This page provides a comprehensive reference for all environment variables and configuration options available in Omni.
All environment variables can be set in your .env file for Docker Compose deployments or in terraform.tfvars for AWS deployments.

Quick Configuration Examples

# Database
DATABASE_PASSWORD=your-secure-password

# Security
SESSION_SECRET=generate-32-char-secret
ENCRYPTION_KEY=generate-32-char-key
ENCRYPTION_SALT=generate-16-char-salt

# Application
APP_URL=http://localhost:3000

# LLM Provider
LLM_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-your-key

# Embeddings
EMBEDDING_PROVIDER=jina
JINA_API_KEY=your-jina-key

# Database
DATABASE_HOST=postgres
DATABASE_PORT=5432
DATABASE_NAME=omni
DATABASE_USER=omni
DATABASE_PASSWORD=your-secure-password
DATABASE_SSL=true
DB_MAX_CONNECTIONS=20

# Redis
REDIS_URL=redis://redis:6379

# Security
SESSION_SECRET=your-32-char-secret
SESSION_DURATION_DAYS=30
ENCRYPTION_KEY=your-32-char-key
ENCRYPTION_SALT=your-16-char-salt

# Application
APP_URL=https://omni.yourcompany.com
NODE_ENV=production
LOG_LEVEL=info

# LLM Provider (Self-hosted)
LLM_PROVIDER=vllm
VLLM_URL=http://vllm:8000
VLLM_MODEL=meta-llama/Llama-3.1-8B-Instruct

# Embeddings
EMBEDDING_PROVIDER=jina
JINA_API_KEY=your-jina-key

# Storage
STORAGE_BACKEND=s3
S3_BUCKET=omni-content
S3_REGION=us-east-1

# Email
EMAIL_PROVIDER=resend
EMAIL_FROM=Omni <[email protected]>
RESEND_API_KEY=re_your-key

# HTTPS
ACME_EMAIL=[email protected]
CLIO_DOMAIN=omni.yourcompany.com

Database Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| DATABASE_HOST | Yes | postgres | Database hostname or IP address |
| DATABASE_PORT | Yes | 5432 | Database port |
| DATABASE_USERNAME | Yes | omni | Database username |
| DATABASE_PASSWORD | Yes | - | Database password (use strong password) |
| DATABASE_NAME | Yes | omni | Database name |
| DATABASE_SSL | No | false | Enable SSL for database connection |
| DB_MAX_CONNECTIONS | No | 10 | Connection pool size per service |
| DB_ACQUIRE_TIMEOUT_SECONDS | No | 3 | Connection acquisition timeout |

Generate a secure database password:
openssl rand -base64 32

Redis Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| REDIS_URL | Yes | redis://redis:6379 | Redis connection URL (format: redis://host:port) |

For Redis with password:
REDIS_URL=redis://:password@redis:6379

Application Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| APP_URL | Yes | http://localhost:3000 | Public-facing application URL (include protocol) |
| OMNI_DOMAIN | No | localhost | Domain name for the application |
| SESSION_SECRET | Yes | - | Secret key for session encryption (32+ characters) |
| SESSION_COOKIE_NAME | No | auth-session | Name of the session cookie |
| SESSION_DURATION_DAYS | No | 7 | Session expiry in days |
| NODE_ENV | No | development | Node environment: development or production |

Never use the same SESSION_SECRET across different environments. Generate unique secrets for dev, staging, and production.

Security & Encryption

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| ENCRYPTION_KEY | Yes | - | Encryption key for OAuth tokens (32+ characters) |
| ENCRYPTION_SALT | Yes | - | Salt for key derivation (16+ characters) |

Generate secure encryption keys:
# For ENCRYPTION_KEY (32 characters)
openssl rand -hex 16

# For ENCRYPTION_SALT (16 characters)
openssl rand -hex 8

# For SESSION_SECRET (32 characters)
openssl rand -hex 16

Service Ports

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| WEB_PORT | No | 3000 | SvelteKit web application port |
| SEARCHER_PORT | No | 3001 | Search service port |
| INDEXER_PORT | No | 3002 | Indexer service port |
| AI_SERVICE_PORT | No | 3003 | AI service port |
| GOOGLE_CONNECTOR_PORT | No | 4001 | Google connector port |
| SLACK_CONNECTOR_PORT | No | 4002 | Slack connector port |
| ATLASSIAN_CONNECTOR_PORT | No | 4003 | Atlassian connector port |
| VLLM_PORT | No | 8000 | vLLM inference server port |

In Docker Compose, services communicate via service names (e.g., http://searcher:3001). Ports only need to be exposed to the host for debugging.

Inter-Service URLs

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| SEARCHER_URL | Yes | http://searcher:3001 | Search service URL |
| INDEXER_URL | Yes | http://indexer:3002 | Indexer service URL |
| AI_SERVICE_URL | Yes | http://ai:3003 | AI service URL |
| GOOGLE_CONNECTOR_URL | Yes | http://google-connector:4001 | Google connector URL |

Feature Flags

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| AI_ANSWER_ENABLED | No | true | Enable AI-generated answers in search results |
| AI_FIRST_SEARCH_ENABLED | No | true | Display AI answers before traditional search results |

LLM Provider Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| LLM_PROVIDER | Yes | vllm | LLM provider: vllm, anthropic, or bedrock |

vLLM (Self-Hosted)

For self-hosted LLM inference:

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| VLLM_URL | Yes | http://vllm:8000 | vLLM service URL |
| VLLM_MODEL | No | microsoft/Phi-3-mini-4k-instruct | HuggingFace model identifier |
| VLLM_DTYPE | No | auto | Data type: auto, float16, bfloat16 |
| VLLM_API_KEY | No | token-abc123 | API key for vLLM authentication |
| VLLM_MAX_MODEL_LEN | No | 2048 | Maximum context length in tokens |

Popular model options:
  • microsoft/Phi-3-mini-4k-instruct (4 GB VRAM)
  • mistralai/Mistral-7B-Instruct-v0.2 (14 GB VRAM)
  • meta-llama/Llama-3.1-8B-Instruct (16 GB VRAM)

Anthropic Claude

For Anthropic’s Claude API:

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| ANTHROPIC_API_KEY | Yes | - | Anthropic API key from https://console.anthropic.com |
| ANTHROPIC_MODEL | No | claude-sonnet-4-20250514 | Claude model version |
| ANTHROPIC_MAX_TOKENS | No | 4096 | Maximum tokens in response |

Available models:
  • claude-sonnet-4-20250514 (Recommended)
  • claude-opus-4-20250514 (Highest quality)
  • claude-haiku-4-20250901 (Fastest, lowest cost)

AWS Bedrock

For AWS Bedrock:

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| BEDROCK_MODEL_ID | No | us.anthropic.claude-sonnet-4-20250514-v1:0 | Bedrock model ID |
| TITLE_GENERATION_MODEL_ID | No | us.anthropic.claude-haiku-4-5-20251001-v1:0 | Model for title generation |
| AWS_REGION | Yes | - | AWS region for Bedrock (e.g., us-east-1) |
| AWS_ACCESS_KEY_ID | Conditional | - | AWS access key (if not using IAM role) |
| AWS_SECRET_ACCESS_KEY | Conditional | - | AWS secret key (if not using IAM role) |

AI Service Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| MODEL_PATH | No | /models | Directory for model storage |
| EMBEDDING_MODEL | No | intfloat/e5-large-v2 | HuggingFace embedding model (if using local) |
| EMBEDDING_DIMENSIONS | No | 1024 | Dimension of embedding vectors |
| EMBEDDING_PROVIDER | Yes | jina | Embedding provider: jina, local, or bedrock |
| JINA_API_KEY | Conditional | - | Jina AI API key (required if EMBEDDING_PROVIDER=jina) |
| AI_WORKERS | No | 1 | Number of uvicorn worker processes |
| CUDA_VISIBLE_DEVICES | No | 0 | GPU device ID for local models (comma-separated for multiple) |

For Jina embeddings, get a free API key at https://jina.ai. The free tier includes 1M tokens/month.

Conversation Compaction

For long conversations that exceed LLM context limits, Omni automatically compacts older messages into a summary while preserving recent messages.

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| ENABLE_CONVERSATION_COMPACTION | No | true | Enable automatic conversation compaction |
| MAX_CONVERSATION_INPUT_TOKENS | No | 150000 | Maximum token limit (compaction triggers at 80%) |
| COMPACTION_RECENT_MESSAGES_COUNT | No | 20 | Number of recent messages to keep intact |
| COMPACTION_SUMMARY_MAX_TOKENS | No | 2000 | Maximum tokens for the generated summary |
| COMPACTION_CACHE_TTL_SECONDS | No | 86400 | Cache TTL for summaries (24 hours) |

Compaction triggers when conversation tokens reach 80% of MAX_CONVERSATION_INPUT_TOKENS (default: 120,000 tokens). The compactor preserves tool_use/tool_result pairs and caches summaries in Redis.

Batch Embedding Inference (AWS Bedrock)

For large-scale embedding generation using AWS Bedrock batch inference:

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| ENABLE_EMBEDDING_BATCH_INFERENCE | No | false | Enable batch processing for embeddings |
| EMBEDDING_BATCH_S3_BUCKET | Conditional | - | S3 bucket for batch files (required if batch enabled) |
| EMBEDDING_BATCH_BEDROCK_ROLE_ARN | Conditional | - | IAM role ARN for Bedrock (required if batch enabled) |
| EMBEDDING_BATCH_MIN_DOCUMENTS | No | 100 | Minimum documents to trigger batch job |
| EMBEDDING_BATCH_MAX_DOCUMENTS | No | 50000 | Maximum documents per batch |
| EMBEDDING_BATCH_ACCUMULATION_TIMEOUT_SECONDS | No | 300 | Wait time before starting batch (5 min) |
| EMBEDDING_BATCH_ACCUMULATION_POLL_INTERVAL | No | 10 | Interval to check queue (10 sec) |
| EMBEDDING_BATCH_MONITOR_POLL_INTERVAL | No | 300 | Interval to check batch status (5 min) |

Google Workspace Connector

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| GOOGLE_CLIENT_ID | Yes | - | Google OAuth 2.0 client ID |
| GOOGLE_CLIENT_SECRET | Yes | - | Google OAuth 2.0 client secret |
| GOOGLE_REDIRECT_URI | Yes | - | OAuth callback URL (e.g., https://omni.company.com/api/oauth/google/callback) |
| GOOGLE_SYNC_INTERVAL_SECONDS | No | 86400 | Interval between full syncs (24 hours) |
| GOOGLE_MAX_AGE_DAYS | No | 730 | Maximum age of files to index (2 years) |
| GOOGLE_WEBHOOK_URL | No | - | HTTPS URL for real-time updates (requires valid SSL certificate) |
| WEBHOOK_RENEWAL_CHECK_INTERVAL_SECONDS | No | 3600 | Interval to check and renew webhooks (1 hour) |

To set up Google OAuth credentials, visit the Google Cloud Console. See Google Connector Setup for detailed instructions.

Slack Connector

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| SLACK_CLIENT_ID | Yes | - | Slack OAuth client ID |
| SLACK_CLIENT_SECRET | Yes | - | Slack OAuth client secret |
| SLACK_BOT_TOKEN | Yes | - | Slack bot token (starts with xoxb-) |

Create a Slack app at https://api.slack.com/apps to get credentials. See Slack Connector Setup for detailed instructions.

Atlassian Connector

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| ATLASSIAN_CLIENT_ID | Yes | - | Atlassian OAuth client ID |
| ATLASSIAN_CLIENT_SECRET | Yes | - | Atlassian OAuth client secret |
| ATLASSIAN_BASE_URL | Yes | - | Atlassian instance URL (e.g., https://yourcompany.atlassian.net) |
| ATLASSIAN_USER_EMAIL | Yes | - | User email for API authentication |
| ATLASSIAN_API_TOKEN | Yes | - | Atlassian API token |

Generate an API token at https://id.atlassian.com/manage-profile/security/api-tokens. See Atlassian Connector Setup for detailed instructions.

HubSpot Connector

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| HUBSPOT_CONNECTOR_PORT | No | 4004 | HubSpot connector service port |

The HubSpot connector requires credentials to be configured through the Omni UI:
  • Private App Token: A HubSpot private app token (starts with pat-na1-)
  • Portal ID: Your HubSpot portal ID (optional)
Required OAuth scopes for Private Apps:
  • crm.objects.contacts.read
  • crm.objects.companies.read
  • crm.objects.deals.read
  • tickets
  • e-commerce (for engagements)
See HubSpot Connector Setup for detailed instructions.

Filesystem Connector

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| FILESYSTEM_CONNECTOR_PORT | No | 4006 | Filesystem connector service port |

The Filesystem connector is configured through source settings:
  • base_path: Root directory path to scan (required)
  • scan_interval_seconds: Full scan interval (default: 300)
  • file_extensions: Whitelist of extensions to include (optional)
  • exclude_patterns: Path patterns to exclude (optional)
  • max_file_size_bytes: Maximum file size to process (default: 10MB for content)
See Filesystem Connector Setup for detailed instructions including Docker volume mounting.

Connector Manager

The connector-manager service orchestrates all connector operations.

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| CONNECTOR_MANAGER_PORT | No | 8090 | Connector manager service port |
| MAX_CONCURRENT_SYNCS | No | 10 | Maximum concurrent syncs across all sources |
| MAX_CONCURRENT_SYNCS_PER_TYPE | No | 3 | Maximum concurrent syncs per connector type |
| SCHEDULER_INTERVAL_SECONDS | No | 30 | How often scheduler checks for due syncs |
| STALE_SYNC_TIMEOUT_MINUTES | No | 10 | Timeout to mark a sync as stale/failed |

Connector URLs (used by connector-manager to communicate with connectors):

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| CONNECTOR_GOOGLE_URL | Yes | - | Google connector URL |
| CONNECTOR_SLACK_URL | Yes | - | Slack connector URL |
| CONNECTOR_ATLASSIAN_URL | Yes | - | Atlassian connector URL |
| CONNECTOR_WEB_URL | Yes | - | Web connector URL |

Storage Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| STORAGE_BACKEND | Yes | s3 | Storage backend: s3 or local |
| S3_BUCKET | Conditional | - | S3 bucket name (required if STORAGE_BACKEND=s3) |
| S3_REGION | Conditional | - | S3 region (required if STORAGE_BACKEND=s3) |
| AWS_ACCESS_KEY_ID | Conditional | - | AWS access key (if not using IAM role) |
| AWS_SECRET_ACCESS_KEY | Conditional | - | AWS secret key (if not using IAM role) |
| AWS_SESSION_TOKEN | No | - | AWS session token (for temporary credentials) |

Local storage example:
STORAGE_BACKEND=local
# Files stored in /data/storage directory
S3 storage example:
STORAGE_BACKEND=s3
S3_BUCKET=omni-content-prod
S3_REGION=us-east-1
# Use IAM role in AWS, or provide keys for other environments

Email Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| EMAIL_PROVIDER | Yes | resend | Email provider: resend or smtp |
| EMAIL_FROM | Yes | Omni <[email protected]> | From email address |

Resend Provider

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| RESEND_API_KEY | Yes | - | Resend API key from https://resend.com |

SMTP Provider

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| EMAIL_HOST | Yes | - | SMTP server hostname |
| EMAIL_PORT | Yes | 587 | SMTP server port (587 for TLS, 465 for SSL) |
| EMAIL_USER | Yes | - | SMTP username |
| EMAIL_PASSWORD | Yes | - | SMTP password |
| EMAIL_SECURE | No | true | Use TLS/SSL |

Search Configuration

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| TYPO_TOLERANCE_ENABLED | No | true | Enable typo tolerance in search queries |
| TYPO_TOLERANCE_MAX_DISTANCE | No | 2 | Maximum Levenshtein distance for typo correction |
| TYPO_TOLERANCE_MIN_WORD_LENGTH | No | 4 | Minimum word length to apply typo correction |

Logging & Monitoring

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| RUST_LOG | No | info | Rust services log level: trace, debug, info, warn, error |
| LOG_LEVEL | No | debug | Python services log level: DEBUG, INFO, WARNING, ERROR |

Log level recommendations:
  • Development: RUST_LOG=debug, LOG_LEVEL=DEBUG
  • Production: RUST_LOG=info, LOG_LEVEL=INFO
  • Troubleshooting: RUST_LOG=trace, LOG_LEVEL=DEBUG

Telemetry (OpenTelemetry)

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| OTEL_EXPORTER_OTLP_ENDPOINT | No | - | OTLP collector endpoint (empty = telemetry disabled) |
| OTEL_DEPLOYMENT_ID | No | - | Deployment identifier for tracing |
| OTEL_DEPLOYMENT_ENVIRONMENT | No | development | Environment: development, staging, production |
| SERVICE_VERSION | No | 0.1.0 | Service version for tracing |

Example with Honeycomb:
OTEL_EXPORTER_OTLP_ENDPOINT=https://api.honeycomb.io
OTEL_EXPORTER_OTLP_HEADERS=x-honeycomb-team=your-api-key
OTEL_DEPLOYMENT_ID=omni-prod-us-east-1
OTEL_DEPLOYMENT_ENVIRONMENT=production

HTTPS & SSL (Production)

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| ACME_EMAIL | Conditional | - | Email for Let’s Encrypt notifications (required for automatic HTTPS) |
| CLIO_DOMAIN | Conditional | - | Domain name for Caddy (required for automatic HTTPS) |

Automatic HTTPS setup:
ACME_EMAIL=[email protected]
CLIO_DOMAIN=omni.yourcompany.com
Caddy will automatically:
  1. Obtain SSL certificate from Let’s Encrypt
  2. Configure HTTPS
  3. Redirect HTTP to HTTPS
  4. Auto-renew certificates

Environment-Specific Examples

Development (.env)

# Minimal configuration for local development
DATABASE_PASSWORD=dev-password
SESSION_SECRET=dev-session-secret-32-characters
ENCRYPTION_KEY=dev-encryption-key-32-chars
ENCRYPTION_SALT=dev-salt-16char
APP_URL=http://localhost:3000

LLM_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-your-dev-key

EMBEDDING_PROVIDER=jina
JINA_API_KEY=jina_your-dev-key

RUST_LOG=debug
LOG_LEVEL=DEBUG

Staging (.env)

# Staging environment with production-like settings
DATABASE_HOST=staging-db.internal
DATABASE_PASSWORD=staging-secure-password
DATABASE_SSL=true

SESSION_SECRET=staging-session-secret-unique-32-chars
ENCRYPTION_KEY=staging-encryption-key-unique-32
ENCRYPTION_SALT=staging-salt-16

APP_URL=https://omni-staging.yourcompany.com

LLM_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-your-staging-key

EMBEDDING_PROVIDER=jina
JINA_API_KEY=jina_your-staging-key

STORAGE_BACKEND=s3
S3_BUCKET=omni-content-staging
S3_REGION=us-east-1

EMAIL_PROVIDER=resend
RESEND_API_KEY=re_staging_key

RUST_LOG=info
LOG_LEVEL=INFO

OTEL_EXPORTER_OTLP_ENDPOINT=https://api.honeycomb.io
OTEL_DEPLOYMENT_ENVIRONMENT=staging

Production (.env)

# Production configuration with all features
DATABASE_HOST=prod-db.internal
DATABASE_PORT=5432
DATABASE_NAME=omni
DATABASE_USER=omni
DATABASE_PASSWORD=prod-very-secure-password-here
DATABASE_SSL=true
DB_MAX_CONNECTIONS=20

REDIS_URL=redis://:redis-password@redis:6379

SESSION_SECRET=prod-session-secret-unique-32-characters
SESSION_DURATION_DAYS=30
ENCRYPTION_KEY=prod-encryption-key-unique-32-chars
ENCRYPTION_SALT=prod-salt-unique

APP_URL=https://omni.yourcompany.com
NODE_ENV=production

LLM_PROVIDER=vllm
VLLM_URL=http://vllm:8000
VLLM_MODEL=meta-llama/Llama-3.1-8B-Instruct

EMBEDDING_PROVIDER=jina
JINA_API_KEY=jina_prod_key

STORAGE_BACKEND=s3
S3_BUCKET=omni-content-prod
S3_REGION=us-east-1

EMAIL_PROVIDER=resend
EMAIL_FROM=Omni <[email protected]>
RESEND_API_KEY=re_prod_key

GOOGLE_CLIENT_ID=your-prod-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-prod-secret
GOOGLE_REDIRECT_URI=https://omni.yourcompany.com/api/oauth/google/callback
GOOGLE_WEBHOOK_URL=https://omni.yourcompany.com/api/webhooks/google

SLACK_CLIENT_ID=your-slack-client-id
SLACK_CLIENT_SECRET=your-slack-client-secret
SLACK_BOT_TOKEN=xoxb-your-bot-token

ACME_EMAIL=[email protected]
CLIO_DOMAIN=omni.yourcompany.com

RUST_LOG=info
LOG_LEVEL=INFO

OTEL_EXPORTER_OTLP_ENDPOINT=https://api.honeycomb.io
OTEL_DEPLOYMENT_ID=omni-prod-us-east-1
OTEL_DEPLOYMENT_ENVIRONMENT=production

Security Best Practices

Use cryptographically secure random values for all secrets:
# Generate all secrets at once
# (the subshell sets umask 077 so .env.secrets is created readable by its owner only)
(
umask 077
cat > .env.secrets <<EOF
SESSION_SECRET=$(openssl rand -hex 16)
ENCRYPTION_KEY=$(openssl rand -hex 16)
ENCRYPTION_SALT=$(openssl rand -hex 8)
DATABASE_PASSWORD=$(openssl rand -base64 32)
EOF
)

# Then copy values to .env
# Never commit .env to version control
echo ".env" >> .gitignore
echo ".env.*" >> .gitignore

# Set restrictive permissions
chmod 600 .env

# For production, use secret management systems
# - AWS Secrets Manager (Terraform deployments)
# - Docker Secrets (Swarm deployments)
# - Kubernetes Secrets (K8s deployments)
Best practices for secret rotation:
  1. API Keys: Rotate every 90 days
  2. Database Passwords: Rotate every 180 days
  3. Session Secrets: Rotate after security incidents
  4. Encryption Keys: Only rotate with data migration plan
Rotating ENCRYPTION_KEY requires re-encrypting all stored OAuth tokens. Plan carefully.
Use different secrets for each environment:
# Development
.env.development

# Staging
.env.staging

# Production
.env.production
Never reuse production secrets in non-production environments.
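
The rules this page states for secrets (32+ characters for SESSION_SECRET and ENCRYPTION_KEY, 16+ for ENCRYPTION_SALT, no secret shared between environments) can be checked before a deployment. The script below is an added example, not part of Omni: the function names, the placeholder heuristic, the 16-character floor for DATABASE_PASSWORD and the sample values are assumptions made for illustration.

```python
import re

# Minimum lengths from this page's tables; the DATABASE_PASSWORD floor is an assumption.
MIN_LEN = {"SESSION_SECRET": 32, "ENCRYPTION_KEY": 32,
           "ENCRYPTION_SALT": 16, "DATABASE_PASSWORD": 16}
# Heuristic (assumption): fragments that occur in the page's template values.
PLACEHOLDER = re.compile(r"your-|generate-|secret|password|-key|-salt|char", re.I)

# Constructed sample files; every value is made up for this example.
STAGING = """
SESSION_SECRET=4b1e8a0c7d2f49a6b3c5e7f901234567
ENCRYPTION_KEY=0f1e2d3c4b5a69788796a5b4c3d2e1f0
ENCRYPTION_SALT=a1b2c3d4e5f60718
DATABASE_PASSWORD=Zq3vT8mK1xW5nB7rJ0hL2cY9
"""
# PROD: session secret copied from staging, template key, short salt, no DB password.
PROD = """
SESSION_SECRET=4b1e8a0c7d2f49a6b3c5e7f901234567
ENCRYPTION_KEY=generate-32-char-key
ENCRYPTION_SALT=0123abcd
"""

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(name, env):
    """Return findings for one environment: missing, placeholder or short secrets."""
    findings = []
    for key, minimum in MIN_LEN.items():
        value = env.get(key, "")
        if not value:
            findings.append(f"{name}: {key} is missing")
        elif PLACEHOLDER.search(value):
            findings.append(f"{name}: {key} looks like a template placeholder")
        elif len(value) < minimum:
            findings.append(f"{name}: {key} is {len(value)} chars, need {minimum}+")
    return findings

def check_reuse(envs):
    """Flag a secret value that appears in more than one environment."""
    findings, seen = [], {}
    for name, env in envs.items():
        for key in MIN_LEN:
            value = env.get(key)
            if value and value in seen and seen[value] != name:
                findings.append(f"{key} in {name} is also used in {seen[value]}")
            elif value:
                seen[value] = name
    return findings

if __name__ == "__main__":
    envs = {"staging": parse_env(STAGING), "prod": parse_env(PROD)}
    print(check_env("prod", envs["prod"]) + check_reuse(envs))
```

The findings name only the variable and environment, never the secret value, so the output is safe to keep in CI logs.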

Validation & Testing

Test your configuration:
# Validate environment variables are set
docker compose config

# Test service connectivity
docker compose up -d
docker compose ps  # All services should be "healthy"

# Check logs for configuration errors
docker compose logs web
docker compose logs ai

Troubleshooting Configuration Issues

Check for missing required variables:
# Look for environment variable errors in logs
docker compose logs | grep -i "environment"
docker compose logs | grep -i "required"
Common issues:
  • Missing DATABASE_PASSWORD
  • Missing SESSION_SECRET or ENCRYPTION_KEY
  • Missing API keys for enabled features
Verify database configuration:
# Check if PostgreSQL is accessible
docker compose exec web nc -zv postgres 5432

# Test database connection
docker compose exec postgres psql -U omni -d omni -c "SELECT 1;"
Check:
  • DATABASE_HOST matches service name
  • DATABASE_PASSWORD is correct
  • PostgreSQL is fully started
Test LLM connectivity:
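# For Anthropic (lists available models; /v1/messages only accepts POST requests)
curl -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  https://api.anthropic.com/v1/models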

# For vLLM
docker compose exec web curl http://vllm:8000/health
Check:
  • LLM_PROVIDER is set correctly
  • API keys are valid
  • vLLM service is running (if self-hosted)
Test email configuration:
# Check email service logs
docker compose logs web | grep -i email

# For Resend
curl -H "Authorization: Bearer $RESEND_API_KEY" \
  https://api.resend.com/domains
Check:
  • EMAIL_PROVIDER is set
  • API key or SMTP credentials are valid
  • EMAIL_FROM domain is verified (for Resend)