Environment Variables

All configuration is done through environment variables, defined in your .env.prod file. This page documents every variable.

Database

| Variable | Default | Required | Description |
|---|---|---|---|
| POSTGRES_USER | breeze | | PostgreSQL username |
| POSTGRES_PASSWORD | | Yes | PostgreSQL password |
| POSTGRES_DB | breeze | | Database name |
| POSTGRES_PORT | 5432 | | PostgreSQL port |
| DATABASE_URL | | Auto | Full connection string (constructed from above in Docker) |

Redis

| Variable | Default | Required | Description |
|---|---|---|---|
| REDIS_URL | redis://localhost:6379 | | Redis connection URL |
| REDIS_PORT | 6379 | | Redis port |

Authentication & Security

| Variable | Default | Required | Description |
|---|---|---|---|
| JWT_SECRET | | Yes | JWT signing key (min 32 chars). Generate: openssl rand -base64 64 |
| JWT_EXPIRES_IN | 15m | | Access token lifetime |
| REFRESH_TOKEN_EXPIRES_IN | 7d | | Refresh token lifetime |
| AGENT_ENROLLMENT_SECRET | | Yes | Shared secret for agent enrollment. Generate: openssl rand -hex 32 |
| APP_ENCRYPTION_KEY | | Yes | AES encryption key for sensitive data at rest |
| MFA_ENCRYPTION_KEY | | Yes | Encryption key for MFA secrets |
| ENROLLMENT_KEY_PEPPER | | Yes | HMAC pepper for enrollment key hashing |
| MFA_RECOVERY_CODE_PEPPER | | Yes | HMAC pepper for recovery code hashing |
| ENROLLMENT_KEY_DEFAULT_TTL_MINUTES | 60 | | Default enrollment key expiry |
| SESSION_SECRET | | Yes | Express session signing secret |
| SESSION_MAX_AGE | 86400000 | | Session max age in ms (24h) |
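
A pre-deployment check for the secrets marked Required in the Database and Authentication & Security tables, as an added example that is not part of the Breeze project. It assumes .env.prod holds plain KEY=VALUE lines; the function names and the distinct-value check are assumptions added here, not documented requirements.

```shell
#!/bin/sh
# Added example, not Breeze code: verify the secrets this page marks Required.
# The file is parsed as text, never sourced, so nothing inside it is executed.

REQUIRED_SECRETS="POSTGRES_PASSWORD JWT_SECRET AGENT_ENROLLMENT_SECRET
APP_ENCRYPTION_KEY MFA_ENCRYPTION_KEY ENROLLMENT_KEY_PEPPER
MFA_RECOVERY_CODE_PEPPER SESSION_SECRET"

# env_value FILE KEY: print the last value assigned to KEY, outer quotes stripped.
env_value() {
  local line val=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$2="*) val="${line#*=}" ;;
    esac
  done < "$1"
  val=${val#\"}; val=${val%\"}
  val=${val#\'}; val=${val%\'}
  printf '%s' "$val"
}

# check_env_file FILE: print one line per problem (key names only, never the
# secret values) and return 0 only when no problem was found.
check_env_file() {
  local file="$1" key val problems=0 seen="|"
  for key in $REQUIRED_SECRETS; do
    val="$(env_value "$file" "$key")"
    if [ -z "$val" ]; then
      echo "MISSING $key"; problems=$((problems + 1)); continue
    fi
    # The page gives a minimum length (32 characters) for JWT_SECRET only.
    if [ "$key" = "JWT_SECRET" ] && [ "${#val}" -lt 32 ]; then
      echo "TOO_SHORT $key (${#val} chars, minimum 32)"; problems=$((problems + 1))
    fi
    # Assumption added here, not stated on the page: no two secrets share a value.
    case "$seen" in
      *"|$val|"*) echo "REUSED $key"; problems=$((problems + 1)) ;;
    esac
    seen="$seen$val|"
  done
  [ "$problems" -eq 0 ]
}

# Usage: sh check-env.sh .env.prod  (exit status 0 means no problems found)
if [ "$#" -gt 0 ]; then check_env_file "$1"; fi
```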

Server

| Variable | Default | Required | Description |
|---|---|---|---|
| NODE_ENV | production | | Environment mode |
| API_PORT | 3001 | | API server port |
| WEB_PORT | 4321 | | Web dashboard port |
| PUBLIC_API_URL | | Yes | Full public API URL (e.g., https://breeze.example.com/api/v1) |
| BREEZE_DOMAIN | | Yes (prod) | Domain for Caddy TLS provisioning |
| ACME_EMAIL | | Yes (prod) | Email for Let’s Encrypt certificate notifications |
| CORS_ALLOWED_ORIGINS | | | Comma-separated allowed CORS origins |
| TRUST_PROXY_HEADERS | false | | Set true when behind a reverse proxy |
| DASHBOARD_URL | | | URL for links in emails |
| PUBLIC_APP_URL | | | Public-facing app URL |

Email

| Variable | Default | Description |
|---|---|---|
| EMAIL_PROVIDER | auto | Provider: auto, resend, smtp, or mailgun |
| RESEND_API_KEY | | Resend API key |
| EMAIL_FROM | noreply@breeze.local | Sender address |
| SMTP_HOST | | SMTP server hostname |
| SMTP_PORT | 587 | SMTP port |
| SMTP_USER | | SMTP username |
| SMTP_PASS | | SMTP password |
| SMTP_FROM | noreply@breeze.local | SMTP-specific sender address |
| SMTP_SECURE | false | Use TLS for SMTP |
| MAILGUN_API_KEY | | Mailgun API key |
| MAILGUN_DOMAIN | | Mailgun sending domain |
| MAILGUN_BASE_URL | https://api.mailgun.net | Mailgun API base URL |
| MAILGUN_FROM | noreply@breeze.local | Mailgun-specific sender address |

SMS (Twilio)

| Variable | Default | Description |
|---|---|---|
| TWILIO_ACCOUNT_SID | | Twilio Account SID |
| TWILIO_AUTH_TOKEN | | Twilio Auth Token |
| TWILIO_VERIFY_SERVICE_SID | | Twilio Verify service SID (for SMS MFA) |
| TWILIO_MESSAGING_SERVICE_SID | | Twilio Messaging Service SID (for alert SMS) |
| TWILIO_PHONE_NUMBER | | Twilio phone number for outbound SMS |

Binary Distribution

| Variable | Default | Description |
|---|---|---|
| BINARY_SOURCE | local | Download source: local (serve from disk, optional S3) or github (redirect to GitHub Releases) |
| AGENT_BINARY_DIR | ./agent/bin | Local directory containing agent binaries |
| VIEWER_BINARY_DIR | ./viewer/bin | Local directory containing viewer installers |
| BINARY_VERSION_FILE | | Path to VERSION file for local mode DB registration (set automatically in Docker Compose) |
| BINARY_VERSION | | Release tag for GitHub redirect mode (falls back to BREEZE_VERSION, then latest) |

See Binary Distribution for details on local vs GitHub mode and S3 offloading.

Object Storage

| Variable | Default | Description |
|---|---|---|
| S3_ENDPOINT | | S3-compatible endpoint (MinIO, R2, AWS). Uses path-style addressing. |
| S3_ACCESS_KEY | | Access key |
| S3_SECRET_KEY | | Secret key |
| S3_BUCKET | | Bucket name |
| S3_REGION | us-east-1 | Bucket region |
| S3_PRESIGN_TTL | 900 | Presigned URL expiration in seconds (15 min) |
| MINIO_API_PORT | 9000 | MinIO API port (Docker only) |
| MINIO_CONSOLE_PORT | 9001 | MinIO web console port (Docker only) |

WebRTC / TURN

| Variable | Default | Description |
|---|---|---|
| TURN_HOST | localhost | TURN server hostname |
| TURN_PORT | 3478 | TURN listening port |
| TURN_SECRET | | TURN shared secret |
| TURN_REALM | breeze.local | TURN realm |

Monitoring

| Variable | Default | Description |
|---|---|---|
| METRICS_SCRAPE_TOKEN | | Bearer token for /metrics/scrape |
| METRICS_INCLUDE_ORG_ID | false | Include org IDs in Prometheus labels |
| METRICS_SCRAPE_IP_ALLOWLIST | | Restrict metrics scraping by IP |
| LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
| LOG_JSON | false | Structured JSON logging |
| GRAFANA_ADMIN_USER | admin | Grafana admin username |
| GRAFANA_ADMIN_PASSWORD | | Grafana admin password |

Sentry

| Variable | Default | Description |
|---|---|---|
| SENTRY_DSN | | Sentry DSN for error tracking |
| SENTRY_ENVIRONMENT | production | Sentry environment tag |
| SENTRY_RELEASE | | Sentry release tag (e.g. git SHA) |
| SENTRY_TRACES_SAMPLE_RATE | 0.1 | Sentry performance trace sample rate (0.0-1.0) |

Rate Limiting

| Variable | Default | Description |
|---|---|---|
| RATE_LIMIT_WINDOW_MS | 60000 | Sliding window duration (ms) |
| RATE_LIMIT_MAX_REQUESTS | 100 | Max requests per window |

File Transfer & Remote Sessions

| Variable | Default | Description |
|---|---|---|
| TRANSFER_STORAGE_PATH | ./data/transfers | File transfer storage directory |
| MAX_TRANSFER_SIZE_MB | 100 | Max file transfer size |
| MAX_ACTIVE_TRANSFERS_PER_ORG | 20 | Concurrent transfer limit per org |
| MAX_ACTIVE_TRANSFERS_PER_USER | 10 | Concurrent transfer limit per user |
| MAX_ACTIVE_REMOTE_SESSIONS_PER_ORG | 10 | Concurrent remote sessions per org |
| MAX_ACTIVE_REMOTE_SESSIONS_PER_USER | 5 | Concurrent remote sessions per user |
| PATCH_REPORT_STORAGE_PATH | ./data/patch-reports | Patch compliance report storage |

Feature Flags

| Variable | Default | Description |
|---|---|---|
| ENABLE_REGISTRATION | true | Allow new user registration |
| ENABLE_2FA | true | Enable two-factor authentication |
| ENABLE_API_DOCS | false | Enable Swagger API documentation |
| ENABLE_API_DOCS_UI | false | Enable interactive Swagger UI (requires ENABLE_API_DOCS=true) |
| USE_AGENT_SDK | | Use Claude Agent SDK for AI chat |
| PORTAL_STATE_BACKEND | memory | Portal state backend: memory or redis (auto redis in production) |

MCP Server

| Variable | Default | Description |
|---|---|---|
| MCP_SSE_RATE_LIMIT_PER_MINUTE | 30 | SSE connection rate limit per API key |
| MCP_MESSAGE_RATE_LIMIT_PER_MINUTE | 120 | Message rate limit per API key |
| MCP_MAX_SSE_SESSIONS_PER_KEY | 5 | Max concurrent SSE sessions per API key |
| MCP_REQUIRE_EXECUTE_ADMIN | false | Require ai:execute_admin scope for Tier 3 tools |
| MCP_EXECUTE_TOOL_ALLOWLIST | | Comma-separated allowed Tier 3 tools (empty = deny all) |

Cloudflare mTLS

| Variable | Default | Description |
|---|---|---|
| CLOUDFLARE_API_TOKEN | | Cloudflare API token with Client Certificates permission |
| CLOUDFLARE_ZONE_ID | | Cloudflare zone ID for your domain |

AI

| Variable | Default | Description |
|---|---|---|
| ANTHROPIC_API_KEY | | Anthropic API key for AI assistant (BYOK) |