# Jackson settings
# Change this to your deployment public URL
EXTERNAL_URL=http://localhost:5225
SAML_AUDIENCE=https://saml.boxyhq.com
JACKSON_API_KEYS="secret"
ADMIN_PORTAL_SSO_TENANT="_jackson_boxyhq"
ADMIN_PORTAL_SSO_PRODUCT="_jackson_admin_portal"
IDP_ENABLED=
PRE_LOADED_CONNECTION=
CLIENT_SECRET_VERIFIER=

# Database settings
DB_ENGINE=sql
DB_URL=postgres://postgres:postgres@localhost:5432/postgres
DB_TYPE=postgres
DB_TTL=300
DB_CLEANUP_LIMIT=1000
DB_PAGE_LIMIT=50
# You can use openssl to generate a random 32 character key: openssl rand -base64 24
DB_ENCRYPTION_KEY=
# Uncomment below if you wish to run DB migrations manually.
#DB_MANUAL_MIGRATION=true

# Admin Portal settings
# SMTP details for Magic Links
SMTP_HOST=
SMTP_PORT=
SMTP_USER=
SMTP_PASSWORD=
SMTP_FROM=
# Access Control for Magic Links. Set this to a comma separated string of email addresses
# or glob patterns like: `tonystark@gmail.com,*@marvel.com`.
# Access will be denied to email addresses which don't match. If you don't specify any value access is denied to all.
NEXTAUTH_ACL=

# Change this to your deployment public URL (https://next-auth.js.org/configuration/options#nextauth_url)
NEXTAUTH_URL=http://localhost:5225
# Change this to a real secret when deploying to production
# You can use openssl to generate a secret key: openssl rand -base64 32
NEXTAUTH_SECRET=secret
# Admin credentials (In the format email:password. Comma separated values if you want multiple logins). Alternative to Magic Links.
NEXTAUTH_ADMIN_CREDENTIALS=

# Admin Portal for Retraced (Audit Logs)
RETRACED_HOST_URL=
RETRACED_EXTERNAL_URL=
RETRACED_ADMIN_ROOT_TOKEN=

# Admin Portal for Terminus (Privacy Vault)
TERMINUS_PROXY_HOST_URL=
TERMINUS_ADMIN_ROOT_TOKEN=

# OpenTelemetry
OTEL_EXPORTER_OTLP_METRICS_ENDPOINT=
OTEL_EXPORTER_OTLP_METRICS_HEADERS=
# If you want to use grpc
# OTEL_EXPORTER_OTLP_METRICS_PROTOCOL=grpc
# If you have any issues with using the otel exporter and want to enable debug logs
# OTEL_EXPORTER_DEBUG=true

# JWS Algorithm to be used for signing e.g., RS256
# https://github.com/panva/jose/issues/114#digital-signatures
OPENID_JWS_ALG=

# JWT signing keys 
# Generate keys: https://www.scottbrady91.com/openssl/creating-rsa-keys-using-openssl, 
# Load into env: https://developer.vonage.com/blog/20/07/29/using-private-keys-in-environment-variables
# openssl genrsa -out private-key.pem 3072
# convert to pkcs8 format: openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private_key.pem
# cat private_key.pem | base64
OPENID_RSA_PRIVATE_KEY=
# openssl rsa -in private_key.pem -pubout -out public_key.pem
# cat public_key.pem | base64
OPENID_RSA_PUBLIC_KEY= 

# You can use `openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365000 -nodes` to generate one
# Base64 encoded value of public key `cat public.crt | base64`
PUBLIC_KEY=

# Base64 encoded value of private key `cat key.pem | base64`
PRIVATE_KEY=

# To enable enterprise-only features, fill your license key in here.
BOXYHQ_LICENSE_KEY=

# To turn off our anonymous analytics uncomment the line below
#BOXYHQ_NO_ANALYTICS=1

# Set Webhook URL and secret to enable webhook notifications
WEBHOOK_URL=
WEBHOOK_SECRET=

# Directory sync webhook event batch size (Eg: 50)
DSYNC_WEBHOOK_BATCH_SIZE=
DSYNC_WEBHOOK_BATCH_CRON_INTERVAL=

# Google workspace directory sync
DSYNC_GOOGLE_CLIENT_ID=
DSYNC_GOOGLE_CLIENT_SECRET=
DSYNC_GOOGLE_CRON_INTERVAL=

# Only applicable for BoxyHQ SaaS deployments
BOXYHQ_HOSTED=0

# Setup link expiry in days
SETUP_LINK_EXPIRY_DAYS=3

# Ory integration. You need BOXYHQ_LICENSE_KEY to be set to use this.
ENTERPRISE_ORY_SDK_TOKEN=
ENTERPRISE_ORY_PROJECT_ID=

# Uncomment below if you wish to opt-out of sending `profile` scope in OIDC Provider Authorization Request
#OPENID_REQUEST_PROFILE_SCOPE=false