Environment Variables
Environment variables for the backend, frontend, and Celery workers. Local development is intentionally small: run ./rh dev init once from the repository root, then ./rh dev up to start Postgres and Redis on dev ports (11000 / 11001).
Note: These commands generate apps/backend/.env and apps/frontend/.env.local with a first line like # Generated by ./rh dev init. Do not commit real secrets.
Backend (apps/backend/.env)
Created by ./rh dev init
| Variable | Description |
|---|---|
| `QUICK_START` | Set to `true` for local quick-start behavior. **Do not enable in production.** |
| `DB_DRIVER` | Database driver (default: `postgresql`). |
| `DB_HOST` | Database host (e.g. `localhost`). Use a Unix socket path for Cloud SQL (e.g. `/cloudsql/project:region:instance`). |
| `DB_PORT` | Database port (default: `5432`). Set to `11000` when using `./rh dev up`. |
| `DB_NAME` | Database name. |
| `APP_DB_USER` | Runtime application database user (e.g. `rhesis-user`). |
| `APP_DB_PASS` | Runtime application database password. |
| `ADMIN_DB_USER` | (Optional) Migration / admin database user. Falls back to `APP_DB_USER` when unset. |
| `ADMIN_DB_PASS` | (Optional) Migration / admin database password. Required when `ADMIN_DB_USER` is set. |
| `DB_ENCRYPTION_KEY` | Fernet key for encrypted fields. **Keep secret.** Generate if not using init: `python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"`. |
| `BROKER_URL` | Celery broker Redis URL (dev: port `11001`). |
| `CELERY_RESULT_BACKEND` | Celery results store; use a different Redis DB index than `BROKER_URL` when both are Redis. |
| `ENVIRONMENT` | Environment name (e.g. `development`). |
| `BACKEND_ENV` | Backend environment label (e.g. `development`). |
| `LOG_LEVEL` | Log level (e.g. `DEBUG`). |
| `API_BASE_URL` | Public URL of this deployment's backend API (OAuth/SSO callbacks), e.g. `http://localhost:8080`. |
| `FRONTEND_URL` | Public frontend URL (CORS and redirects), e.g. `http://localhost:3000`. |
| `BACKEND_URL` | Backend URL as reachable by clients and tools, e.g. `http://localhost:8080`. |
| `JWT_SECRET_KEY` | Secret for signing JWTs. Change for any non-local deployment. |
| `JWT_ALGORITHM` | JWT algorithm (e.g. `HS256`). |
| `JWT_ACCESS_TOKEN_EXPIRE_MINUTES` | Access token lifetime in minutes (init uses a long window for local dev). |
Optional and production variables
These are not added by ./rh dev init but are commonly needed when you deploy, integrate OAuth, email, observability, or hosted models.
Rhesis API key (hosted models): If you keep default model settings that use Rhesis-hosted inference (`rhesis/rhesis-default` for generation, evaluation, or execution; `rhesis/rhesis-embedding` for embeddings), set `RHESIS_API_KEY` to a key from the Rhesis platform (https://app.rhesis.ai). Create or copy an API key from your account or organization settings and add it to the backend environment in production (or to your secret store). Set `RHESIS_BASE_URL` if the Rhesis platform API URL must differ from the default `https://api.rhesis.ai` (for example when using hosted models against the SaaS API while self-hosting the app).
| Variable | Required / default | Description |
|---|---|---|
| `RHESIS_API_KEY` | Optional locally; **required** when using `rhesis/rhesis-default` models | Authenticates calls to Rhesis-hosted models. Obtain from the Rhesis platform (API keys in the app). |
| `RHESIS_BASE_URL` | Default: `https://api.rhesis.ai` | Rhesis platform API URL for hosted-model calls only; not used for OAuth/SSO callbacks. |
| `SESSION_SECRET_KEY` | Required in production | Session middleware signing key. Local dev may use a fallback when running locally; production must set this. |
| `DEFAULT_GENERATION_MODEL`, `DEFAULT_EVALUATION_MODEL`, `DEFAULT_EXECUTION_MODEL` | Default: `rhesis/rhesis-default` | Model IDs in `provider/model` form for generation, evaluation, and endpoint execution. Rhesis defaults need `RHESIS_API_KEY`; switch to OpenAI, Gemini, Azure, or Vertex and set the matching provider env vars instead if you prefer not to use a platform key. |
| `DEFAULT_EMBEDDING_MODEL` | Default: `rhesis/rhesis-embedding` | Embedding model ID in `provider/model` form. Explicit deployment secrets or `.env` values override this default; keep an older provider value only if you want to continue using that provider for embeddings. |
| `OPENAI_API_KEY`, `GEMINI_API_KEY`, Azure / Vertex variables | Optional | Third-party LLM and embedding providers; set whichever providers you use. |
| `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GH_CLIENT_ID`, `GH_CLIENT_SECRET` | Optional | OAuth sign-in providers. |
| `SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASSWORD`, `FROM_EMAIL`, … | Optional | Outbound email. |
| `OTEL_*` (e.g. `OTEL_EXPORTER_OTLP_ENDPOINT`, `OTEL_SERVICE_NAME`) | Optional | OpenTelemetry export and service metadata. |
| `SERVICE_DELEGATION_EXPIRE_MINUTES` | Default: `15` | Lifetime, in minutes, for short-lived service delegation JWTs used by backend worker flows such as Architect local tool calls. |
| `WS_MAX_MESSAGE_SIZE`, `WS_IDLE_TIMEOUT`, `WS_RATE_LIMIT` | Defaults documented in code | SDK connector WebSocket limits (`/connector/ws`). |
| `CELERY_WORKER_*` | Defaults documented in code | Celery worker process tuning. |
For a full production file (many more keys), teams often load secrets from Google Cloud Secret Manager — see apps/backend/CONTRIBUTING.md (Environment configuration).
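A pre-deployment check for the backend constraints stated in the two tables above, as an added example that is not part of the Rhesis code base. The helper names `check_env`, `is_fernet_key` and `redis_target` and the `production` flag are hypothetical; the variable names and defaults are the ones documented on this page.

```python
import base64
import os
from urllib.parse import urlparse

RHESIS_MODELS = {"rhesis/rhesis-default", "rhesis/rhesis-embedding"}
GEN_KEYS = ("DEFAULT_GENERATION_MODEL", "DEFAULT_EVALUATION_MODEL", "DEFAULT_EXECUTION_MODEL")

def is_fernet_key(value):
    """A Fernet key is 32 random bytes encoded as URL-safe base64."""
    try:
        return len(base64.urlsafe_b64decode(value.encode())) == 32
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return False

def redis_target(url):
    """Return (host, port, db index) for a redis:// URL, or None for other brokers."""
    u = urlparse(url)
    if u.scheme not in ("redis", "rediss"):
        return None
    return (u.hostname, u.port or 6379, u.path.lstrip("/") or "0")

def check_env(env, production=True):
    """Return findings for a backend environment mapping (hypothetical helper)."""
    findings = []
    if not is_fernet_key(env.get("DB_ENCRYPTION_KEY", "")):
        findings.append("DB_ENCRYPTION_KEY is not a valid Fernet key")
    if env.get("ADMIN_DB_USER") and not env.get("ADMIN_DB_PASS"):
        findings.append("ADMIN_DB_USER is set but ADMIN_DB_PASS is missing")
    broker = redis_target(env.get("BROKER_URL", ""))
    if broker and broker == redis_target(env.get("CELERY_RESULT_BACKEND", "")):
        findings.append("BROKER_URL and CELERY_RESULT_BACKEND share a Redis DB index")
    if production:
        if env.get("QUICK_START", "").strip().lower() == "true":
            findings.append("QUICK_START is enabled")
        for name in ("JWT_SECRET_KEY", "SESSION_SECRET_KEY"):
            if not env.get(name):
                findings.append(f"{name} is not set")
        # Unset model variables fall back to the Rhesis-hosted defaults.
        models = {env.get(k, "rhesis/rhesis-default") for k in GEN_KEYS}
        models.add(env.get("DEFAULT_EMBEDDING_MODEL", "rhesis/rhesis-embedding"))
        if models & RHESIS_MODELS and not env.get("RHESIS_API_KEY"):
            findings.append("Rhesis-hosted models selected but RHESIS_API_KEY is missing")
    return findings

if __name__ == "__main__":
    for finding in check_env(dict(os.environ)):
        print("FAIL:", finding)
```

The findings name variables only and never echo their values, so the output is safe to keep in CI logs.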
Frontend (apps/frontend/.env.local)
Created by ./rh dev init
| Variable | Description |
|---|---|
| `API_BASE_URL` | Same semantic as backend `API_BASE_URL`: this deployment's public backend API URL, exposed to browser code through `window.__ENV__`, e.g. `http://localhost:8080`. |
| `BACKEND_URL` | Backend URL for server-side requests, e.g. `http://localhost:8080`. |
| `NEXTAUTH_URL` | Must match how users open the app (same origin as the frontend). |
| `NEXTAUTH_SECRET` | NextAuth secret; change for non-local deployments. |
| `NEXT_TELEMETRY_DISABLED` | Disables Next.js telemetry in local dev when set (e.g. `1`). |
Optional frontend variables
Enable Google or GitHub sign-in, extra env labels, or SMTP when your deployment needs them (see apps/frontend/README.md). Some code paths expect AUTH_SECRET to mirror NEXTAUTH_SECRET when you run strict environment validation.
Celery workers
Workers should use the same PostgreSQL connection, DB_ENCRYPTION_KEY, Celery BROKER_URL / CELERY_RESULT_BACKEND, and Redis settings as the backend, plus a matching JWT_SECRET_KEY when tasks validate tokens. LOG_LEVEL and WORKER_ENV follow the same conventions as in application code. Use your process manager or container orchestration to inject the same logical configuration as apps/backend/.env rather than maintaining a second long variable list here.