Skip to Content
ContributeEnvironment Variables

Environment Variables

Environment variables for the backend, frontend, and Celery workers. Local development is intentionally small: run ./rh dev init once from the repository root, then ./rh dev up to start Postgres and Redis on dev ports (11000 / 11001).

terminal
# From the repo root (one-time)
./rh dev init
./rh dev up

Note: These commands generate apps/backend/.env and apps/frontend/.env.local with a first line like # Generated by ./rh dev init. Do not commit real secrets.

Backend (apps/backend/.env)

Created by ./rh dev init

VariableDescription
QUICK_STARTSet to `true` for local quick-start behavior. **Do not enable in production.**
SQLALCHEMY_DATABASE_URLPostgreSQL URL. With dev infra: `postgresql://rhesis-user:rhesis-password@localhost:11000/rhesis-db`.
SQLALCHEMY_DB_DRIVERDatabase driver (e.g. `postgresql`).
SQLALCHEMY_DB_PORTPort matching dev Postgres (`11000` when using `./rh dev up`).
SQLALCHEMY_DB_USERDatabase user.
SQLALCHEMY_DB_PASSDatabase password.
SQLALCHEMY_DB_HOSTHost and port (e.g. `localhost:11000`).
SQLALCHEMY_DB_NAMEDatabase name.
DB_ENCRYPTION_KEYFernet key for encrypted fields. **Keep secret.** Generate if not using init: `python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"`.
REDIS_URLRedis URL for app cache and queues (dev: port `11001`).
BROKER_URLCelery broker (same Redis host as above in typical dev setups).
CELERY_RESULT_BACKENDCelery results store; use a different Redis DB index than `BROKER_URL` when both are Redis.
ENVIRONMENTEnvironment name (e.g. `development`).
BACKEND_ENVBackend environment label (e.g. `development`).
LOG_LEVELLog level (e.g. `DEBUG`).
FRONTEND_URLPublic frontend URL (CORS and redirects), e.g. `http://localhost:3000`.
BACKEND_URLBackend URL as reachable by clients and tools, e.g. `http://localhost:8080`.
JWT_SECRET_KEYSecret for signing JWTs. Change for any non-local deployment.
JWT_ALGORITHMJWT algorithm (e.g. `HS256`).
JWT_ACCESS_TOKEN_EXPIRE_MINUTESAccess token lifetime in minutes (init uses a long window for local dev).

Optional and production variables

These are not added by ./rh dev init but are commonly needed when you deploy, integrate OAuth, email, observability, or hosted models.

Rhesis API key (hosted models): If you keep default model settings that use Rhesis-hosted inference (rhesis/rhesis-default for generation, evaluation, or execution), set RHESIS_API_KEY to a key from the Rhesis platform (https://app.rhesis.ai ) — create or copy an API key from your account or organization settings and add it to the backend environment in production (or to your secret store). Set RHESIS_BASE_URL if the API base URL must differ from the default https://api.rhesis.ai.

VariableRequired / defaultDescription
RHESIS_API_KEYOptional locally; **required** when using `rhesis/rhesis-default` modelsAuthenticates calls to Rhesis-hosted models. Obtain from the Rhesis platform (API keys in the app).
RHESIS_BASE_URLDefault: `https://api.rhesis.ai`Backend API base URL; set explicitly in production so callbacks and integrations resolve correctly.
SESSION_SECRET_KEYRequired in productionSession middleware signing key. Local dev may use a fallback when running locally; production must set this.
DEFAULT_GENERATION_MODEL`, `DEFAULT_EVALUATION_MODEL`, `DEFAULT_EXECUTION_MODEL`, `DEFAULT_EMBEDDING_MODELSee `apps/backend` defaultsModel IDs in `provider/model` form. Rhesis defaults need `RHESIS_API_KEY`; switch to OpenAI, Gemini, Azure, or Vertex and set the matching provider env vars instead if you prefer not to use a platform key.
`OPENAI_API_KEY`, `GEMINI_API_KEY`, Azure / Vertex variablesOptionalThird-party LLM and embedding providers; set whichever providers you use.
GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GH_CLIENT_ID`, `GH_CLIENT_SECRETOptionalOAuth sign-in providers.
`SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASSWORD`, `FROM_EMAIL`, …OptionalOutbound email.
SQLALCHEMY_DB_MODE`, `SQLALCHEMY_DATABASE_TEST_URLOptionalDatabase mode and test DB URL for automated tests.
`OTEL_*` (e.g. `OTEL_EXPORTER_OTLP_ENDPOINT`, `OTEL_SERVICE_NAME`)OptionalOpenTelemetry export and service metadata.
SERVICE_DELEGATION_EXPIRE_MINUTESDefault: `15`Lifetime, in minutes, for short-lived service delegation JWTs used by backend worker flows such as Architect local tool calls.
WS_MAX_MESSAGE_SIZE`, `WS_IDLE_TIMEOUT`, `WS_RATE_LIMITDefaults documented in codeSDK connector WebSocket limits (`/connector/ws`).
CELERY_WORKER_*Defaults documented in codeCelery worker process tuning.

For a full production file (many more keys), teams often load secrets from Google Cloud Secret Manager — see apps/backend/CONTRIBUTING.md (Environment configuration).

Frontend (apps/frontend/.env.local)

Created by ./rh dev init

VariableDescription
NEXT_PUBLIC_QUICK_STARTMirrors backend quick-start; **disable in production** (`false`).
NEXT_PUBLIC_API_BASE_URLBackend API URL exposed to the browser, e.g. `http://localhost:8080`.
BACKEND_URLBackend URL for server-side requests, e.g. `http://localhost:8080`.
NEXTAUTH_URLMust match how users open the app (same origin as the frontend).
NEXTAUTH_SECRETNextAuth secret; change for non-local deployments.
NEXT_TELEMETRY_DISABLEDDisables Next.js telemetry in local dev when set (e.g. `1`).

Optional frontend variables

Enable Google or GitHub sign-in, extra env labels, or SMTP when your deployment needs them (see apps/frontend/README.md). Some code paths expect AUTH_SECRET to mirror NEXTAUTH_SECRET when you run strict environment validation.

Celery workers

Workers should use the same PostgreSQL connection, DB_ENCRYPTION_KEY, Celery BROKER_URL / CELERY_RESULT_BACKEND, and Redis settings as the backend, plus a matching JWT_SECRET_KEY when tasks validate tokens. LOG_LEVEL and WORKER_ENV follow the same conventions as in application code. Use your process manager or container orchestration to inject the same logical configuration as apps/backend/.env rather than maintaining a second long variable list here.

ConnectorTelemetry