Env vars

Environment variables used to configure a self-hosted Proliferate deployment.

All configuration for a self-hosted Proliferate server lives in one file: .env.static in your deploy directory (the extracted proliferate-deploy bundle). You create it once from the template that ships with each release:

curl -fsSL https://github.com/proliferate-ai/proliferate/releases/download/server-vX.Y.Z/proliferate-deploy.tar.gz | tar xz
cd proliferate-deploy
cp .env.production.example .env.static

bootstrap.sh reads .env.static, generates any missing secrets, and derives a .env.runtime file that the containers actually load. Edit .env.static, never .env.runtime, then rerun ./bootstrap.sh to apply changes (it is safe to rerun at any time).

Info:

The server ignores environment variables it does not recognize. Treat anything not in the template or on this page as unsupported: a typo or a removed override is silently ignored rather than raised as an error.

The required minimum

Three variables must be set before first bootstrap:

VariableWhat to set
SITE_ADDRESSYour public DNS name, for example proliferate.company.com. A scheme is optional; https is assumed when you leave it off.
PROLIFERATE_TELEMETRY_MODEself_managed.
PROLIFERATE_SERVER_IMAGE_TAGThe server version you run: a pinned release tag, or stable.

Three secrets should be left blank; the first ./bootstrap.sh run generates strong values and persists them:

JWT_SECRET=
CLOUD_SECRET_KEY=
POSTGRES_PASSWORD=
Info:

API_BASE_URL, the canonical public URL the server uses to build absolute callback URLs and the configuration it pushes to workspaces, is derived from SITE_ADDRESS by bootstrap when you do not set it, which is right for almost every install. Set it explicitly only when the public URL differs from https://<SITE_ADDRESS>; an explicit value always wins.

Core

VariableRequiredPurpose
SITE_ADDRESSYesPublic hostname Caddy serves, with or without a scheme. Point DNS at the host before first startup so Let's Encrypt can issue a certificate.
API_BASE_URLNoCanonical public API base URL, used for absolute auth callback generation. Derived from SITE_ADDRESS by bootstrap when unset; an explicit value wins.
PROLIFERATE_TELEMETRY_MODEYesself_managed on self-hosted installs. See Telemetry below.
PROLIFERATE_SERVER_IMAGENoServer image source. Default ghcr.io/proliferate-ai/proliferate-server.
PROLIFERATE_SERVER_IMAGE_TAGYesThe version you track: a pinned release tag for change-controlled environments, or stable. See Updates & versioning.
POSTGRES_DBNoBundled Postgres database name. Default proliferate.
POSTGRES_USERNoBundled Postgres user. Default proliferate.
POSTGRES_PASSWORDLeave blankSecret. Auto-generated and persisted on first bootstrap.
JWT_SECRETLeave blankSecret. Signs sessions and OAuth state. Auto-generated on first bootstrap.
CLOUD_SECRET_KEYLeave blankSecret. Encrypts stored credentials at rest and signs cloud workspace flows. Auto-generated on first bootstrap.
DATABASE_URLGeneratedDerived into .env.runtime from the POSTGRES_* values, pointing at the bundled db service. Set it yourself only if you run an external Postgres.
CORS_ALLOW_ORIGINSPresetBrowser and desktop webview origins allowed to call the API. The template default covers the desktop app; extend it only if you know you need to.
PROLIFERATE_PUBLIC_HEALTHCHECK_URLNoOptional public endpoint check that runs after the local API health check passes. The AWS stack sets it automatically.
AWS_REGIONNoOnly needed when pulling the server image from a private ECR registry.

Sign-in

Email and password sign-in is on by default and needs no configuration. The desktop app asks your server which methods are available (GET /auth/desktop/methods) and shows the email and password form as the default whenever GitHub OAuth is not configured.

VariableRequiredPurpose
PASSWORD_AUTH_ENABLEDNoDefault true. Set to false to disable the whole password surface: password login, credential management, and account registration (the /register page and POST /auth/password/register return 404). See Email & password.

GitHub sign-in (optional)

VariableRequiredPurpose
GITHUB_OAUTH_CLIENT_IDNoClient ID of a GitHub OAuth app, if you want desktop GitHub sign-in. Set the app's callback URL to https://<SITE_ADDRESS>/auth/desktop/github/callback.
GITHUB_OAUTH_CLIENT_SECRETNoSecret. Client secret of the same app.

See GitHub auth for the walkthrough.

OIDC SSO (optional)

VariableRequiredPurpose
PROLIFERATE_SSO_ENABLEDNoEnables deployment SSO. Default false.
PROLIFERATE_SSO_OIDC_ISSUER_URLWith SSOYour identity provider's OIDC issuer URL; endpoints are resolved via discovery.
PROLIFERATE_SSO_OIDC_CLIENT_IDWith SSOOIDC client ID registered with your provider.
PROLIFERATE_SSO_OIDC_CLIENT_SECRETWith SSOSecret. OIDC client secret.
PROLIFERATE_SSO_LOGIN_POLICYNooptional (default) shows SSO next to other methods. Setting required is rejected by the server; enforced SSO-only login is planned.
PROLIFERATE_SSO_JIT_POLICYNoJust-in-time provisioning for users who sign in via SSO without an invitation. Default disabled.
PROLIFERATE_SSO_ALLOWED_DOMAINSNoComma-separated email domains allowed for SSO just-in-time provisioning.
PROLIFERATE_SSO_DEFAULT_ROLENoRole granted to just-in-time provisioned users. Default member.
PROLIFERATE_SSO_DISPLAY_NAMENoLabel shown on the SSO sign-in button. Default Company SSO.
PROLIFERATE_SSO_OIDC_SCOPESNoRequested scopes. Default openid email profile.
PROLIFERATE_SSO_OIDC_CALLBACK_BASE_URLNoOverride when the SSO callback base URL differs from API_BASE_URL.

For providers without OIDC discovery, explicit endpoint overrides exist: PROLIFERATE_SSO_OIDC_DISCOVERY_URL, PROLIFERATE_SSO_OIDC_AUTHORIZATION_ENDPOINT, PROLIFERATE_SSO_OIDC_TOKEN_ENDPOINT, PROLIFERATE_SSO_OIDC_JWKS_URI, and PROLIFERATE_SSO_OIDC_USERINFO_ENDPOINT. See OIDC SSO.

Single-org mode and access control

Self-hosted installs run in single-org mode: the whole instance is one organization, claimed once at https://<SITE_ADDRESS>/setup with the setup token that bootstrap.sh prints. The default is derived, so a self-hosted install needs no configuration here: single-org mode is on whenever PROLIFERATE_TELEMETRY_MODE is anything other than hosted_product.

VariableRequiredPurpose
SINGLE_ORG_MODENoExplicit override for the membership mode; an explicit value wins over the derived default. Effectively fixed once the instance is claimed.
ADMIN_EMAILSRecommendedComma-separated admin floor: these emails always hold at least the admin role, asserted at account creation and at every sign-in. This is also lockout recovery: add your email, restart the server, sign in. Removing an email from the list never demotes anyone, and the last admin is protected. Listed emails are reinstated as admin at their next sign-in even after removal from the organization, so offboarding a listed user means removing them from this list too and restarting.
ALLOWED_EMAIL_DOMAINSNoComma-separated email domains invited users must belong to before they can self-register. A gate on top of invitations, never a grant: registration requires the invitation token from the invite link (POST /auth/password/register rejects anything else with a uniform 403), and it assigns no roles.
PROLIFERATE_SETUP_TOKEN_FILENoPath inside the api container where the plaintext first-run setup token is written. Default /var/lib/proliferate/setup/setup-token, on a named volume so restarts do not rotate it. Never served over HTTP; bootstrap.sh prints it for you.
RESEND_API_KEYNoSecret. Resend API key for invitation email delivery. When set, invite emails link straight to the /register page with the invitation token prefilled. Invitations work without any email provider: the admin shares the invite link with the Copy invite link action in the members list.
RESEND_FROM_EMAILNoSender address for invitation emails, on a domain you have verified with Resend.

Cloud sandboxes add-on

Only needed with the cloud sandboxes add-on. The add-on requires a publicly reachable HTTPS URL, a GitHub App you create, and an E2B account with a sandbox template built in your own E2B team.

E2B

VariableRequiredPurpose
E2B_API_KEYWith the add-onSecret. E2B provisioning auth. Every sandbox runs in your own E2B team.
E2B_TEMPLATE_NAMEWith the add-onThe value printed at the end of the template build: the alias you chose, for example proliferate-runtime-cloud. E2B has no public templates, so you build this once in your own team and rebuild it after every server update. See E2B & sandbox template.
E2B_WEBHOOK_SIGNATURE_SECRETNoSecret. Verifies webhooks from E2B.

GitHub App

The identity of the GitHub App you create for repository access. See GitHub App.

VariableRequiredPurpose
GITHUB_APP_IDWith the add-onNumeric app ID.
GITHUB_APP_SLUGWith the add-onThe app's URL slug.
GITHUB_APP_CLIENT_IDWith the add-onOAuth client ID of the app.
GITHUB_APP_CLIENT_SECRETWith the add-onSecret. OAuth client secret of the app.
GITHUB_APP_WEBHOOK_SECRETWith the add-onSecret. Verifies webhook deliveries from GitHub.
GITHUB_APP_PRIVATE_KEYWith the add-onSecret. Contents of the app's private key (.pem). Use the path variant below if you prefer mounting a file.
GITHUB_APP_PRIVATE_KEY_PATHAlternativePath to the .pem file mounted into the container, instead of inlining the key.
GITHUB_APP_CALLBACK_BASE_URLNoOverride when the app's OAuth callback base differs from API_BASE_URL.

Runtime binaries

install-runtime.sh (run by bootstrap.sh and update.sh) places the Linux runtime binaries on the host when the CLOUD_*_SOURCE_BINARY_PATH variables are set; a base install skips it. The server uploads the binaries into sandboxes, and the template build bakes them into your E2B template. The E2B & sandbox template page walks through setting these.

VariableRequiredPurpose
PROLIFERATE_HOST_BIN_DIRNoHost directory for the runtime binaries. Default /opt/proliferate/bin, mounted read-only into the api container.
RUNTIME_BINARY_URLWith the cloud sandboxes add-onURL of a release tarball containing the three Linux binaries: the server-vX.Y.Z release asset, or a mirror you host (for example in restricted networks).
RUNTIME_BINARY_SHA256NoOptional checksum for the downloaded runtime archive.
RUNTIME_BINARY_SHA256_URLNoOptional URL of a checksum file for the downloaded runtime archive.
CLOUD_RUNTIME_SOURCE_BINARY_PATHWith the cloud sandboxes add-onHost path of the Linux agent runtime binary uploaded into sandboxes. Also read by the template build script.
CLOUD_WORKER_SOURCE_BINARY_PATHWith the cloud sandboxes add-onHost path of the Linux worker binary. Also read by the template build script.
CLOUD_SUPERVISOR_SOURCE_BINARY_PATHWith the cloud sandboxes add-onHost path of the Linux supervisor binary. Also read by the template build script.

Model gateway add-on

Only needed with the optional model gateway. Without it, users bring their own agent subscriptions and no gateway variables are set. Budgets are enforced at the gateway; self-hosted installs have no credits or billing UI.

The standard Compose stack can run the gateway for you: litellm and its own Postgres database ship as an opt-in service group, off unless you turn on the agent-gateway Compose profile.

Warning:

Older copies of .env.production.example have an AGENT_GATEWAY_BIFROST_* block left over from before the gateway moved to LiteLLM. The server does not read those names at all; per the callout above, it just ignores them. Delete that block and use only the AGENT_GATEWAY_LITELLM_* and LITELLM_* variables below.

VariableRequiredPurpose
AGENT_GATEWAY_ENABLEDNoEnables the gateway integration. Default false.
AGENT_GATEWAY_LITELLM_BASE_URLWith the gatewayPrivate LiteLLM admin URL the Proliferate server calls to mint and manage virtual keys. http://litellm:4000 for the bundled service; keep it unreachable from the public internet.
AGENT_GATEWAY_LITELLM_PUBLIC_BASE_URLWith the gatewayPublic LiteLLM inference URL written into sandbox configuration; this is what agents actually call.
AGENT_GATEWAY_LITELLM_MASTER_KEYWith the gatewaySecret. Master key the server uses to manage virtual keys; must match LITELLM_MASTER_KEY on the LiteLLM container. Never sent to sandboxes.
AGENT_GATEWAY_LITELLM_TIMEOUT_SECONDSNoTimeout for calls to the LiteLLM admin API. Default 30.
AGENT_GATEWAY_DEFAULT_USER_BUDGET_USDNoDefault monthly USD cap on a personal virtual key. Default 5.
AGENT_GATEWAY_DEFAULT_ORG_BUDGET_USDNoDefault cap on organization-wide gateway usage (shared and automation sandboxes). Default 0, which LiteLLM treats as uncapped.

Bundled LiteLLM service (optional)

Only needed if you use the bundled litellm service instead of pointing the variables above at a LiteLLM instance you run elsewhere.

VariableRequiredPurpose
LITELLM_MASTER_KEYWith the bundled serviceSecret. Master key set on the LiteLLM container itself; must match AGENT_GATEWAY_LITELLM_MASTER_KEY.
LITELLM_POSTGRES_PASSWORDWith the bundled serviceSecret. Password for the bundled litellm-db Postgres instance.
LITELLM_POSTGRES_DB / LITELLM_POSTGRES_USERNoDefaults to litellm / litellm.
ANTHROPIC_API_KEY / OPENAI_API_KEY / XAI_API_KEYWith the bundled serviceSecret. Provider keys passed into the LiteLLM container's environment. Set only the providers you use.
PROLIFERATE_LITELLM_IMAGE / PROLIFERATE_LITELLM_IMAGE_TAGNoOverride the LiteLLM image or tag. Default ghcr.io/proliferate-ai/proliferate-litellm:stable.
Warning:

Bringing the bundled gateway up or down is a separate command from ./update.sh: Compose profiles are opt-in, so the plain pull/up that bootstrap.sh and update.sh run never touches litellm or litellm-db. See Model gateway for the exact docker compose --profile agent-gateway commands.

Telemetry

VariableRequiredPurpose
PROLIFERATE_TELEMETRY_MODEYesOne of local_dev, self_managed, hosted_product. Self-hosted installs run self_managed; vendor telemetry only ever activates on hosted_product.
PROLIFERATE_ANONYMOUS_TELEMETRY_DISABLEDNoSet to 1 for zero telemetry: no anonymous heartbeat leaves your server.
PROLIFERATE_ANONYMOUS_TELEMETRY_ENDPOINTNoWhere the daily anonymous heartbeat is sent. Default https://app.proliferate.com/api/v1/telemetry/anonymous.

Exactly what is sent, byte for byte, is documented in Telemetry & privacy.

Background jobs

Warning:

The template also contains CELERY_* and REDBEAT_* variables. They are dormant: automations and background jobs are not available on self-hosted deployments yet, because the worker tier does not ship in v1. Leave them at their template defaults.

Everything else

The template ships a few more optional integrations at safe defaults: cloud MCP connectors (CLOUD_MCP_*), transactional email (CUSTOMERIO_*), AI session-title generation (ANTHROPIC_API_KEY), and vendor observability (SENTRY_*, which is inert outside hosted_product mode). Leave them at their defaults unless a page in these docs tells you otherwise.

The only client-side configuration is the desktop config file ~/.proliferate/config.json with apiBaseUrl and the optional telemetryDisabled; see Connect the desktop app.

On this page