# Environment Variables
All configuration is passed to Kotauth via environment variables. Variables marked Required cause a fatal startup error if missing. Variables marked Recommended degrade functionality if absent but do not block startup.
## KAUTH_BASE_URL

**Required.**
The public base URL of the Kotauth instance. It is used as the OIDC issuer (the `iss` claim), in OIDC discovery documents, for OAuth2 redirect URI validation, and in email links.

```bash
KAUTH_BASE_URL=https://auth.yourdomain.com
```

Rules:
- Must start with `https://` when `KAUTH_ENV=production`. The server refuses to start otherwise.
- HTTP is allowed for `localhost` in development mode.
- No trailing slash.
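The three rules above, applied as a pre-flight check. This is an added example, not Kotauth's own startup validation; the function names, the error wording, and the decision to reject an unknown `KAUTH_ENV` value are assumptions.

```python
import os
from typing import Dict, List
from urllib.parse import urlsplit

# Illustrative pre-flight check for the documented KAUTH_BASE_URL rules:
# https in production, http only for localhost in development, no trailing
# slash. Not Kotauth's code; names and messages are assumptions.


def validate_base_url(base_url: str, env: str = "development") -> List[str]:
    """Return the startup errors for a KAUTH_BASE_URL value (empty list = OK)."""
    errors: List[str] = []
    if not base_url:
        return ["KAUTH_BASE_URL is required"]
    # Assumption: anything other than the two documented modes is an error.
    if env not in ("development", "production"):
        errors.append(f"KAUTH_ENV must be development or production, got {env!r}")

    parts = urlsplit(base_url)
    if parts.scheme == "https":
        pass  # always acceptable
    elif parts.scheme == "http":
        if env == "production":
            errors.append("KAUTH_ENV=production requires an https:// KAUTH_BASE_URL")
        elif parts.hostname != "localhost":
            errors.append("http:// is only allowed for localhost in development mode")
    else:
        errors.append(f"unsupported scheme {parts.scheme!r} in KAUTH_BASE_URL")

    if not parts.hostname:
        errors.append("KAUTH_BASE_URL has no host")
    if base_url.endswith("/"):
        errors.append("KAUTH_BASE_URL must not end with a trailing slash")
    return errors


def check_environment(env_map: Dict[str, str]) -> List[str]:
    """Apply the rules to a mapping such as os.environ (KAUTH_ENV defaults to development)."""
    return validate_base_url(
        env_map.get("KAUTH_BASE_URL", ""),
        env_map.get("KAUTH_ENV", "development"),
    )


if __name__ == "__main__":
    problems = check_environment(dict(os.environ))
    for problem in problems:
        print("startup error:", problem)
    raise SystemExit(1 if problems else 0)
```

Run it in the same shell session that exports the variables; a non-zero exit mirrors the fatal startup error the server would raise.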
## KAUTH_ENV

Optional. Default: `development`
Controls startup validation strictness.
| Value | Behavior |
|---|---|
| `development` | HTTP allowed, default secrets tolerated, startup warnings printed |
| `production` | HTTPS required, default JWT secret rejected, strict cookie flags enforced |
```bash
KAUTH_ENV=production
```

## KAUTH_SECRET_KEY

**Recommended.**
A 32+ character hex string used for AES-256-GCM encryption of SMTP passwords stored in the database and HMAC-SHA256 signing of short-lived cookies (MFA pending, PKCE verifier, portal session).
```bash
KAUTH_SECRET_KEY=a2c35a1bfe82492eb087c5a29b28fc2b1fc2505da2a6f5dd37201c2bf4df39b3
```

Generate one with:

```bash
openssl rand -hex 32
```
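What the HMAC-SHA256 half of that key does, as an added example rather than Kotauth's own cookie code: a short-lived cookie is signed with the decoded secret, bound to its purpose (so a value minted for the MFA-pending step cannot be replayed as a PKCE or portal cookie), and rejected once its TTL has elapsed. The `purpose.payload.expires.mac` layout, the hex-to-bytes decoding, and the sample secret are assumptions; the secret shown is a constructed value in the shape `openssl rand -hex 32` produces.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample in the shape `openssl rand -hex 32` emits (64 hex chars = 32 bytes).
SAMPLE_SECRET_HEX = "a2c35a1bfe82492eb087c5a29b28fc2b1fc2505da2a6f5dd37201c2bf4df39b3"


def load_key(secret_hex: str) -> bytes:
    """Decode KAUTH_SECRET_KEY from hex and reject anything under 32 bytes.
    Assumption: the hex string is decoded to raw bytes before use as the HMAC key."""
    key = bytes.fromhex(secret_hex)  # ValueError on non-hex or odd-length input
    if len(key) < 32:
        raise ValueError("secret key must decode to at least 32 bytes")
    return key


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding: never contains '.', so the cookie splits cleanly.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(key: bytes, purpose: str, payload: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Produce `purpose.payload_b64.expires.mac` (purpose must not contain '.').
    The purpose and expiry are inside the MAC, so neither can be altered or swapped."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    body = f"{purpose}.{_b64(payload.encode())}.{expires}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(key: bytes, purpose: str, cookie: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the payload when the MAC checks out (constant-time), the purpose
    matches and the TTL has not elapsed; otherwise None."""
    parts = cookie.split(".")
    if len(parts) != 4:
        return None
    got_purpose, payload_b64, expires_str, mac = parts
    body = ".".join(parts[:3])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None  # tampered or signed with a different key
    if got_purpose != purpose or not expires_str.isdigit():
        return None  # cookie minted for another flow
    current = time.time() if now is None else now
    if current >= int(expires_str):
        return None  # expired
    try:
        return _unb64(payload_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return None
```

Because the MAC depends on the raw key bytes, rotating `KAUTH_SECRET_KEY` invalidates every outstanding short-lived cookie at once, which is the intended effect for MFA-pending and PKCE state.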
## Database

### DB_URL

**Required.**
PostgreSQL JDBC connection URL.
```bash
DB_URL=jdbc:postgresql://db:5432/kotauth_db
```

Kotauth runs Flyway migrations on startup. The database and schema are created automatically — only the server, database name, and credentials need to exist beforehand.

### DB_USER

**Required.**
```bash
DB_USER=postgres
```

### DB_PASSWORD

**Required.**

```bash
DB_PASSWORD=changeme
```

## Per-tenant settings

These are not environment variables — they are configured per workspace through the admin console. They are documented here for reference.
### Token lifetimes

| Setting | Default | Notes |
|---|---|---|
| Access token TTL | 300s (5 min) | Configurable per application |
| Refresh token TTL | 86400s (24h) | Workspace-wide |
| Email verification token | 24h | Fixed |
| Password reset token | 1h | Fixed |
### Password policy

- Minimum length (default: 8)
- Require uppercase / lowercase / numbers / symbols
- Maximum age in days (0 = no expiry)
- Password history depth (0 = no history check)
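The four knobs above, enforced in one place. This is an added example and not Kotauth's implementation: the default state of the character-class toggles, the PBKDF2-HMAC-SHA256 hashing used to keep the history comparable without storing plaintext, and the function names are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Illustrative enforcement of the per-workspace password policy. The toggle
# defaults and the PBKDF2 history hashing are assumptions, not Kotauth's scheme.

PBKDF2_ROUNDS = 100_000


@dataclass
class PasswordPolicy:
    min_length: int = 8          # documented default
    require_upper: bool = True   # assumed defaults for the four character-class toggles
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = False
    max_age_days: int = 0        # 0 = no expiry
    history_depth: int = 0       # 0 = no history check


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def validate_new_password(policy: PasswordPolicy, candidate: str,
                          history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return policy violations for a proposed password; an empty list means accepted.
    `history` is oldest-first; only the last `history_depth` entries are consulted."""
    errors: List[str] = []
    if len(candidate) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        errors.append("missing an uppercase letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        errors.append("missing a lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        errors.append("missing a digit")
    if policy.require_symbol and not any(not c.isalnum() for c in candidate):
        errors.append("missing a symbol")
    if policy.history_depth > 0:
        recent = list(history)[-policy.history_depth:]
        if any(password_matches(candidate, salt, digest) for salt, digest in recent):
            errors.append(f"reuses one of the last {policy.history_depth} passwords")
    return errors


def password_expired(policy: PasswordPolicy, age_days: int) -> bool:
    """True when max_age_days is set and the current password is at least that old."""
    return policy.max_age_days > 0 and age_days >= policy.max_age_days
```

Keeping `history_depth` and `max_age_days` as `0` reproduces the documented "no history check" and "no expiry" behaviour, so the defaults are a faithful starting point for a new workspace.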
### MFA policy

| Value | Behavior |
|---|---|
| `optional` | Users can enroll but are not required to |
| `required` | All users must complete MFA before accessing the portal |
| `required_for_admins` | Only users with the admin role are required to enroll |
### SMTP settings

- Host, port, username, password (AES-256-GCM encrypted at rest)
- From address and display name
- TLS mode: `NONE`, `STARTTLS`, or `SSL`
## Example configurations

### Local development

```bash
KAUTH_BASE_URL=http://localhost:8080
KAUTH_SECRET_KEY=a2c35a1bfe82492eb087c5a29b28fc2b1fc2505da2a6f5dd37201c2bf4df39b3
# DB is injected by docker-compose — no need to set here
```

### Production

```bash
KAUTH_BASE_URL=https://auth.yourdomain.com
KAUTH_ENV=production
KAUTH_SECRET_KEY=<openssl rand -hex 32>
DB_URL=jdbc:postgresql://your-db-host:5432/kotauth_db
DB_USER=kotauth
DB_PASSWORD=<strong password>
```