Skip to main content

Environment Variables

GenKitKraft is configured entirely through environment variables. No config files needed.

Reference Table

VariableDescriptionDefaultRequired
PORTHTTP server port8080No
DATABASE_PROVIDERDatabase engine: sqlite, postgres, mysql, mariadbsqliteNo
DATABASE_PATHPath to SQLite database file/data/app.dbNo
DATABASE_URLConnection URL/DSN for non-SQLite providersWhen DATABASE_PROVIDERsqlite
ENCRYPTION_KEYSecret key for encrypting provider API keys at restYes
AUTH_CREDENTIALSComma-separated username:password pairs(unset — auth disabled)No
PUBLIC_API_KEYComma-separated API keys for deploy endpoints(unset — deploy is public)No

PORT

The port the HTTP server listens on. Both the API and the embedded UI are served on this port.

DATABASE_PROVIDER

Selects the database engine. Defaults to sqlite.

ValueEngineUse case
sqliteSQLite (default)Single-node, zero-config
postgresPostgreSQL 14+Multi-instance, recommended for production
mysqlMySQL 8.0+Multi-instance
mariadbMariaDB 10.6+Multi-instance

Database migrations run automatically on startup. If a migration fails, the server will not start.

SQLite is write-serialised (MaxOpenConns=1) and unsuitable for multiple instances sharing storage. Switch to postgres, mysql, or mariadb for horizontal scaling.

DATABASE_URL

Connection string for non-SQLite providers. Required when DATABASE_PROVIDER is anything other than sqlite — the server will refuse to start if it is missing.

PostgreSQL

DATABASE_URL=postgres://user:password@host:5432/dbname?sslmode=require

For local or internal networks without TLS:

DATABASE_URL=postgres://user:password@host:5432/dbname?sslmode=disable

MySQL

# parseTime=true is required for correct timestamp handling
DATABASE_URL=user:password@tcp(host:3306)/dbname?parseTime=true

MariaDB

DATABASE_URL=user:password@tcp(host:3306)/dbname?parseTime=true

Non-SQLite providers use a connection pool (25 max open, 5 max idle). Size this according to your database server's max_connections limit.

DATABASE_PATH

File path for the SQLite database. Only used when DATABASE_PROVIDER=sqlite (the default).

When running in Docker, mount this path on a persistent volume to prevent data loss on container recreation:

environment:
- DATABASE_PATH=/data/app.db
volumes:
- genkitkraft-data:/data

ENCRYPTION_KEY

A secret string used to encrypt LLM provider API keys before storing them in the database. The server will refuse to start if this variable is not set.

Tips:

  • Generate a strong key: openssl rand -base64 32
  • Keep it safe — if lost, existing provider configurations become unreadable
  • Changing this key requires re-creating all provider configurations

AUTH_CREDENTIALS

Controls login-based authentication. Format: username:password pairs separated by commas.

AUTH_CREDENTIALS=admin:changeme,readonly:viewer123
  • When set: all UI and API access requires authentication
  • When unset: authentication is disabled entirely
  • Also controls authentication for the MCP endpoint — when set, the MCP server requires HTTP Basic Auth with the same credentials
  • See Authentication for more details

PUBLIC_API_KEY

Controls API key authentication for the Deploy API endpoints (both stateless and stateful sessions). Format: one or more keys separated by commas.

PUBLIC_API_KEY=sk-my-secret-key
# Or multiple keys:
PUBLIC_API_KEY=sk-key-one,sk-key-two
  • When set: deploy requests must include Authorization: Bearer <key>
  • When unset: all deploy endpoints are publicly accessible (no authentication required)
  • This is separate from AUTH_CREDENTIALS — deploy API keys are for external integrations, while auth credentials protect the management UI