Skip to content
Gatewyse

Environment Variables Reference

All environment variables are validated at startup using Zod schemas defined in packages/server/src/config/env.ts. The server will exit with descriptive errors if validation fails.

Core

VariableRequiredDefaultDescription
NODE_ENVNodevelopmentdevelopment, production, or test
PORTNo3000HTTP server listen port
HOSTNo0.0.0.0HTTP server bind address
LOG_LEVELNoinfoerror, warn, info, http, verbose, debug, silly

Database

VariableRequiredDefaultValidation
MONGODB_URINomongodb://localhost:27017/ai-gateway?replicaSet=rs0Must be a valid URL
MONGODB_DB_NAMENoai-gatewayNon-empty string
REDIS_HOSTNolocalhostString
REDIS_PORTNo6379Positive integer
REDIS_PASSWORDProd(empty)Required in production
REDIS_DBNo0Non-negative integer

Authentication

VariableRequiredDefaultValidation
JWT_SECRETYesMinimum 16 characters. Must not contain placeholder values in production.
JWT_REFRESH_SECRETYesMinimum 16 characters. Must not contain placeholder values in production.
JWT_ACCESS_EXPIRYNo15mDuration string (e.g., 15m, 1h)
JWT_REFRESH_EXPIRYNo7dDuration string (e.g., 7d, 30d)
ENCRYPTION_KEYYesExactly 64 hex characters (256-bit AES key). Sequential patterns rejected in production.

Super Admin Seed

Used by pnpm seed to create the initial administrator account.

VariableRequiredDefaultValidation
SUPER_ADMIN_EMAILNoadmin@ai-gateway.localValid email address
SUPER_ADMIN_PASSWORDYes12+ characters, must include uppercase, lowercase, digit, and special character

Semantic Cache

VariableRequiredDefaultDescription
CACHE_EMBEDDING_MODELNonomic-embed-textEmbedding model for cache similarity
CACHE_SIMILARITY_THRESHOLDNo0.96Cosine similarity threshold (0.0-1.0)
CACHE_DEFAULT_TTL_SECONDSNo86400Cache entry TTL in seconds (default: 24 hours)

Rate Limiting

VariableRequiredDefaultDescription
RATE_LIMIT_WINDOW_MSNo60000Window duration in milliseconds
RATE_LIMIT_MAX_PER_WINDOWNo60Max requests per window

CORS and Networking

VariableRequiredDefaultDescription
CORS_ORIGINSNo(empty)Comma-separated allowed origins (each must be a valid URL)
SOCKET_CORS_ORIGINNohttp://localhost:3001Socket.io CORS origin
ADMIN_URLNohttp://localhost:3001Admin dashboard URL
SSO_CALLBACK_BASE_URLNo(optional)Base URL for SSO callback endpoints

Background Workers

VariableRequiredDefaultDescription
BULLMQ_PREFIXNoaigwRedis key prefix for BullMQ queues

S3 Backup

All S3 variables are optional. When not configured, audit log backups are stored locally.

VariableRequiredDefaultDescription
S3_BUCKETNoS3 bucket name
S3_REGIONNous-east-1AWS region
S3_ACCESS_KEY_IDNoAWS access key ID
S3_SECRET_ACCESS_KEYNoAWS secret access key
S3_PREFIXNobackupsKey prefix within the S3 bucket

SIEM Export

All SIEM variables are optional. When not configured, SIEM export is disabled.

VariableRequiredDefaultDescription
SIEM_TYPENoExport type: splunk, elk, or webhook
SIEM_URLNoSIEM endpoint URL
SIEM_TOKENNoAuthentication token
SIEM_BATCH_SIZENo100Events per batch

Provider API Keys

Provider API keys are typically managed through the admin dashboard. They can also be set as environment variables, though dashboard-configured keys are encrypted at rest with AES-256-GCM.

Terminal window
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_AI_API_KEY=AIza...
AZURE_OPENAI_API_KEY=...
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com
GROQ_API_KEY=gsk_...
MISTRAL_API_KEY=...
COHERE_API_KEY=...
DEEPSEEK_API_KEY=...
TOGETHER_API_KEY=...
FIREWORKS_API_KEY=...
PERPLEXITY_API_KEY=pplx-...
AI21_API_KEY=...
HUGGINGFACE_API_KEY=hf_...
XAI_API_KEY=...
CEREBRAS_API_KEY=...
SAMBANOVA_API_KEY=...
REPLICATE_API_TOKEN=r8_...
ELEVENLABS_API_KEY=...
ASSEMBLYAI_API_KEY=...

Production Security Checks

When NODE_ENV=production, the server enforces additional validation at startup:

  1. JWT_SECRET must not contain known placeholder strings
  2. JWT_REFRESH_SECRET must not contain known placeholder strings
  3. ENCRYPTION_KEY must not use sequential hex patterns (e.g., 0123456789abcdef repeated)
  4. REDIS_PASSWORD must be set (non-empty)

If any check fails, the server exits with a descriptive error message.