Environment variables reference
Environment variables for Self-hosted Retool deployments.
| Self-hosted Retool Availability | |||
|---|---|---|---|
| Self-hosted Edge | Generally Available | ||
| Self-hosted Stable | Generally Available | ||
Environment variables control or override certain functions and characteristics of Self-hosted Retool instances. Some Retool features require you to set environment variables, such as SSO or Source Control.
Only configure environment variables when needed. You can configure many environment variables from your organization's Settings rather than directly editing your deployment's configuration file.
You must restart your instance after setting any variables for them to take effect.
All properties for this object with supported data types or values. You can write JavaScript almost anywhere in Retool to manipulate or read property values.
ADMIN_API_ACCESS_TOKEN
If non-empty, Retool creates an API access token with the provided string value. Requires ADMIN_USER_EMAIL to be set to a valid email address of an admin user.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
ADMIN_API_ACCESS_TOKEN=api-key
ADMIN_API_ACCESS_TOKEN_SCOPES
Comma-separated list of scopes to be assigned to the API access token created using ADMIN_API_ACCESS_TOKEN environment variable.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
ADMIN_API_ACCESS_TOKEN_SCOPES=source_control:read,source_control:write,groups:read,groups:write,spaces:read,spaces:write,folders:read,folders:write,permissions:all:read,permissions:all:write
ADMIN_USER_EMAIL
If non-empty, Retool creates an admin user with the provided email in the Admin Space.
| Type | string |
| Format | Email Address |
| Required | Optional |
| Default | null |
Examples
ADMIN_USER_EMAIL=admin@example.com
AGENT_EVALS_S3_ACCESS_KEY_ID
The Amazon S3 access key ID for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
AGENT_EVALS_S3_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AGENT_EVALS_S3_BUCKET
The Amazon S3 bucket for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
AGENT_EVALS_S3_BUCKET=retool-agent-evals
AGENT_EVALS_S3_REGION
The Amazon S3 region for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
AGENT_EVALS_S3_REGION=us-west-2
AGENT_EVALS_S3_SECRET_ACCESS_KEY
The Amazon S3 secret access key for running agent evals.
| Type | string |
| Required | Optional |
| Default | null |
Examples
AGENT_EVALS_S3_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ALLOW_SAME_ORIGIN_OPTION
Whether to use allow-same-origin for iframes and custom components. If this is not true, custom components are heavily restricted in their behavior. Refer to the configure same-origin and sandbox guide to learn more.
| Type | boolean |
| Format | True/False |
| Required | Optional |
| Default | false |
Examples
ALLOW_SAME_ORIGIN_OPTION=false
API_CALLS_PER_MINUTE
Retool API uses a point system for rate limiting where endpoint requests cost a certain number of points. The default is 300 points in a 60 second window. If you exceed this, Retool blocks any subsequent API calls for 60 seconds. You can increase the number of points with the API_CALLS_PER_MIN environment variable.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 300 |
Examples
API_CALLS_PER_MINUTE=300
AZURE_REPOS_MAIN_BRANCH
The main branch for the Azure Repos repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
AZURE_REPOS_MAIN_BRANCH=main
AZURE_REPOS_ORGANIZATION
The Azure DevOps organization name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
AZURE_REPOS_ORGANIZATION=my-organization
AZURE_REPOS_PERSONAL_ACCESS_TOKEN
The personal access token for the Azure DevOps organization user.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
AZURE_REPOS_PERSONAL_ACCESS_TOKEN=mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
AZURE_REPOS_REPO
The Azure DevOps repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
AZURE_REPOS_REPO=my-repo
AZURE_REPOS_USER
The username or service account for the for Azure DevOps organization.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
AZURE_REPOS_USER=retool
BASE_DOMAIN
The full URL of your Retool deployment for user invitations and password resets. This also needs to be set if you dynamically set callback URLs on protected resources.
| Type | string |
| Format | URL |
| Required | Required |
| Default | null |
Examples
BASE_DOMAIN=https://retool.example.com
BITBUCKET_APP_PASSWORD
The app password for the Bitbucket user.
| Type | string |
| Format | Password |
| Required | Optional |
| Default | null |
Examples
BITBUCKET_APP_PASSWORD=mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
BITBUCKET_MAIN_BRANCH
The main branch for the Bitbucket repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
BITBUCKET_MAIN_BRANCH=main
BITBUCKET_REPO
The Bitbucket repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
BITBUCKET_REPO=my-repo
Examples
BITBUCKET_USER=retool
BITBUCKET_WORKSPACE
The Bitbucket workspace name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
BITBUCKET_WORKSPACE=my-workspace
CLIENT_ID
A Google OAuth client app ID for OAuth-based authentication with Google (e.g., Google SSO with OIDC or using a Google Sheets resource).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CLIENT_ID=123456789012-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com
CLIENT_MAX_BODY_SIZE
On the https-portal container, specify the maximum request body size, in bytes, megabytes (M), or kilobytes (K). Any upload that exceeds this limit results in a 413 HTTP error. Set to 0 to allow bodies of any size.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CLIENT_MAX_BODY_SIZE=40M
CLIENT_MAX_BODY_SIZE=8096K
CLIENT_MAX_BODY_SIZE=1048576
CLIENT_SECRET
A Google OAuth client app secret for OAuth-based authentication with Google (e.g., Google SSO with OIDC or using a Google Sheets resource).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CLIENT_SECRET=abcdefghijklmnopqrstuvwxyz
CODE_COMMIT_AWS_ACCESS_KEY_ID
The AWS access key ID for the IAM user.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
CODE_COMMIT_AWS_DEFAULT_REGION
The AWS region for the CodeCommit repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_AWS_DEFAULT_REGION=us-west-2
CODE_COMMIT_AWS_SECRET_ACCESS_KEY
The AWS secret access key for the IAM user.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
CODE_COMMIT_HTTPS_PASSWORD
The password for HTTPS authentication with the CodeCommit repository.
| Type | string |
| Format | Password |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_HTTPS_PASSWORD=mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
CODE_COMMIT_HTTPS_USERNAME
The username for HTTPS authentication with the CodeCommit repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_HTTPS_USERNAME=retool
CODE_COMMIT_MAIN_BRANCH
The main branch for the CodeCommit repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_MAIN_BRANCH=main
CODE_COMMIT_REPOSITORY_NAME
The CodeCommit repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_COMMIT_REPOSITORY_NAME=my-repo
CODE_EXECUTOR_INGRESS_DOMAIN
The domain for the code-executor service that executes arbitrary user-defined JavaScript and Python code with installed custom libraries. The value depends on your deployment configuration, but must include a protocol (http:// or https://).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CODE_EXECUTOR_INGRESS_DOMAIN=code-executor.example.com
CONTAINER_UNPRIVILEGED_MODE
Whether to run the code-executor service in an unprivileged mode and remove any sandboxing of user code.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
CONTAINER_UNPRIVILEGED_MODE=false
COOKIE_INSECURE
Whether to send authentication requests using insecure cookies. Enable this if your Retool deployment uses a non-HTTPS URL or IP address. This is typically used when a Retool deployment is not yet configured with a custom domain.
| Type | boolean |
| Required | Optional |
| Default | true |
Examples
COOKIE_INSECURE=true
CREATE_FIRST_ORG
If set to true, Retool automatically creates the first organization on the instance. This is useful for automated provisioning of Retool instances.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
CREATE_FIRST_ORG=true
CUSTOM_API_KEY
An API key to authenticate workflow webhook requests. Add to the request as an x-api-key header to trigger workflows.
| Type | string |
| Required | Optional |
| Default | null |
Examples
CUSTOM_API_KEY=retool_wk_2ed0cfe975474f4091fbe603d975d7b7
CUSTOM_LOGOUT_REDIRECT
A URL that users are redirected to after logging out of Retool.
| Type | string |
| Format | URL |
| Required | Optional |
| Default | null |
Examples
CUSTOM_LOGOUT_REDIRECT=https://example.com/logout/success
CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES
The lifespan, in minutes, of custom OpenID provider tokens.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 120 |
Examples
CUSTOM_OAUTH2_SSO_ACCESS_TOKEN_LIFESPAN_MINUTES=60
CUSTOM_OAUTH2_SSO_AUDIENCE
An identifier for a resource to which users should have access upon completion of an OpenID authorization process.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CUSTOM_OAUTH2_SSO_AUDIENCE=https://retool.auth0.com/api/v2
CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY
Returns an array of strings where each string represents an OpenID group name. This setting is used with CUSTOM_OAUTH2_SSO_ROLE_MAPPING to map groups to Retool permission groups.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY=idToken.groups
CUSTOM_OAUTH2_SSO_ROLE_MAPPING
The mapping of roles from your OpenID provider to Retool permission groups.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CUSTOM_OAUTH2_SSO_ROLE_MAPPING=devops -> admin, support -> viewer
CUSTOM_OAUTH2_SSO_ROLE_MAPPING_DISABLED
Disables the mapping of roles from your OpenID provider to Retool permission groups. Set this variable to true to disable passing roles from JWTs.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
CUSTOM_OAUTH2_SSO_ROLE_MAPPING_DISABLED=true
CUSTOM_OAUTH2_SSO_USERINFO_URL
The endpoint for Retool to make an additional request for a fat token containing all available claims from your OpenID SSO provider.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
CUSTOM_OAUTH2_SSO_USERINFO_URL=https://yourcompany.okta.com/oauth2/v1/userinfo
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS
The JavaScript sandbox restrictions to allow. Specify space-separated values for multiple restrictions. Only configure custom sandbox restrictions if you are comfortable with the security implications.
| Type | string |
| Required | Optional |
| Default | null |
Examples
CUSTOM_RETOOL_SANDBOX_RESTRICTIONS=allow-downloads
DATABASE_MIGRATIONS_TIMEOUT_SECONDS
The timeout, in seconds, for database migrations. If the migration takes longer than this time, the migration fails. Consider setting a higher value if you're upgrading to another major version of Self-hosted Retool or the upgrade includes changes from multiple minor versions.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
DATABASE_MIGRATIONS_TIMEOUT_SECONDS=1000
DBCONNECTOR_EXTENDED_QUERY_TIMEOUT_ENABLED_RESOURCES
A list of resource types that use the extended query timeout period defined with `DBCONNECTOR_EXTENDED_QUERY_TIMEOUT_MS
| Type | string |
| Required | Optional |
| Default | null |
Examples
DBCONNECTOR_EXTENDED_QUERY_TIMEOUT_ENABLED_RESOURCES=postgresql,mysql
DBCONNECTOR_EXTENDED_QUERY_TIMEOUT_MS
The extended timeout period for queries of specific resource types, in milliseconds.
| Type | string |
| Required | Optional |
| Default | 600000 |
Examples
DBCONNECTOR_EXTENDED_QUERY_TIMEOUT_MS=10000
DBCONNECTOR_NUM_WORKERS
The number of worker threads for the db-connector container. The default value is Math.min(Math.max(1, numCPUs), 3), where numCPUs is the number of logical CPU cores on the machine determined by Node.js.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
DBCONNECTOR_NUM_WORKERS=4
DBCONNECTOR_POSTGRES_POOL_MAX_SIZE
The PostgreSQL connection pool maximum size.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 10 |
Examples
DBCONNECTOR_POSTGRES_POOL_MAX_SIZE=20
DBCONNECTOR_QUERY_TIMEOUT_MS
The duration, in milliseconds, for queries to run before timing out. If your Retool deployment is behind a load balancer, increase the load balancer's timeout by a proportionate amount.
| Type | number |
| Required | Optional |
| Default | 120000 |
| Units | ms |
Examples
DBCONNECTOR_QUERY_TIMEOUT_MS=120000
DEBUG
Whether to enable verbose logging for debugging purposes.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DEBUG=true
DEFAULT_GROUP_FOR_DOMAINS
The default Retool user group for a Google SSO domain. Default groups only apply to new users who sign up using SSO, not existing users signing in.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
DEFAULT_GROUP_FOR_DOMAINS=example1.org -> admin, example2.com -> viewer
DISABLE_AUDIT_TRAILS_LOGGING
Whether to disable logging of audit trails.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_AUDIT_TRAILS_LOGGING=true
DISABLE_FORWARDABLE_COOKIE_DECODING
Whether to disable decoding of forwardable cookies.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_FORWARDABLE_COOKIE_DECODING=true
Examples
DISABLE_GIT_SYNCING=true
DISABLE_IMAGE_PROXY
Whether to disable the proxy used for publicly embedded apps.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_IMAGE_PROXY=true
DISABLE_INTERCOM
Disable Retool's support widget in the frontend. Refer to the Retool Support page to learn how to contact Retool.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_INTERCOM=true
DISABLE_IPTABLES_SECURITY_CONFIGURATION
Whether to disable the default security configuration for link-local address, which is done by running the following startup commands requiring elevated privileges. Set to true if privileged access (e.g NET_ADMIN) cannot be given to the container running Code executor service.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_IPTABLES_SECURITY_CONFIGURATION=false
DISABLE_MEMORY_AND_CPU_USAGE_LOGGING
Whether to disable logging of memory and CPU usage.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_MEMORY_AND_CPU_USAGE_LOGGING=true
DISABLE_PUBLIC_PAGES
Whether to disable public access to Retool apps. If set to true, also set DISABLE_IMAGE_PROXY to true to fully disable public access.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_PUBLIC_PAGES=true
DISABLE_SOURCE_CONTROL_SYNCING
Whether to disable Source Control syncing changes with the repository. This only pauses the syncing process and protected items are unaffected.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
DISABLE_SOURCE_CONTROL_SYNCING=true
DISABLE_USER_PASS_LOGIN
Disable username and password authentication. If true, users can only log in using SSO.
| Type | boolean |
| Format | True/False |
| Required | Optional |
| Default | false |
Examples
DISABLE_USER_PASS_LOGIN=true
DOMAINS
The domains to use for EntityID in SAML requests and obtaining SSL certificates when setting up HTTPS.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
DOMAINS=retool.your-domain.com -> http://api:3000
ENABLE_CLIENT_SIDE_CUSTOM_AUTH_BROWSER_CALLS
Whether to allow custom authentication steps for resources that make REST API calls directly from the browser. If true, these requests include all browser credentials, even cross-origin calls.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
ENABLE_CLIENT_SIDE_CUSTOM_AUTH_BROWSER_CALLS=true
ENABLE_CUSTOM_PLATFORM_LEVEL_AUTH_STEPS
Whether to allow configuration of custom authentication steps for users to perform whenever they log into Retool.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
ENABLE_CUSTOM_PLATFORM_LEVEL_AUTH_STEPS=true
ENCRYPTION_KEY
The encryption key used to encrypt data stored in the PostgreSQL database (e.g., database credentials, SSH keys, etc). If you change this key, you will lose access to all resources that were created before the change.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
ENCRYPTION_KEY=key
FORWARDABLE_SAME_DOMAIN_COOKIES_ALLOWLIST
Whether to send authentication requests using insecure cookies. When you have cookies scoped to your primary domain, you can use this variable to include those cookies in requests from the subdomain you host Retool on to your primary domain.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
FORWARDABLE_SAME_DOMAIN_COOKIES_ALLOWLIST=cookieName
GITLAB_MAIN_BRANCH
The main branch for the GitLab repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
GITLAB_MAIN_BRANCH=main
GITLAB_ORGANIZATION_NAME
The GitLab organization name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
GITLAB_ORGANIZATION_NAME=my-organization
GITLAB_PROJECT_ACCESS_TOKEN
The project access token for the GitLab repository.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
GITLAB_PROJECT_ACCESS_TOKEN=mpoqd2zy7jklzfbhmuzev46vbbcpkeeqminb4wcvwigsrldasdfa
Examples
GITLAB_PROJECT_ID=123
GITLAB_PROJECT_SLUG
The path of the GitLab project URL.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
GITLAB_PROJECT_SLUG=company/eng/product-dev
GITLAB_REPOSITORY_NAME
The GitLab repository name.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
GITLAB_REPOSITORY_NAME=my-repo
GITLAB_URL
The GitLab URL for the GitLab repository.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
GITLAB_URL=https://gitlab.com
HIDE_ALL_HEADERS_IN_AUDIT_LOG_EVENTS
Whether to prevent all query headers and cookies from being added to audit log entries.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
HIDE_ALL_HEADERS_IN_AUDIT_LOG_EVENTS=true
HIDE_PROD_AND_STAGING_TOGGLES
Whether to hide the Production and Staging toggles in the Retool interface.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
HIDE_PROD_AND_STAGING_TOGGLES=true
HOST_HEADER_NAME
Retool backend expects Host header to contain the host used in the original request. This is important for Spaces to work properly. If your self-hosted instance has a proxy or load-balancer in front of the Retool backend, you can specify a different header that contains the original host.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | HOST_HEADER_NAME |
Examples
HOST_HEADER_NAME=x-forwarded-host
HTML_ESCAPE_RETOOL_EXPRESSIONS
Whether to escape HTML in `` expressions. If set to true, all HTML in expressions is escaped.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
HTML_ESCAPE_RETOOL_EXPRESSIONS=true
HTTP_PROXY
The HTTP proxy to use for all HTTP requests.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
HTTP_PROXY=http://proxy.example.com:8080
INVITES_PER_DAY
The number of invites that can be sent to users.
| Type | number |
| Required | Optional |
| Default | 50 |
Examples
INVITES_PER_DAY=100
Examples
JIT_ENABLED=true
JWT_SECRET
The JWT secret token to sign requests for authentication with Retool's backend API server. If changed, all active user login sessions are invalidated.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
JWT_SECRET=676765765327645bvbfgbsfhfbgr
KEEPALIVE_TIMEOUT
The keep alive timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
KEEPALIVE_TIMEOUT=1000
LDAP_BASE_DOMAIN_COMPONENTS
The organization's email domain in DC syntax when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LDAP_BASE_DOMAIN_COMPONENTS=dc=example,dc=com
LDAP_ROLE_MAPPING
The mapping of Google LDAP Groups or SAML groups to Retool permission groups used for Google Group syncing and SAML role mapping.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LDAP_ROLE_MAPPING=retool-admins -> admin, support -> Support
LDAP_ROLE_MAPPING_DISABLED
Disable syncing SAML groups or Google Groups to Retool permission groups. When LDAP_ROLE_MAPPING is set and LDAP_ROLE_MAPPING_DISABLED is true, Retool logs the groups that would have synced to Retool when a user logs in.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | false |
Examples
LDAP_ROLE_MAPPING_DISABLED=true
LDAP_SERVER_CERTIFICATE
The certificate from the downloaded bundle when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LDAP_SERVER_CERTIFICATE=filename
LDAP_SERVER_KEY
The private key from the downloaded bundle when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LDAP_SERVER_KEY=filename
LDAP_SERVER_NAME
The LDAP server name when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LDAP_SERVER_NAME=ldap.google.com
LDAP_SERVER_URL
The LDAP server URL for Google's Secure LDAP Service when syncing Google Groups to Retool.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LDAP_SERVER_URL=ldaps://ldap.google.com:636
LDAP_SYNC_ALL_GROUPS
Whether to sync all groups regardless of whether they're configured in the LDAP_ROLE_MAPPING environment variable. When enabled, new groups are created during SAML sync.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
LDAP_SYNC_ALL_GROUPS=true
LDAP_SYNC_GROUP_CLAIMS
Enable syncing Google Groups to Retool.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
LDAP_SYNC_GROUP_CLAIMS=true
LICENSE_KEY
The license key for your Retool deployment. This is required for Retool to validate that your instance is properly licensed.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
LICENSE_KEY=key_1234567890
LOG_AUDIT_EVENTS
Audit events are always written to the Retool platform database. This environment variable determines if they should also be written to stdout where Retool container logs are sent so that they can be forwarded to a custom observability provider using a log collector (e.g. the telemetry collector Retool provides as an option in the Helm chart).
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
LOG_AUDIT_EVENTS=true
LOG_LEVEL
The log level for Retool logs.
| Type | string | ||||||||||
| Required | Optional | ||||||||||
| Allowed Values |
| ||||||||||
| Default | info |
MOBILE_PUSH_NOTIFIER_API_TOKEN
The API token for the mobile push notifier service.
| Type | string |
| Format | Authentication Key |
| Required | Optional |
| Default | null |
Examples
MOBILE_PUSH_NOTIFIER_API_TOKEN=api-key
MOBILE_PUSH_NOTIFIER_HOST
The host for the mobile push notifier service.
| Type | string | ||||
| Format | URL | ||||
| Required | Optional | ||||
| Allowed Values |
| ||||
| Default | null |
Examples
MOBILE_PUSH_NOTIFIER_HOST=https://spb8yl7d3j.execute-api.us-west-2.amazonaws.com
MULTIPLAYER_SERVER_PORT
The port on which to run the multiplayer server. Configure to match your proxy settings.
| Type | string |
| Required | Optional |
| Default | null |
Examples
MULTIPLAYER_SERVER_PORT=3009
NO_PROXY
A comma-separated list of hosts that should not be proxied.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
NO_PROXY=localhost,*.service.company
NODE_ENV
The Node.js environment. Should always be set to production.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
NODE_ENV=production
NODE_OPTIONS
Used to specify the maximum heap size for the JavaScript v8 engine.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | --max-old-space-size=1024 |
Examples
NODE_OPTIONS=--max-old-space-size=1024
NODE_TLS_REJECT_UNAUTHORIZED
Whether to reject unauthorized TLS certificates. This setting is insecure and not recommended for production instances
| Type | boolean |
| Format | True/False |
| Required | Optional |
| Default | false |
Examples
NODE_TLS_REJECT_UNAUTHORIZED=false
NUM_WORKERS
The number of worker threads for the api container. The default value is Math.min(Math.max(1, numCPUs), 3), where numCPUs is the number of logical CPU cores on the machine determined by Node.js.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
NUM_WORKERS=4
POSTGRES_CUSTOM_SSL_CA_FILE_NAME
The custom SSL CA file name for the PostgreSQL connection. This is required when configuring Google Cloud SQL as the database to use instead of Retool's PostgreSQL database.
| Type | string |
| Format | Plain Text |
| Required | Required |
| Default | null |
Examples
POSTGRES_CUSTOM_SSL_CA_FILE_NAME=ca.pem
POSTGRES_CUSTOM_SSL_CERT_PATH��
The custom SSL certificate path for the PostgreSQL connection. This is required when configuring Google Cloud SQL as the database to use instead of Retool's PostgreSQL database.
| Type | string |
| Format | File Path |
| Required | Optional |
| Default | null |
Examples
POSTGRES_CUSTOM_SSL_CERT_PATH=/path/to/cert
POSTGRES_CUSTOM_SSL_KEY_FILE_NAME
The custom SSL key file name for the PostgreSQL connection. This is required when configuring Google Cloud SQL as the database to use instead of Retool's PostgreSQL database.
| Type | string |
| Format | File Name |
| Required | Optional |
| Default | null |
Examples
POSTGRES_CUSTOM_SSL_KEY_FILE_NAME=client-key.pem
POSTGRES_SSL_ENABLED
Whether to enable SSL for the PostgreSQL connection.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
POSTGRES_SSL_ENABLED=true
POSTGRES_SSL_REJECT_UNAUTHORIZED
Whether to reject unauthorized SSL certificates for the PostgreSQL connection if POSTGRES_SSL_ENABLED is true.
| Type | boolean |
| Required | Optional |
| Default | true |
Examples
POSTGRES_SSL_REJECT_UNAUTHORIZED=true
PRESERVE_PASSWORDS_FIRST_GOOGLE_LOGIN
Prevent Retool from resetting your password when logging in with Google for the first time.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
PRESERVE_PASSWORDS_FIRST_GOOGLE_LOGIN=true
PROXY_CONNECT_TIMEOUT
The proxy connect timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
PROXY_CONNECT_TIMEOUT=1000
PROXY_READ_TIMEOUT
The proxy read timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
PROXY_READ_TIMEOUT=1000
PROXY_SEND_TIMEOUT
The proxy send timeout for queries, in seconds. Queries that exceed this limit results in a 514 HTTP error.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
PROXY_SEND_TIMEOUT=1000
REDIS_DB
The database number for read and write operations, between 0 and 15.
| Type | number |
| Required | Optional |
| Default | 0 |
Examples
REDIS_DB=0
REDIS_HOST
The hostname of the Redis reader endpoint that connects the Redis instance as a caching layer.
| Type | string |
| Format | Hostname |
| Required | Optional |
| Default | null |
Examples
REDIS_HOST=redis-retool
REDIS_PASSWORD
The password for the Redis instance.
| Type | string |
| Format | Password |
| Required | Optional |
| Default | null |
Examples
REDIS_PASSWORD=password
REDIS_PORT
The port number of the Redis reader endpoint that connects the Redis instance as a caching layer.
| Type | number |
| Required | Optional |
| Default | 6379 |
Examples
REDIS_PORT=6379
Examples
REDIS_TLS=true
RESOURCE_TYPES_CREATION_DENY_LIST
A comma-separated list of resource types to restrict users from creating. Use RESOURCE_TYPES_DENY_LIST to restrict both creating and using resources of specific types.
| Type | string |
| Required | Optional |
| Default | null |
Examples
RESOURCE_TYPES_CREATION_DENY_LIST=mongodb,rest-api
RESOURCE_TYPES_DENY_LIST
A comma-separated list of resource types to restrict users from both creating and using. Any existing resources of these types will not be accessible while this restriction is in place. Use RESOURCE_TYPES_CREATION_DENY_LIST to restrict only the creation of resources of specific types.
| Type | string |
| Required | Optional |
| Default | null |
Examples
RESOURCE_TYPES_DENY_LIST=mongodb,rest-api
RESTRICTED_DOMAIN
Restrict users from logging in unless they use SSO for the specified domain. Specify comma-separated values for multiple domains.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
RESTRICTED_DOMAIN=example.com,example.org
RETOOL_CLIENT_MAX_BODY_SIZE
The maximum body size, in megabytes, for Retool client requests. Any uploads that exceed this limit, or if this limit is set to 0, result in a 413 HTTP error.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | 100mb |
Examples
RETOOL_CLIENT_MAX_BODY_SIZE=20mb
RETOOL_ENVIRONMENT
The environment for SCIM provisioning and Source Control alerts.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | production |
Examples
RETOOL_ENVIRONMENT=production
RETOOL_EXPOSED_{NAME}
Use the RETOOL_EXPOSED_ prefix to store secrets that you can use when configuring resources. Only underscores and alphanumeric characters are supported.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
RETOOL_EXPOSED_{NAME}=RETOOL_EXPOSED_DB_USERNAME=db_user
RTEL_SEND_TO_RETOOL_INPUT_ALLOWLIST
A comma-separated list of telemetry data types sent to Retool.
| Type | string | ||||||||
| Required | Optional | ||||||||
| Allowed Values |
| ||||||||
| Default | container_logs,metrics,otlp_traces |
Examples
RTEL_SEND_TO_RETOOL_INPUT_ALLOWLIST=container_logs,metrics,otlp_traces
SAML_FIRST_NAME_ATTRIBUTE
The first name attribute in the SAML response.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | firstName |
Examples
SAML_FIRST_NAME_ATTRIBUTE=nameFirst
SAML_GROUPS_ATTRIBUTE
The groups attribute in the SAML response.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | groups |
Examples
SAML_GROUPS_ATTRIBUTE=userGroups
SAML_IDP_METADATA
An XML document that contains information necessary for configuring SAML-enabled identity or service providers.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
SAML_IDP_METADATA=<md:EntityDescriptor xmlns:md="urn:desert:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/your_entity_id"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:desert:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>your_certificate</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:desert:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:desert:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example-98123.okta.com/app/company/jfdu90324f/sso/saml"/><md:SingleSignOnService Binding="urn:desert:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-98123.okta.com/app/company/your_entity_id/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>"
SAML_LAST_NAME_ATTRIBUTE
The last name attribute in the SAML response.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | lastName |
Examples
SAML_LAST_NAME_ATTRIBUTE=nameLast
SAML_SYNC_GROUP_CLAIMS
Sync Retool group memberships using the retool- prefix with the groups listed in SAML_GROUPS_ATTRIBUTE. The prefix is not shown in the Retool interface.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
SAML_SYNC_GROUP_CLAIMS=true
Examples
SANDBOX_DOMAIN=https://not-your-primary-domain.com
SANDBOX_MAX_FILE_DESCRIPTORS
The maximum number of file descriptors within a single sandbox.
| Type | number |
| Required | Optional |
| Default | 256 |
Examples
SANDBOX_MAX_FILE_DESCRIPTORS=256
SANDBOX_MOUNT_DIR
Used to configure where files will be mounted into the sandbox.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | /tmp |
Examples
SANDBOX_MOUNT_DIR=/tmp
SCIM_AUTH_TOKEN
A secret token shared with your SSO provider to provision user accounts. If you use Spaces, this token only applies to the admin Space.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
SCIM_AUTH_TOKEN=api-key
SCIM_LOG_FULL_REQUESTS
Log SCIM requests to the Retool API container logs.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
SCIM_LOG_FULL_REQUESTS=true
SENDING_INVITES_WITH_EMAIL_DISABLED
Allow user invites without pinging Retool's user invitation server. You must enable this if you have an airgapped deployment.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
SENDING_INVITES_WITH_EMAIL_DISABLED=true
SERVICE_TYPE
Comma-separated list of Retool services to run within a container. If unset, all services run in the same container.
| Type | string |
| Required | Optional |
| Default | null |
Examples
SERVICE_TYPE=MAIN_BACKEND,JOBS_RUNNER
SERVICE_TYPE=MULTIPLAYER
SESSION_DURATION_MINUTES
Set a custom session duration, in minutes. The default value is either 720 (12 hours) or 10080 (1 week), depending on whether USE_SHORT_SESSIONS is set to true.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 0 |
Examples
SESSION_DURATION_MINUTES=60
TEMPORAL_TASKQUEUE_WORKFLOW
The task queue for the Temporal Cluster. Used by clients connecting to Temporal for all Retool Workflow-related requests (enqueue, query, etc.). This value should match WORKER_TEMPORAL_TASKQUEUE.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | workflows |
Examples
TEMPORAL_TASKQUEUE_WORKFLOW=workflows
TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY
Automatically start the Oauth 2 SSO login flow when users navigate to your Retool instance. Use either TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY or TRIGGER_SAML_LOGIN_AUTOMATICALLY, you cannot enable both.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY=true
TRIGGER_SAML_LOGIN_AUTOMATICALLY
Automatically start the SAML SSO login flow when users navigate to your Retool instance. Use either TRIGGER_SAML_LOGIN_AUTOMATICALLY or TRIGGER_OAUTH_2_SSO_LOGIN_AUTOMATICALLY, you cannot enable both.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
TRIGGER_SAML_LOGIN_AUTOMATICALLY=true
USAGE_API_TOKEN
The access token to enable Usage Analytics. Please reach out to your Retool account manager to obtain this token.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
USAGE_API_TOKEN=accessToken
USE_GCM_ENCRYPTION
Whether to use AES-192-GCM authenticated encryption method instead of AES-192-CBC. If set to true, you must also set ENCRYPTION_KEY.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
USE_GCM_ENCRYPTION=true
USE_SHORT_SESSIONS
Restrict session length to 12 hours. If unset, session length is one week.
| Type | boolean |
| Required | Optional |
| Default | null |
Examples
USE_SHORT_SESSIONS=true
VERSION_CONTROL_LOCKED
Whether to enable version control and create a read-only Retool instance. If enabled, users cannot create, edit, or protect all elements (apps, workflows, resources, etc). Users with edit or own permissions are still permitted to create new releases. Admins can still delete unprotected elements.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
VERSION_CONTROL_LOCKED=true
WORKER_TEMPORAL_TASKQUEUE
The task queue for the Temporal worker. Used by workers connecting to Temporal for all Retool Workflow-related requests (enqueue, query, etc.). This value should match TEMPORAL_TASKQUEUE_WORKFLOW.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | workflows |
Examples
WORKER_TEMPORAL_TASKQUEUE=workflows
WORKFLOW_BACKEND_HOST
The hostname for all Retool Workflow-related backend requests, such as querying resources, updating workflow status, and storing block results and logs. The value depends on your deployment configuration, but must include a protocol (http:// or https://).
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_BACKEND_HOST=http://workflow-backend
WORKFLOW_CPU_LIMIT
The maximum number of CPUs a workflow can use when running. Requires WORKFLOW_MONITOR_PROCESS_ENABLED to be true.
| Type | number |
| Required | Optional |
| Default | 1 |
Examples
WORKFLOW_CPU_LIMIT=1
WORKFLOW_MEMORY_LIMIT_MBS
The maximum amount of memory, in megabytes, a workflow can use when running. Requires WORKFLOW_MONITOR_PROCESS_ENABLED to be true.
| Type | number |
| Format | Integer |
| Required | Optional |
| Default | 2147 |
| Units | MiB |
Examples
WORKFLOW_MEMORY_LIMIT_MBS=2147
WORKFLOW_MONITOR_PROCESS_ENABLED
Whether to limit the memory and CPUs available to a workflow while running. If enabled, WORKFLOW_MEMORY_LIMIT_MIBS and WORKFLOW_CPU_LIMIT can be set.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
WORKFLOW_MONITOR_PROCESS_ENABLED=true
WORKFLOW_TEMPORAL_ACTIVITY_TASK_POLLERS
The number of Temporal activity task pollers that concurrently run.
| Type | number |
| Required | Optional |
| Default | 2 |
Examples
WORKFLOW_TEMPORAL_ACTIVITY_TASK_POLLERS=2
WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST
The hostname for the Temporal Cluster. If you're using Temporal Cloud, your host may end with .tmprl.cloud. This environment variable does not need to be set if using Retool-managed Temporal Cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_HOST=org.example.tmprl.cloud
WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT
The port for the Temporal Cluster.
| Type | number |
| Required | Optional |
| Default | 7233 |
Examples
WORKFLOW_TEMPORAL_CLUSTER_FRONTEND_PORT=7233
WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE
The namespace for the Temporal Cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | workflows |
Examples
WORKFLOW_TEMPORAL_CLUSTER_NAMESPACE=workflows
WORKFLOW_TEMPORAL_CONCURRENT_ACTIVITIES_LIMIT
The maximum number of concurrent activities that can be executed by a single workflow. Refer to the Temporal documentation for more information.
| Type | number |
| Required | Optional |
| Default | 10 |
Examples
WORKFLOW_TEMPORAL_CONCURRENT_ACTIVITIES_LIMIT=10
WORKFLOW_TEMPORAL_CONCURRENT_TASKS_LIMIT
The maximum number of concurrent tasks that can be executed by a single workflow. Refer to the Temporal documentation for more information.
| Type | number |
| Required | Optional |
| Default | 10 |
Examples
WORKFLOW_TEMPORAL_CONCURRENT_TASKS_LIMIT=10
WORKFLOW_TEMPORAL_OPENTELEMETRY_COLLECTOR
The OpenTelemetry collector endpoint for Temporal Worker metrics.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_TEMPORAL_OPENTELEMETRY_COLLECTOR=http://open-telemetry-collector-opentelemetry-collector:4318
WORKFLOW_TEMPORAL_SERVER_NAME_OVERRIDE
The server name override for the Temporal Cluster. This overrides the target name (SNI) used for TLS host name checking. It can be useful if you have reverse proxy in front of Temporal server and you need to override the SNI to direct traffic to the appropriate backend server based on custom routing rules. Connections can be refused if the provided SNI does not match the expected host. Adding this override should be done with care. This does not need to be set if using Retool-managed Temporal Cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_TEMPORAL_SERVER_NAME_OVERRIDE=other.domain.tmprl.cld
WORKFLOW_TEMPORAL_SERVER_ROOT_CA_CRT
Base64 encoded PEM certificate for the root CA of the Temporal Cluster. This does not need to be set if using Retool-managed Temporal Cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_TEMPORAL_SERVER_ROOT_CA_CRT=UXVpcyBjb21tb2RvIGV4ZXJjaXRhd
WORKFLOW_TEMPORAL_STICKY_CACHE_SIZE
The size of the Temporal sticky queue cache.
| Type | number |
| Required | Optional |
| Default | 200 |
Examples
WORKFLOW_TEMPORAL_STICKY_CACHE_SIZE=100
WORKFLOW_TEMPORAL_TLS_CRT
Base64 encoded certificate for TLS client certification pair. See Temporal documentation for more details. This does not need to be set if using Retool-managed Temporal Cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_TEMPORAL_TLS_CRT=UXVpcyBjb21tb2RvIGV4ZXJjaXRhd
WORKFLOW_TEMPORAL_TLS_ENABLED
Whether to enable TLS for the Temporal Cluster. You can set this to true if you use your own Temporal Cloud. This does not need to be set if using Retool-managed Temporal Cluster.
| Type | boolean |
| Required | Optional |
| Default | false |
Examples
WORKFLOW_TEMPORAL_TLS_ENABLED=true
WORKFLOW_TEMPORAL_TLS_KEY
Base64 encoded private key for TLS client certification pair. This does not need to be set if using Retool-managed Temporal Cluster.
| Type | string |
| Format | Plain Text |
| Required | Optional |
| Default | null |
Examples
WORKFLOW_TEMPORAL_TLS_KEY=c2VjcmV0X2tleQ==
WORKFLOW_TEMPORAL_WORKER_SHUTDOWN_GRACE_TIME
The timeout, in minutes, to wait for pending workflows to complete before the Temporal worker gracefully shuts down. If the worker does not shut down within this time, it is forcefully terminated.
| Type | number |
| Required | Optional |
| Default | 15 |
Examples
WORKFLOW_TEMPORAL_WORKER_SHUTDOWN_GRACE_TIME=15
WORKFLOW_TEMPORAL_WORKFLOW_TASK_POLLERS
The number of Temporal workflow task pollers that concurrently run.
| Type | number |
| Required | Optional |
| Default | 10 |
Examples
WORKFLOW_TEMPORAL_WORKFLOW_TASK_POLLERS=10
WORKFLOW_WORKER_HEALTHCHECK_PORT
The port for the /api/checkHealth health check endpoint for the Temporal worker.
| Type | number |
| Required | Optional |
| Default | 3005 |
Examples
WORKFLOW_WORKER_HEALTHCHECK_PORT=3005