[{"data":1,"prerenderedAt":1067},["ShallowReactive",2],{"navigation_docs":3,"-reference-environment":136,"-reference-environment-surround":1064},[4,26,47,68,89,110,123],{"title":5,"path":6,"stem":7,"children":8,"page":25},"Getting Started","\u002Fgetting-started","1.getting-started",[9,13,17,21],{"title":10,"path":11,"stem":12},"What you are running","\u002Fgetting-started\u002Fwhat-you-are-running","1.getting-started\u002F1.what-you-are-running",{"title":14,"path":15,"stem":16},"Architecture","\u002Fgetting-started\u002Farchitecture","1.getting-started\u002F2.architecture",{"title":18,"path":19,"stem":20},"Prerequisites","\u002Fgetting-started\u002Fprerequisites","1.getting-started\u002F3.prerequisites",{"title":22,"path":23,"stem":24},"Quickstart","\u002Fgetting-started\u002Fquickstart","1.getting-started\u002F4.quickstart",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Install","\u002Finstall","2.install",[31,35,39,43],{"title":32,"path":33,"stem":34},"Install the chart","\u002Finstall\u002Finstall-the-chart","2.install\u002F1.install-the-chart",{"title":36,"path":37,"stem":38},"Activation","\u002Finstall\u002Factivation","2.install\u002F2.activation",{"title":40,"path":41,"stem":42},"DNS and TLS","\u002Finstall\u002Fdns-and-tls","2.install\u002F3.dns-and-tls",{"title":44,"path":45,"stem":46},"Verify your install","\u002Finstall\u002Fverify-your-install","2.install\u002F4.verify-your-install",{"title":48,"path":49,"stem":50,"children":51,"page":25},"Configure","\u002Fconfigure","3.configure",[52,56,60,64],{"title":53,"path":54,"stem":55},"Data services","\u002Fconfigure\u002Fdata-services","3.configure\u002F1.data-services",{"title":57,"path":58,"stem":59},"Secrets","\u002Fconfigure\u002Fsecrets","3.configure\u002F2.secrets",{"title":61,"path":62,"stem":63},"Registry and air-gapped installs","\u002Fconfigure\u002Fregistry-and-airgap","3.configure\u002F3.registry-and-airgap",{"title":65,"path":66,"stem":67},"Integrations","\u002Fconfigure\u002Fintegrations","3.configure\u002F4.integrations",{"title":69,"path":70,"stem":71,"children":72,"page":25},"Licensing","\u002Flicensing","4.licensing",[73,77,81,85],{"title":74,"path":75,"stem":76},"How licensing works","\u002Flicensing\u002Fhow-licensing-works","4.licensing\u002F1.how-licensing-works",{"title":78,"path":79,"stem":80},"Your key never leaves","\u002Flicensing\u002Fyour-key-never-leaves","4.licensing\u002F2.your-key-never-leaves",{"title":82,"path":83,"stem":84},"What phones home","\u002Flicensing\u002Fwhat-phones-home","4.licensing\u002F3.what-phones-home",{"title":86,"path":87,"stem":88},"Revoke and recover","\u002Flicensing\u002Frevoke-and-recover","4.licensing\u002F4.revoke-and-recover",{"title":90,"path":91,"stem":92,"children":93,"page":25},"Operate","\u002Foperate","5.operate",[94,98,102,106],{"title":95,"path":96,"stem":97},"Upgrade","\u002Foperate\u002Fupgrade","5.operate\u002F1.upgrade",{"title":99,"path":100,"stem":101},"Backup and restore","\u002Foperate\u002Fbackup-and-restore","5.operate\u002F2.backup-and-restore",{"title":103,"path":104,"stem":105},"Observability","\u002Foperate\u002Fobservability","5.operate\u002F3.observability",{"title":107,"path":108,"stem":109},"High availability","\u002Foperate\u002Fhigh-availability","5.operate\u002F4.high-availability",{"title":111,"path":112,"stem":113,"children":114,"page":25},"Troubleshooting","\u002Ftroubleshooting","6.troubleshooting",[115,119],{"title":116,"path":117,"stem":118},"Install failures","\u002Ftroubleshooting\u002Finstall-failures","6.troubleshooting\u002F1.install-failures",{"title":120,"path":121,"stem":122},"Licensing failures","\u002Ftroubleshooting\u002Flicensing-failures","6.troubleshooting\u002F2.licensing-failures",{"title":124,"path":125,"stem":126,"children":127,"page":25},"Reference","\u002Freference","9.reference",[128,132],{"title":129,"path":130,"stem":131},"Helm values","\u002Freference\u002Fhelm-values","9.reference\u002F1.helm-values",{"title":133,"path":134,"stem":135},"Environment variables","\u002Freference\u002Fenvironment","9.reference\u002F2.environment",{"id":137,"title":133,"body":138,"description":1057,"extension":1058,"links":1059,"meta":1060,"navigation":1061,"path":134,"seo":1062,"stem":135,"__hash__":1063},"docs\u002F9.reference\u002F2.environment.md",{"type":139,"value":140,"toc":1052},"minimark",[141,145,158,161,179,192,203],[142,143,133],"h1",{"id":144},"environment-variables",[146,147,148,149,153,154,157],"p",{},"The chart sets all of these for you. You will only meet them if you bring your own Secret through ",[150,151,152],"code",{},"secrets.existingSecret",", or if you are reading a pod to work out why it will not start. Everything an operator normally turns is a Helm value, listed on the ",[155,156,129],"a",{"href":130}," page.",[146,159,160],{},"A variable marked as a secret lands in a Kubernetes Secret rather than a ConfigMap.",[146,162,163,164,167,168,167,171,174,175,178],{},"Four of the variables in this table are written by the license agent, not by you: ",[150,165,166],{},"SIGNING_SEED",", ",[150,169,170],{},"PARENT_LEASE_TOKEN",[150,172,173],{},"PARENT_BASE_URL"," and ",[150,176,177],{},"REQUIRE_PARENT_LEASE",". The agent generates the signing key inside your cluster and keeps the license renewed. Setting any of them by hand breaks enrollment, and the descriptions below say so again where it counts.",[146,180,181,182,174,185,188,189,191],{},"The agent owns six keys in the platform Secret in total. The other two, ",[150,183,184],{},"POP_SIGNING_SEED",[150,186,187],{},"ACTIVATION_CODE_CONSUMED",", are not environment variables the platform reads, so they are not in this table. ",[155,190,57],{"href":58}," covers the full set and what your secret store must do about it.",[146,193,194,195,198,199,202],{},"Optional integrations are not listed here. Supplier credentials, payment keys, object storage and error reporting are all read with empty defaults, and the feature behind each one stays off until you configure it. Pass them through ",[150,196,197],{},"api.env"," for plain settings and ",[150,200,201],{},"api.secretEnv"," for credentials.",[204,205,206,225],"table",{},[207,208,209],"thead",{},[210,211,212,216,219,222],"tr",{},[213,214,215],"th",{},"Variable",[213,217,218],{},"Required",[213,220,221],{},"Secret",[213,223,224],{},"What it does",[226,227,228,244,258,272,286,300,314,329,343,357,371,385,399,413,427,441,455,469,483,497,511,525,539,553,567,581,595,609,623,637,651,665,679,693,707,720,733,747,760,773,786,800,814,828,842,856,870,884,898,912,926,940,954,968,982,996,1010,1024,1038],"tbody",{},[210,229,230,236,239,241],{},[231,232,233],"td",{},[150,234,235],{},"ENV",[231,237,238],{},"No",[231,240,238],{},[231,242,243],{},"The name of the runtime environment. It shows up in logs and error reports. Set production on a real install. It defaults to development. Error reporting stays off until you add SENTRY_DSN to api.env. Two more go beside it there: SENTRY_ENV, which labels which install an error came from and falls back to this value, and SENTRY_RELEASE, which labels which build.",[210,245,246,251,253,255],{},[231,247,248],{},[150,249,250],{},"LOG_LEVEL",[231,252,238],{},[231,254,238],{},[231,256,257],{},"How much the platform logs: debug, info, warn or error. The chart ships debug. Move to info or warn once an install has settled, and drop back to debug when you are chasing something.",[210,259,260,265,267,269],{},[231,261,262],{},[150,263,264],{},"DEMO_MODE",[231,266,238],{},[231,268,238],{},[231,270,271],{},"Reserved for demo installs, where some content edits are blocked. Nothing in the platform reads it today, so leave it false.",[210,273,274,279,281,283],{},[231,275,276],{},[150,277,278],{},"SERVER_PORT",[231,280,238],{},[231,282,238],{},[231,284,285],{},"The port the API listens on inside its container. The chart derives it from api.port, and the Service, the Ingress and the web tier all follow that one value, so change api.port rather than this.",[210,287,288,293,295,297],{},[231,289,290],{},[150,291,292],{},"SERVER_HOST",[231,294,238],{},[231,296,238],{},[231,298,299],{},"The address the API binds to inside its container. It is 0.0.0.0 so the kubelet and the Service can reach it. There is no reason to change it.",[210,301,302,307,309,311],{},[231,303,304],{},[150,305,306],{},"SERVER_RATE_LIMIT",[231,308,238],{},[231,310,238],{},[231,312,313],{},"How many requests one client may make before the API starts turning them away. The chart sets 2000, well above the built-in default, because a freshly opened console polls hard enough to trip a lower ceiling.",[210,315,316,321,324,326],{},[231,317,318],{},[150,319,320],{},"AUTH_ENABLED",[231,322,323],{},"Yes",[231,325,238],{},[231,327,328],{},"Turns on the authentication middleware that every account-scoped route sits behind. Leave it true. With it off the platform has no notion of who is calling.",[210,330,331,336,338,340],{},[231,332,333],{},[150,334,335],{},"DB_DSN",[231,337,323],{},[231,339,323],{},[231,341,342],{},"The Postgres connection string, and the one value the API cannot boot without. The chart composes it for the bundled database, or passes postgres.external.dsn through untouched. It carries the password, so it lives in the Secret.",[210,344,345,350,352,354],{},[231,346,347],{},[150,348,349],{},"DB_NAME",[231,351,238],{},[231,353,238],{},[231,355,356],{},"The database name, for the few code paths that want it on its own rather than parsed out of the connection string. The DSN already names the database, so this rarely matters. It defaults to postgres.",[210,358,359,364,366,368],{},[231,360,361],{},[150,362,363],{},"JWT_SECRET",[231,365,323],{},[231,367,323],{},[231,369,370],{},"The key that signs and verifies session tokens. It has to match the auth container GOTRUE_JWT_SECRET byte for byte or every authenticated request comes back 401. The chart generates one value and gives it to both. The API refuses to boot while this is empty.",[210,372,373,378,380,382],{},[231,374,375],{},[150,376,377],{},"AUTH_URL",[231,379,323],{},[231,381,238],{},[231,383,384],{},"Where the API reaches the auth service. The chart points it at the in-cluster Service, so the traffic never leaves the cluster.",[210,386,387,392,394,396],{},[231,388,389],{},[150,390,391],{},"AUTH_URL_INTERNAL",[231,393,238],{},[231,395,238],{},[231,397,398],{},"A second name for the same in-cluster auth address. It survives as an alias because callers written against the older key still look the auth service up under it, so the chart writes the same Service URL into this key and into AUTH_URL. Keep the two equal. A pod that reads this one and finds a different address is talking to a different auth service than the rest of the platform is.",[210,400,401,406,408,410],{},[231,402,403],{},[150,404,405],{},"GOTRUE_URL",[231,407,238],{},[231,409,238],{},[231,411,412],{},"The same auth address again, under the name the user-management client reads. Leave it empty and that client is never built, which takes the user administration endpoints offline.",[210,414,415,420,422,424],{},[231,416,417],{},[150,418,419],{},"AUTH_COOKIE_NAME",[231,421,238],{},[231,423,238],{},[231,425,426],{},"The name of the browser cookie that carries the session. Change it only if a cookie of that name on the same domain already belongs to something else.",[210,428,429,434,436,438],{},[231,430,431],{},[150,432,433],{},"GOTRUE_HOOK_SEND_EMAIL_SECRETS",[231,435,238],{},[231,437,323],{},[231,439,440],{},"The shared secret the auth service signs its send-email webhook with, so the platform can tell a real call from a forged one. It matters only when auth.emailHook.enabled is true, which routes confirmation and recovery mail through your own branded templates instead of the auth service's plain ones. Turning that on gives the auth container three keys of its own: GOTRUE_HOOK_SEND_EMAIL_ENABLED, GOTRUE_HOOK_SEND_EMAIL_URI, which is the platform endpoint the auth service calls, and its own copy of GOTRUE_HOOK_SEND_EMAIL_SECRETS carrying this same value. The chart generates the secret and writes it to both sides.",[210,442,443,448,450,452],{},[231,444,445],{},[150,446,447],{},"APP_URL",[231,449,323],{},[231,451,238],{},[231,453,454],{},"The public URL of the console or storefront. Links in outbound email point here, so a wrong value sends your users somewhere that does not exist. The chart builds it from your app host, falling back to the API host when the web tier is off.",[210,456,457,462,464,466],{},[231,458,459],{},[150,460,461],{},"API_URL",[231,463,323],{},[231,465,238],{},[231,467,468],{},"The public URL of the API. It is also the URL the platform advertises in its own OAuth and OpenAPI metadata, so it has to be the address clients really reach, not an internal one.",[210,470,471,476,478,480],{},[231,472,473],{},[150,474,475],{},"INTERNAL_HOST",[231,477,238],{},[231,479,238],{},[231,481,482],{},"The in-cluster address of the API, for the parts of the platform that would rather not leave through the Ingress and come back in. Empty means they all take the public URL.",[210,484,485,490,492,494],{},[231,486,487],{},[150,488,489],{},"CACHE_ENABLED",[231,491,238],{},[231,493,238],{},[231,495,496],{},"Whether the platform uses Redis at all. With it off the platform still serves, and it does more work per request.",[210,498,499,504,506,508],{},[231,500,501],{},[150,502,503],{},"CACHE_ADDR",[231,505,323],{},[231,507,238],{},[231,509,510],{},"The Redis endpoint as host:port. The chart derives it from redis.mode. Get it wrong and the binary quietly falls back to localhost:6379, which is nothing at all once the platform runs on more than one pod, so treat it as required.",[210,512,513,518,520,522],{},[231,514,515],{},[150,516,517],{},"CACHE_PASSWORD",[231,519,238],{},[231,521,323],{},[231,523,524],{},"The Redis password. The chart generates one for the bundled Redis and passes yours through for a managed one. An empty value is dropped rather than sent, which is how a Redis that wants no password is addressed.",[210,526,527,532,534,536],{},[231,528,529],{},[150,530,531],{},"CACHE_NAMESPACE",[231,533,238],{},[231,535,238],{},[231,537,538],{},"A prefix on every cache key. The chart sets it to the release name, so two installs sharing one Redis cannot read one another's keys.",[210,540,541,546,548,550],{},[231,542,543],{},[150,544,545],{},"KAFKA_ENABLED",[231,547,238],{},[231,549,238],{},[231,551,552],{},"Whether the platform publishes and consumes events. With it off the live browser stream and templated email stop, and the rest of the platform carries on.",[210,554,555,560,562,564],{},[231,556,557],{},[150,558,559],{},"KAFKA_BROKERS",[231,561,238],{},[231,563,238],{},[231,565,566],{},"Comma-separated host:port brokers. Empty means no event bus: event streaming, the live browser stream and templated email all switch themselves off, and the API still boots and serves.",[210,568,569,574,576,578],{},[231,570,571],{},[150,572,573],{},"KAFKA_CLIENT_ID",[231,575,238],{},[231,577,238],{},[231,579,580],{},"The name this platform gives itself on the broker, mvne or mvno. It shows up in broker-side logs and metrics and changes nothing else.",[210,582,583,588,590,592],{},[231,584,585],{},[150,586,587],{},"KAFKA_GROUP_ID",[231,589,238],{},[231,591,238],{},[231,593,594],{},"The consumer group the platform joins. Installs sharing one broker are kept apart by their topic names rather than by this, so there is rarely a reason to move off the default.",[210,596,597,602,604,606],{},[231,598,599],{},[150,600,601],{},"DOMAIN_EVENTS_TOPIC",[231,603,238],{},[231,605,238],{},[231,607,608],{},"The Kafka topic carrying this install's events. The chart derives a name scoped to the release, which is what stops two installs on one shared broker from consuming each other's events. The realtime service has to read the same topic, and the chart points it there.",[210,610,611,616,618,620],{},[231,612,613],{},[150,614,615],{},"EMAIL_TOPIC_NAMESPACE",[231,617,238],{},[231,619,238],{},[231,621,622],{},"A suffix on the email job topic, so each install has its own email queue on a shared broker. The API, the email worker and the auth email hook all have to agree on it, and the chart derives one value for all three.",[210,624,625,630,632,634],{},[231,626,627],{},[150,628,629],{},"STORAGE_PROVIDER",[231,631,238],{},[231,633,238],{},[231,635,636],{},"Which object store holds uploaded files such as CMS media. It defaults to r2. Four settings travel with it in api.env: R2_ACCOUNT_ID, R2_ACCESS_KEY_ID, R2_BUCKET_NAME and R2_PUBLIC_URL, the last being the host your uploaded files are served from. The fifth, R2_SECRET_ACCESS_KEY, is a credential and goes in api.secretEnv.",[210,638,639,644,646,648],{},[231,640,641],{},[150,642,643],{},"R2_SECRET_ACCESS_KEY",[231,645,238],{},[231,647,323],{},[231,649,650],{},"The secret half of your object-storage credentials, and the only one of the set that belongs in api.secretEnv. Its four companions go in api.env: R2_ACCOUNT_ID, R2_ACCESS_KEY_ID, R2_BUCKET_NAME and R2_PUBLIC_URL. Set them together. Miss any one and uploads have nowhere to land.",[210,652,653,658,660,662],{},[231,654,655],{},[150,656,657],{},"TRANSLATION_AI_PROVIDER",[231,659,238],{},[231,661,238],{},[231,663,664],{},"Which AI provider translates catalog and content copy: anthropic, openai or google. Each reads its own key from api.secretEnv, and only its own: ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_TRANSLATE_API_KEY. Set the one that matches the provider you picked. Without it the translation engine stays off and translation jobs sit pending. Nothing else is affected.",[210,666,667,672,674,676],{},[231,668,669],{},[150,670,671],{},"TRANSLATION_AI_MODEL",[231,673,238],{},[231,675,238],{},[231,677,678],{},"The model the translation engine calls. Empty takes the provider default. The google provider ignores it.",[210,680,681,686,688,690],{},[231,682,683],{},[150,684,685],{},"SECRETS_KEK_AGE_RECIPIENT",[231,687,238],{},[231,689,238],{},[231,691,692],{},"The public half of the age key that encrypts stored credentials, such as the supplier keys your tenants hand you. Leave it empty and the platform still boots, and it writes those credentials to the database in plain text and says so loudly in the logs. Generate a key for anything real.",[210,694,695,700,702,704],{},[231,696,697],{},[150,698,699],{},"SECRETS_KEK_AGE_IDENTITY",[231,701,238],{},[231,703,323],{},[231,705,706],{},"The private half of that same age key, needed to read back what the public half encrypted. Keep a copy somewhere outside the cluster. Lose it and everything already encrypted under it is unreadable.",[210,708,709,713,715,717],{},[231,710,711],{},[150,712,166],{},[231,714,323],{},[231,716,323],{},[231,718,719],{},"The private signing key of this deployment. The license agent generates it inside your cluster on first run and writes it into the Secret. Never set it by hand and never copy it out.",[210,721,722,726,728,730],{},[231,723,724],{},[150,725,184],{},[231,727,323],{},[231,729,323],{},[231,731,732],{},"The private key this platform uses to prove it holds its own lease, by signing every renewal and check-in it sends to its parent. The license agent generates it inside your cluster and rewrites it together with the lease on every rotation, since the two are bound to each other and a mismatched pair is rejected by the parent. Never set it by hand and never copy it out.",[210,734,735,740,742,744],{},[231,736,737],{},[150,738,739],{},"SIGNING_SEEDS_RETIRED",[231,741,238],{},[231,743,323],{},[231,745,746],{},"Comma-separated older signing seeds, kept verifiable while you rotate the key. This is the one signing value the agent does not manage: you set it, and only while a rotation is in flight.",[210,748,749,753,755,757],{},[231,750,751],{},[150,752,170],{},[231,754,323],{},[231,756,323],{},[231,758,759],{},"The signed license this deployment runs under, written by the license agent and replaced on every renewal. Never set it by hand. Its presence is how the agent knows the install is already enrolled, so a hand-written value stops the real enrollment from ever happening.",[210,761,762,766,768,770],{},[231,763,764],{},[150,765,173],{},[231,767,323],{},[231,769,238],{},[231,771,772],{},"The Hub this deployment is licensed against, written by the license agent and pinned to the URL it actually activated with. Trust hangs off this value and not off anything inside the lease itself, so editing it by hand points your install at a different authority. Set activation.parentUrl instead.",[210,774,775,779,781,783],{},[231,776,777],{},[150,778,177],{},[231,780,323],{},[231,782,238],{},[231,784,785],{},"Whether the platform refuses licensed routes without a valid lease. The license agent sets it to true once enrollment succeeds, and the chart sets it too, so the key cannot go missing. Only an explicit false is permissive: unset means required. It fails closed on purpose, so an unlicensed platform does not serve, and its readiness check fails as well, which takes it out of the load balancer instead of leaving it in rotation serving licensed routes that cannot work. The binary also carries a local development escape, four variables named PARENT_BOOTSTRAP_URL, PARENT_BOOTSTRAP_SERVICE_KEY, PARENT_BOOTSTRAP_SUBJECT and PARENT_BOOTSTRAP_TTL. They exist for local development, outside the activation flow. The chart never sets them and they have no place in an installed deployment. If you find them set on a real install, someone has put them there by hand.",[210,787,788,793,795,797],{},[231,789,790],{},[150,791,792],{},"PARENT_JWKS_URL",[231,794,238],{},[231,796,238],{},[231,798,799],{},"Where the platform fetches the Hub public keys to verify its license. It works this out from PARENT_BASE_URL on its own. The chart never sets it, and neither should you.",[210,801,802,807,809,811],{},[231,803,804],{},[150,805,806],{},"PARENT_ISSUER_URL",[231,808,238],{},[231,810,238],{},[231,812,813],{},"The issuer the platform insists on seeing inside a license. It is deliberately never guessed from the Hub URL. Leave it unset unless your Hub issues leases under an issuer that differs from its base URL.",[210,815,816,821,823,825],{},[231,817,818],{},[150,819,820],{},"DEPLOYMENTS_SERVICE_KEY",[231,822,238],{},[231,824,323],{},[231,826,827],{},"The API key this platform presents to its own downstream tenants when it provisions them. It matters only when this install spawns children of its own, which means an MVNE licensing MVNOs. The chart generates it.",[210,829,830,835,837,839],{},[231,831,832],{},[150,833,834],{},"DEPLOYMENTS_SERVICE_KEYS",[231,836,238],{},[231,838,323],{},[231,840,841],{},"Comma-separated extra keys the platform also accepts, so DEPLOYMENTS_SERVICE_KEY can be rolled without a flag day: publish the new key, keep the old one here until every caller has moved, then drop it.",[210,843,844,849,851,853],{},[231,845,846],{},[150,847,848],{},"PPA_BASE_URL",[231,850,238],{},[231,852,238],{},[231,854,855],{},"An older name for PARENT_BASE_URL that a few code paths still fall back to. The chart only ever sets PARENT_BASE_URL. Leave this one alone.",[210,857,858,863,865,867],{},[231,859,860],{},[150,861,862],{},"PLATFORM_KIND",[231,864,323],{},[231,866,238],{},[231,868,869],{},"Tells the license agent which kind of platform it is enrolling, mvne or mvno, in lower case. The chart takes it from platform.kind. Any other value and the agent stops before it starts. The agent also needs the address of the Hub it is enrolling with. The chart passes that as PARENT_URL, taken from activation.parentUrl. HUB_URL is the other accepted name for the same thing, and it wins if both are set.",[210,871,872,877,879,881],{},[231,873,874],{},[150,875,876],{},"ACTIVATION_CODE",[231,878,323],{},[231,880,323],{},[231,882,883],{},"The one-time enrollment code you mint in the Hub, read by the license agent. It is spent on the first successful activation. The chart takes it from activation.code.",[210,885,886,891,893,895],{},[231,887,888],{},[150,889,890],{},"SECRET_NAME",[231,892,323],{},[231,894,238],{},[231,896,897],{},"The Kubernetes Secret the license agent writes the signing key and the license into, and the same Secret the platform pods read their environment from. The chart derives the name from the release rather than from a value you set: the release name, the chart name and the suffix -env, so a release called acme installs a Secret named acme-platform-env. The one way to change it is secrets.existingSecret, which replaces the name outright and hands you a Secret the chart no longer creates.",[210,899,900,905,907,909],{},[231,901,902],{},[150,903,904],{},"SECRET_NAMESPACE",[231,906,238],{},[231,908,238],{},[231,910,911],{},"The namespace that Secret lives in. The chart sets it to the release namespace. Left empty, the agent falls back to the namespace of the pod it is running in, which is the same one, but the chart says it out loud rather than leaning on the fallback.",[210,913,914,919,921,923],{},[231,915,916],{},[150,917,918],{},"PORT",[231,920,323],{},[231,922,238],{},[231,924,925],{},"The port the auth container listens on. It is fixed at 9999, and everything that talks to auth is wired to that number.",[210,927,928,933,935,937],{},[231,929,930],{},[150,931,932],{},"GOTRUE_API_HOST",[231,934,323],{},[231,936,238],{},[231,938,939],{},"The address the auth container binds to. It is 0.0.0.0 so the rest of the cluster can reach it.",[210,941,942,947,949,951],{},[231,943,944],{},[150,945,946],{},"API_EXTERNAL_URL",[231,948,323],{},[231,950,238],{},[231,952,953],{},"The URL the auth service believes it is reachable at. The chart points it at that service's own in-cluster address. It is also the base the OAuth authorization server hangs off, and that server is what lets an AI assistant register itself as a client and sign in on a user's behalf. Turn it on with auth.oauthServer.enabled and the chart writes five keys together: GOTRUE_OAUTH_SERVER_ENABLED, GOTRUE_OAUTH_SERVER_DEFAULT_SCOPE, GOTRUE_OAUTH_SERVER_AUTHORIZATION_TTL, GOTRUE_OAUTH_SERVER_ALLOW_DYNAMIC_REGISTRATION and GOTRUE_OAUTH_SERVER_AUTHORIZATION_PATH.",[210,955,956,961,963,965],{},[231,957,958],{},[150,959,960],{},"GOTRUE_DISABLE_SIGNUP",[231,962,238],{},[231,964,238],{},[231,966,967],{},"Whether public registration is closed. It ships false, so anyone can create an account. Set it true to shut that door. Guest checkout leans on a lighter kind of account, governed by two keys the chart always sets together: GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED, which is true, and GOTRUE_RATE_LIMIT_ANONYMOUS_USERS, which caps how many such accounts one caller may open and is set to 30. Passkeys are a third path in, and auth.passkey.enabled on an https host writes five keys as one set: GOTRUE_PASSKEY_ENABLED, GOTRUE_PASSKEY_MAX_PASSKEYS_PER_USER, GOTRUE_WEBAUTHN_RP_ID, GOTRUE_WEBAUTHN_RP_DISPLAY_NAME and GOTRUE_WEBAUTHN_RP_ORIGINS, the last three built from your public host. On a plain http host the chart leaves all five out, because passkeys need https and the auth container will not start without it.",[210,969,970,975,977,979],{},[231,971,972],{},[150,973,974],{},"GOTRUE_SITE_URL",[231,976,323],{},[231,978,238],{},[231,980,981],{},"Where a user lands after confirming an email, following a magic link or finishing a social sign-in. The chart derives it from auth.siteUrl, falling back to your public host. Point it somewhere wrong and confirmation links lead nowhere. Social sign-in is a separate matter, and this chart does not wire it. GoTrue reads four keys per provider: GOTRUE_EXTERNAL_GOOGLE_ENABLED, GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID, GOTRUE_EXTERNAL_GOOGLE_SECRET and GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI, then the same four for Apple as GOTRUE_EXTERNAL_APPLE_ENABLED, GOTRUE_EXTERNAL_APPLE_CLIENT_ID, GOTRUE_EXTERNAL_APPLE_SECRET and GOTRUE_EXTERNAL_APPLE_REDIRECT_URI. None of the eight are rendered today. The only key of that family the auth container receives is GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED, and the auth.providers block in values.yaml is read by no template, so filling in a client id and secret there and upgrading changes nothing and warns about nothing. Until the chart wires them, those eight keys have to reach the GoTrue container by your own hand, all four of a provider or none of them.",[210,983,984,989,991,993],{},[231,985,986],{},[150,987,988],{},"DATABASE_URL",[231,990,323],{},[231,992,323],{},[231,994,995],{},"The connection string the auth service uses, which is not the same as DB_DSN. It connects as its own database role and pins its search path to the auth schema, because the auth service never sets that path itself. Drop the search path and it cannot find its own tables. Two fixed companions ride along: GOTRUE_DB_DRIVER, always postgres, and DB_NAMESPACE, always auth. The chart builds all three. If you bring your own Secret, this is the one to get exactly right.",[210,997,998,1003,1005,1007],{},[231,999,1000],{},[150,1001,1002],{},"GOTRUE_JWT_EXP",[231,1004,238],{},[231,1006,238],{},[231,1008,1009],{},"How long a session token stays valid, in seconds. It ships at 28800, which is eight hours. Shorten it to make people sign in more often.",[210,1011,1012,1017,1019,1021],{},[231,1013,1014],{},[150,1015,1016],{},"GOTRUE_JWT_SECRET",[231,1018,323],{},[231,1020,323],{},[231,1022,1023],{},"The auth side of the token-signing key. It has to be the same value as the platform JWT_SECRET. The chart writes one value into both, which is why neither is yours to set.",[210,1025,1026,1031,1033,1035],{},[231,1027,1028],{},[150,1029,1030],{},"GOTRUE_MAILER_AUTOCONFIRM",[231,1032,323],{},[231,1034,238],{},[231,1036,1037],{},"Whether a new account counts as confirmed without the user clicking anything. The chart sets false whenever mail is configured, so confirmation is always asked for. Confirmation only reaches the user if the auth service can send mail. Give it a transport through auth.resendAPIKey or auth.smtp, and the chart fills the same five keys either way: GOTRUE_SMTP_HOST, GOTRUE_SMTP_PORT, GOTRUE_SMTP_USER, GOTRUE_SMTP_PASS and GOTRUE_SMTP_ADMIN_EMAIL. Leave both unset and there is no way to send a confirmation, so this flips to true and new accounts are confirmed on sight.",[210,1039,1040,1045,1047,1049],{},[231,1041,1042],{},[150,1043,1044],{},"GOTRUE_MAILER_EXTERNAL_HOSTS",[231,1046,238],{},[231,1048,238],{},[231,1050,1051],{},"The hosts the auth service is willing to send confirmation and recovery links to. The chart sets your public host. It is what stops a crafted signup from aiming a confirmation link at a site you do not own.",{"title":1053,"searchDepth":1054,"depth":1055,"links":1056},"",1,2,[],"The environment the platform boots with, whether each variable is required, and whether it is a secret.","md",null,{},true,{"title":133,"description":1057},"yUNAk-D8WnEE0ANmdIhIYyOFAiCwl8gfscIJhbWP8Tc",[1065,1059],{"title":129,"path":130,"stem":131,"description":1066,"children":-1},"Every value the platform chart accepts, its default, and what it does.",1783967741116]