# Database (Required) DATABASE_URL="postgresql://postgres:your_password@localhost:5432/simstudio" # Optional read-replica connection string for offloading heavy read paths # (logs listing, audit logs, dashboard aggregations). Reads fall back to # DATABASE_URL when unset. # DATABASE_REPLICA_URL="" # Authentication (Required unless DISABLE_AUTH=true) BETTER_AUTH_SECRET=your_secret_key # Use `openssl rand -hex 32` to generate, or visit https://www.better-auth.com/docs/installation BETTER_AUTH_URL=http://localhost:3000 # Authentication Bypass (Optional - for self-hosted deployments behind private networks) # DISABLE_AUTH=true # Uncomment to bypass authentication entirely. Creates an anonymous session for all requests. # Private Database Hosts (Optional - for self-hosted deployments only) # ALLOW_PRIVATE_DATABASE_HOSTS=true # Uncomment to let database/connector tools reach private/reserved/loopback hosts (e.g. Docker/K8s service names, localhost). Loosens the SSRF boundary; only enable on a trusted private network. # NextJS (Required) NEXT_PUBLIC_APP_URL=http://localhost:3000 # INTERNAL_API_BASE_URL=http://sim-app.default.svc.cluster.local:3000 # Optional: internal URL for server-side /api self-calls; defaults to NEXT_PUBLIC_APP_URL # TRUSTED_ORIGINS=https://www.example.com,https://app.example.com # Optional: comma-separated additional public origins to trust for auth (apex+www, alias domains). Merged into Better Auth trustedOrigins. # Security (Required) ENCRYPTION_KEY=your_encryption_key # Use `openssl rand -hex 32` to generate, used to encrypt environment variables INTERNAL_API_SECRET=your_internal_api_secret # Use `openssl rand -hex 32` to generate, used to encrypt internal api routes API_ENCRYPTION_KEY=your_api_encryption_key # Use `openssl rand -hex 32` to generate, used to encrypt api keys # Email Provider (Optional) # Configure ONE provider — the mailer auto-detects in priority order: # Resend → AWS SES → SMTP → Azure Communication Services. If none are # configured, emails are logged to console instead. # # Resend # RESEND_API_KEY= # API key from https://resend.com # # AWS SES (credentials resolved via the standard AWS provider chain: # env vars, shared config, ECS/EKS task role, EC2 instance profile, SSO) # AWS_SES_REGION=us-east-1 # # SMTP (works with MailHog locally: host=localhost port=1025, no auth) # SMTP_HOST=smtp.example.com # SMTP_PORT=587 # 465 = implicit TLS, 587 = STARTTLS, 25 = plain # SMTP_USER= # Optional — omit for unauthenticated relays # SMTP_PASS= # Optional — omit for unauthenticated relays # SMTP_SECURE= # Set "true" to force TLS on connect; auto-true on port 465 # # Azure Communication Services # AZURE_ACS_CONNECTION_STRING= # # Shared sender configuration # FROM_EMAIL_ADDRESS="Sim " # EMAIL_DOMAIN=example.com # Fallback when FROM_EMAIL_ADDRESS is unset # Local AI Models (Optional) # OLLAMA_URL=http://localhost:11434 # URL for local Ollama server - uncomment if using local models # VLLM_BASE_URL=http://localhost:8000 # Base URL for your self-hosted vLLM (OpenAI-compatible) # VLLM_API_KEY= # Optional bearer token if your vLLM instance requires auth # LITELLM_BASE_URL=http://localhost:4000 # Base URL for your LiteLLM proxy (OpenAI-compatible) # LITELLM_API_KEY= # Optional bearer token if your LiteLLM proxy requires auth # FIREWORKS_API_KEY= # Optional Fireworks AI API key for model listing # NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS=true # Set when using AWS default credential chain (IAM roles, ECS task roles, IRSA). Hides credential fields in Agent block UI. # AZURE_OPENAI_ENDPOINT= # Azure OpenAI endpoint (hides field in UI when set alongside NEXT_PUBLIC_AZURE_CONFIGURED) # AZURE_OPENAI_API_KEY= # Azure OpenAI API key # AZURE_OPENAI_API_VERSION= # Azure OpenAI API version # AZURE_ANTHROPIC_ENDPOINT= # Azure Anthropic endpoint (AI Foundry) # AZURE_ANTHROPIC_API_KEY= # Azure Anthropic API key # AZURE_ANTHROPIC_API_VERSION= # Azure Anthropic API version (e.g., 2023-06-01) # NEXT_PUBLIC_AZURE_CONFIGURED=true # Set when Azure credentials are pre-configured above. Hides endpoint/key/version fields in Agent block UI. # COHERE_API_KEY= # Cohere API key for the Knowledge block reranker (rerank-v4.0-pro/-fast, rerank-v3.5). Alternatively set COHERE_API_KEY_1/2/3 for rotation. # NEXT_PUBLIC_COHERE_CONFIGURED=true # Set when COHERE_API_KEY (or rotation keys) are pre-configured above. Hides the Cohere API Key field on the Knowledge block UI. # Hosted tool API keys (Optional - lets Sim supply the key so users don't have to bring their own). # Each provider reads `{PREFIX}_COUNT` then `{PREFIX}_1..N`, distributing requests round-robin across the keys. # HUNTER_API_KEY_COUNT=2 # Number of Hunter.io keys for hosted Hunter blocks # HUNTER_API_KEY_1= # Hunter.io API key #1 # HUNTER_API_KEY_2= # Hunter.io API key #2 # PEOPLEDATALABS_API_KEY_COUNT=2 # Number of People Data Labs keys for hosted PDL blocks # PEOPLEDATALABS_API_KEY_1= # People Data Labs API key #1 # PEOPLEDATALABS_API_KEY_2= # People Data Labs API key #2 # CONTEXT_DEV_API_KEY_COUNT=2 # Number of Context.dev keys for hosted Context.dev blocks # CONTEXT_DEV_API_KEY_1= # Context.dev API key #1 # CONTEXT_DEV_API_KEY_2= # Context.dev API key #2 # File Storage (Optional - defaults to local disk; use S3 or Azure Blob for production) # AWS_REGION=us-east-1 # Required with S3_BUCKET_NAME to enable S3. Use "auto" for Cloudflare R2 # AWS_ACCESS_KEY_ID= # Omit to use the instance/IRSA credential chain # AWS_SECRET_ACCESS_KEY= # Omit to use the instance/IRSA credential chain # S3_BUCKET_NAME= # General workspace files bucket (required with AWS_REGION to enable S3) # S3_KB_BUCKET_NAME= # Knowledge base documents # S3_EXECUTION_FILES_BUCKET_NAME= # Workflow execution files # S3_CHAT_BUCKET_NAME= # Deployed chat assets # S3_COPILOT_BUCKET_NAME= # Copilot attachments # S3_PROFILE_PICTURES_BUCKET_NAME= # User profile pictures # S3_OG_IMAGES_BUCKET_NAME= # OpenGraph preview images (falls back to S3_BUCKET_NAME) # S3_WORKSPACE_LOGOS_BUCKET_NAME= # Workspace logos (falls back to S3_BUCKET_NAME) # S3_ENDPOINT= # Custom endpoint for S3-compatible storage (Cloudflare R2, MinIO, Backblaze B2). Leave unset for AWS S3 # S3_FORCE_PATH_STYLE=true # Required for MinIO/Ceph RGW. Leave unset for AWS S3 and R2 # Azure Blob Storage takes precedence over S3 if both are configured # AZURE_ACCOUNT_NAME= # Azure storage account name # AZURE_ACCOUNT_KEY= # Azure storage account key # AZURE_CONNECTION_STRING= # Alternative to account name/key # AZURE_STORAGE_CONTAINER_NAME= # General workspace files container # AZURE_STORAGE_KB_CONTAINER_NAME= # Knowledge base documents # AZURE_STORAGE_EXECUTION_FILES_CONTAINER_NAME= # Workflow execution files # AZURE_STORAGE_CHAT_CONTAINER_NAME= # Deployed chat assets # AZURE_STORAGE_COPILOT_CONTAINER_NAME= # Copilot attachments # AZURE_STORAGE_PROFILE_PICTURES_CONTAINER_NAME= # User profile pictures # AZURE_STORAGE_OG_IMAGES_CONTAINER_NAME= # OpenGraph preview images (falls back to AZURE_STORAGE_CONTAINER_NAME) # AZURE_STORAGE_WORKSPACE_LOGOS_CONTAINER_NAME= # Workspace logos (falls back to AZURE_STORAGE_CONTAINER_NAME) # Admin API (Optional - for self-hosted GitOps) # ADMIN_API_KEY= # Use `openssl rand -hex 32` to generate. Enables admin API for workflow export/import. # Usage: curl -H "x-admin-key: your_key" https://your-instance/api/v1/admin/workspaces