Configuration
Environment variables and secrets for self-hosted SlugBase: database, server URLs, security, registrations, and API docs.
What you need
- A way to set environment variables for the process, typically a .env file, a Docker Compose env_file, or your server/orchestrator's secrets manager.
- Strong random values for secrets (the server checks minimum lengths at startup and refuses to start if they are missing or too short).
For a quick start, copy .env.example from the repository to .env and fill in the required secrets before your first run.
Security and session variables
These are validated before the server starts listening for connections:
| Variable | Requirement |
|---|---|
| JWT_SECRET | Required. At least 32 characters and not the documented default placeholder string. |
| ENCRYPTION_KEY | Required. At least 32 characters. |
| SESSION_SECRET | In NODE_ENV=production, required with length at least 32. (In development, missing values may warn.) |
Generate values with Node, for example:
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
Run twice for separate JWT_SECRET and ENCRYPTION_KEY values.
Server and URLs
| Variable | Role |
|---|---|
| PORT | HTTP listen port (default 5000). |
| NODE_ENV | development or production. Production enables stricter session handling and static SPA serving. |
| BASE_URL | Public base URL of the app (used for redirects and cookie security logic). Default in code: http://localhost:5000. Set to your real HTTPS URL in production. |
| FRONTEND_URL | Origin allowed for CORS and related checks. Default: http://localhost:3000. For the bundled self-hosted UI on the same origin, set this to the same public URL as BASE_URL. |
| CORS_EXTRA_ORIGINS | Comma-separated extra allowed origins when needed. |
Session cookies use secure: true when NODE_ENV=production and BASE_URL starts with https://, so HTTPS deployments should set BASE_URL to an https:// URL.
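The startup rules for the secrets and the cookie rule above can be checked before deployment. The following preflight check is an added example, not SlugBase's own validation code; the function name `checkSlugbaseEnv` and the `JWT_PLACEHOLDER` value are assumptions (take the real default from .env.example), and the same-origin and distinct-secret checks go beyond what the server is documented to enforce.

```javascript
// Added example: preflight check for the rules documented on this page.
// JWT_PLACEHOLDER is a stand-in (assumption); use the default from .env.example.
const JWT_PLACEHOLDER = '<default JWT_SECRET from .env.example>';
const MIN_LEN = 32;

// Returns the origin of a URL string, or null when it does not parse.
function originOf(value) {
  try { return new URL(value).origin; } catch { return null; }
}

function checkSlugbaseEnv(env, placeholder = JWT_PLACEHOLDER) {
  const findings = [];
  const production = env.NODE_ENV === 'production';
  const tooShort = (name) => (env[name] || '').length < MIN_LEN;

  for (const name of ['JWT_SECRET', 'ENCRYPTION_KEY']) {
    if (tooShort(name)) findings.push(`${name}: missing or shorter than ${MIN_LEN} characters`);
  }
  if (env.JWT_SECRET && env.JWT_SECRET === placeholder) {
    findings.push('JWT_SECRET: still the default placeholder');
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.ENCRYPTION_KEY) {
    findings.push('ENCRYPTION_KEY: identical to JWT_SECRET, generate it separately');
  }
  if (production && tooShort('SESSION_SECRET')) {
    findings.push(`SESSION_SECRET: required in production, at least ${MIN_LEN} characters`);
  }
  // Defaults below are the ones this page lists.
  const baseUrl = env.BASE_URL || 'http://localhost:5000';
  const frontendUrl = env.FRONTEND_URL || 'http://localhost:3000';
  if (production && !baseUrl.startsWith('https://')) {
    findings.push('BASE_URL: not https://, so session cookies are not marked secure');
  }
  // Assumes the bundled same-origin UI; skip this check for a separate frontend.
  if (production && originOf(baseUrl) !== originOf(frontendUrl)) {
    findings.push('FRONTEND_URL: origin differs from BASE_URL');
  }
  return findings;
}

// Constructed sample: production deployment that forgot BASE_URL/FRONTEND_URL.
const sampleEnv = {
  NODE_ENV: 'production',
  JWT_SECRET: 'a'.repeat(64),
  ENCRYPTION_KEY: 'b'.repeat(64),
  SESSION_SECRET: 'c'.repeat(64),
};
console.log(checkSlugbaseEnv(sampleEnv));
```

To check a real deployment, call `checkSlugbaseEnv(process.env)` in the same environment the server will run in and treat a non-empty result as a failed preflight.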
Database
| Variable | When |
|---|---|
| DB_TYPE | sqlite (default) or postgresql. |
| DB_PATH | SQLite file path (Dockerfile default /app/data/slugbase.db). |
| DATABASE_URL | PostgreSQL connection string (alternative to discrete fields). |
| DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASSWORD | Used when DB_TYPE=postgresql and DATABASE_URL is not set. |
The application runs migrations automatically on startup.
Registrations
| Variable | Role |
|---|---|
| REGISTRATIONS_ENABLED | Set to false to disable new user sign-ups. Leave unset (or set to anything else) to keep registration open (default). |
SMTP is configured inside the app under Admin → Settings, not via environment variables. See Admin: SMTP email.
AI suggestions
AI suggestions are configured inside the app under Admin → AI Suggestions. See Admin: AI suggestions.
API documentation
| Variable | Effect |
|---|---|
| SLUGBASE_API_DOCS | Set to false to hide the Swagger UI at /api-docs. |
Troubleshooting
Ensure each variable is set, non-default, and at least 32 characters. Restart after changing .env.
Align BASE_URL and FRONTEND_URL with the scheme and host users actually use. Behind TLS termination, those should reflect the public https:// origin.
Add your UI origin to FRONTEND_URL or CORS_EXTRA_ORIGINS. For a single-container self-hosted build, same-origin deployment avoids CORS entirely.
Last updated 1 week ago