEWAY_DEFAULT_ORG_BUDGET_USD | No | Default cap on organization-wide gateway usage (shared and automation sandboxes). Default 0, which LiteLLM treats as uncapped. |
Bundled LiteLLM service (optional)
Only needed if you use the bundled litellm service instead of pointing the
variables above at a LiteLLM instance you run elsewhere.
| Variable | Required | Purpose |
|---|---|---|
LITELLM_MASTER_KEY | With the bundled service | Secret. Master key set on the LiteLLM container itself; must match AGENT_GATEWAY_LITELLM_MASTER_KEY. |
LITELLM_POSTGRES_PASSWORD | With the bundled service | Secret. Password for the bundled litellm-db Postgres instance. |
LITELLM_POSTGRES_DB / LITELLM_POSTGRES_USER | No | Defaults to litellm / litellm. |
ANTHROPIC_API_KEY / OPENAI_API_KEY / XAI_API_KEY | With the bundled service | Secret. Provider keys passed into the LiteLLM container's environment. Set only the providers you use. |
PROLIFERATE_LITELLM_IMAGE / PROLIFERATE_LITELLM_IMAGE_TAG | No | Override the LiteLLM image or tag. Default ghcr.io/proliferate-ai/proliferate-litellm:stable. |
Bringing the bundled gateway up or down is a separate command from
./update.sh: Compose profiles are opt-in, so the plain pull/up that
bootstrap.sh and update.sh run never touches litellm or litellm-db.
See Model gateway for the exact
docker compose --profile agent-gateway commands.
Telemetry
| Variable | Required | Purpose |
|---|---|---|
PROLIFERATE_TELEMETRY_MODE | Yes | One of local_dev, self_managed, hosted_product. Self-hosted installs run self_managed; vendor telemetry only ever activates on hosted_product. |
PROLIFERATE_ANONYMOUS_TELEMETRY_DISABLED | No | Set to 1 for zero telemetry: no anonymous heartbeat leaves your server. |
PROLIFERATE_ANONYMOUS_TELEMETRY_ENDPOINT | No | Where the daily anonymous heartbeat is sent. Default https://app.proliferate.com/api/v1/telemetry/anonymous. |
Exactly what is sent, byte for byte, is documented in Telemetry & privacy.
Background jobs
The template also contains CELERY_* and REDBEAT_* variables. They are
dormant: automations and background jobs are not available on self-hosted
deployments yet, because the worker tier does not ship in v1. Leave them at
their template defaults.
Everything else
The template ships a few more optional integrations at safe defaults: cloud
MCP connectors (CLOUD_MCP_*), transactional email (CUSTOMERIO_*), AI
session-title generation (ANTHROPIC_API_KEY), and vendor observability
(SENTRY_*, which is inert outside hosted_product mode). Leave them at
their defaults unless a page in these docs tells you otherwise.
The only client-side configuration is the desktop config file
~/.proliferate/config.json with apiBaseUrl and the optional
telemetryDisabled; see Connect the desktop
app.