
Environment Variables Reference

Configuration Precedence Order

Passbolt's configuration system uses multiple sources that override each other in a specific order. Web UI settings override environment variables, which override PHP configuration files, which override default values.

Environment Variables: Infrastructure and security settings (database connections, TLS verification, GPG keys, API credentials, debug flags, email server configuration)

PHP Configuration Files: Framework defaults and application settings (CakePHP settings, plugin configurations, security policies, database and email configuration)

Web UI: Functional settings and user management (SSO provider config, MFA policies, LDAP settings, SMTP settings, user preferences)

Deployment Patterns:

  • Docker/Helm: Environment variables for infrastructure configuration
  • Package Installations: Environment variables or /etc/passbolt/passbolt.php for system settings
  • Production: Web UI for functional configuration, environment variables for security hardening

1. Web UI Settings (Highest Priority)

Settings configured through the Passbolt web interface override all other configuration methods. These are stored in the database and provide the most user-friendly way to configure functional settings.

What's Configured Here:

  • SMTP Settings: Email server configuration, authentication, TLS settings
  • SSO Configuration: Provider settings, endpoints, user mapping
  • MFA Settings: Provider configuration, policies, user preferences
  • Directory Sync: LDAP server settings, user mapping, group synchronization
  • Email Notifications: Which emails to send and what content to include

Why This Priority: Web UI settings allow administrators to configure Passbolt without server access and provide immediate feedback on configuration validity.

2. Environment Variables (High Priority)

System environment variables override PHP configuration files but are overridden by web UI settings. These are used for infrastructure configuration and automation.

What's Configured Here:

  • Infrastructure Settings: Database connections, server URLs, file paths
  • Security Hardening: TLS verification, security salts, authentication tokens
  • Deployment Configuration: Docker/Helm variables, platform-specific settings
  • Technical Details: Ports, authentication credentials, certificate paths

3. PHP Configuration Files (Medium Priority)

Configuration files are loaded in a specific order, with later files overriding earlier ones. These provide persistent configuration that survives application restarts.

Loading Order:

  1. /etc/passbolt/app.php (CakePHP framework defaults)
  2. /etc/passbolt/default.php (Passbolt application defaults)
  3. /etc/passbolt/audit_logs.php (Audit logging configuration)
  4. /etc/passbolt/passbolt.php (User-specific overrides - highest file priority)

Configuration Files

Only edit /etc/passbolt/passbolt.php for custom configuration. Do not edit app.php or default.php as they will be overwritten during updates. Configuration files are located in /etc/passbolt/ for all production installations.

4. Default Values (Lowest Priority)

Hardcoded defaults in the application code and framework defaults. These provide sensible defaults for new installations.

What's Configured Here:

  • Application Defaults: Default plugin states, security policies, feature flags
  • Framework Defaults: Database drivers, email transport, logging configuration
  • Fallback Values: Settings used when no other configuration is provided

Configuration Methods: passbolt.php vs Environment Variables

Environment variables and passbolt.php configuration files serve the same purpose but with different syntax and nesting structure.

Environment Variable Naming

  • Each level separated by underscore
  • All uppercase
  • passbolt section becomes PASSBOLT_ prefix
  • passbolt.plugins becomes PASSBOLT_PLUGINS_
  • passbolt.security.sso.ssl.verify becomes PASSBOLT_SECURITY_SSO_SSL_VERIFY

Environment variables use uppercase with underscores and follow the nested structure of the configuration:

# Database configuration
DATASOURCES_DEFAULT_HOST=db.example.com
DATASOURCES_DEFAULT_USERNAME=passbolt_user
DATASOURCES_DEFAULT_PASSWORD=secure_password

# Email configuration
EMAIL_TRANSPORT_DEFAULT_HOST=smtp.example.com
EMAIL_TRANSPORT_DEFAULT_PORT=587
EMAIL_DEFAULT_FROM=[email protected]

# Plugin settings
PASSBOLT_PLUGINS_SSO_ENABLED=true
PASSBOLT_PLUGINS_SELF_REGISTRATION_ENABLED=false

passbolt.php Configuration

The same settings when applied in passbolt.php use PHP array syntax with nested keys:

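<?php
// /etc/passbolt/passbolt.php: nested-array equivalent of the environment variables above
return [
    // Database connection (DATASOURCES_DEFAULT_*)
    'Datasources' => [
        'default' => [
            'host' => 'db.example.com',
            'username' => 'passbolt_user',
            'password' => 'secure_password',
        ],
    ],
    // SMTP transport (EMAIL_TRANSPORT_DEFAULT_*)
    'EmailTransport' => [
        'default' => [
            'host' => 'smtp.example.com',
            'port' => 587,
        ],
    ],
    // Sender address and display name (EMAIL_DEFAULT_FROM, EMAIL_DEFAULT_FROM_NAME)
    'Email' => [
        'default' => [
            'from' => [
                '[email protected]' => 'Passbolt'
            ],
        ],
    ],
    // Plugin toggles (PASSBOLT_PLUGINS_*)
    'passbolt' => [
        'plugins' => [
            'sso' => [
                'enabled' => true,
            ],
            'selfRegistration' => [
                'enabled' => false,
            ],
        ],
    ],
];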

Database Configuration

Database Setup

For detailed database configuration, see Database setup guides and PostgreSQL configuration for PostgreSQL-specific settings.

Production Database

DATASOURCES_DEFAULT_DRIVER (string, optional)
Database driver class for the primary database connection. Determines the database type and connection method.
Default: 'Cake\Database\Driver\Mysql' | Environment: all | Example: 'Cake\Database\Driver\Mysql', 'Cake\Database\Driver\Postgres'

DATASOURCES_DEFAULT_HOST (string, optional)
Database server hostname or IP address.
Default: 'localhost' | Environment: all | Example: 'db.example.com', '192.168.1.100'

DATASOURCES_DEFAULT_PORT (integer, optional)
Database server port number.
Default: 3306 | Environment: all | Example: 3306, 5432 (PostgreSQL)

DATASOURCES_DEFAULT_USERNAME (string, optional)
Database username for authentication.
Default: 'user' (passbolt.default.php) or '' (app.php) | Environment: all

DATASOURCES_DEFAULT_PASSWORD (string, optional)
Database password for authentication.
Default: 'secret' (passbolt.default.php) or '' (app.php) | Environment: all

DATASOURCES_DEFAULT_DATABASE (string, optional)
Database name to connect to.
Default: 'passbolt' (passbolt.default.php) or '' (app.php) | Environment: all

DATASOURCES_DEFAULT_ENCODING (string, optional)
Database character encoding for storing and retrieving data. Affects how special characters and Unicode are handled.
Default: 'utf8mb4' | Environment: all

DATASOURCES_DEFAULT_URL (string|null, optional)
Complete database connection URL that overrides individual host, port, username, password, and database settings. Useful for cloud database services.
Default: null | Environment: all | Example: 'mysql://user:pass@host:3306/database'

DATASOURCES_DEFAULT_SCHEMA (string, optional)
Database schema (for PostgreSQL).
Default: 'public' | Environment: all

Database TLS (SSL) Configuration

DATASOURCES_DEFAULT_SSL_KEY (string, optional)
Database TLS (SSL) private key file path.
Default: '' | Environment: all | Example: '/etc/ssl/db-client.key'

DATASOURCES_DEFAULT_SSL_CERT (string, optional)
Database TLS (SSL) certificate file path.
Default: '' | Environment: all | Example: '/etc/ssl/db-client.crt'

DATASOURCES_DEFAULT_SSL_CA (string, optional)
Database TLS (SSL) CA certificate file path.
Default: '' | Environment: all | Example: '/etc/ssl/ca.crt'

DATASOURCES_DEFAULT_LOG (boolean, optional)
Enable database query logging for debugging. Logs all SQL queries to the application log when enabled.
Default: false | Environment: all

Email Configuration

Email Setup

For email configuration, see Email server setup for SMTP configuration and Email notifications for notification settings.

SMTP Configuration

EMAIL_DEFAULT_TRANSPORT (string, optional)
Default email transport configuration name. References the transport configuration defined in the email settings.
Default: 'default' | Environment: all

EMAIL_DEFAULT_FROM_NAME (string, optional)
From name displayed in email notifications sent by Passbolt. Appears as the sender name in email clients.
Default: 'Passbolt' | Environment: all

EMAIL_DEFAULT_FROM (string, optional)
From email address for notifications sent by Passbolt. Must be a valid email address that matches your SMTP configuration.
Default: '[email protected]' | Environment: all

EMAIL_TRANSPORT_DEFAULT_HOST (string, optional)
SMTP server hostname or IP address.
Default: 'localhost' | Environment: all | Example: 'smtp.gmail.com', 'mail.example.com'

EMAIL_TRANSPORT_DEFAULT_PORT (integer, optional)
SMTP server port number. Common ports: 587 (STARTTLS), 465 (SMTPS), 25 (unencrypted), 2525 (alternative).
Default: 25 | Environment: all | Example: 587 (STARTTLS), 465 (SMTPS), 25 (unencrypted)

EMAIL_TRANSPORT_DEFAULT_USERNAME (string, optional)
SMTP server username for authentication.
Default: 'user' (passbolt.default.php) or null (app.php) | Environment: all

EMAIL_TRANSPORT_DEFAULT_PASSWORD (string, optional)
SMTP server password for authentication.
Default: 'secret' (passbolt.default.php) or null (app.php) | Environment: all

EMAIL_TRANSPORT_DEFAULT_URL (string|null, optional)
Complete SMTP connection URL that overrides individual host, port, username, password, and TLS settings. Useful for cloud email services.
Default: null | Environment: all | Example: 'smtp://user:pass@host:587?tls=true', 'smtps://user:pass@host:465'

SMTP TLS (SSL) Configuration

EMAIL_TRANSPORT_DEFAULT_TLS (boolean|null, optional)
Enable TLS encryption for SMTP connections. Set to true for STARTTLS (port 587) or false for no encryption.
Default: null | Environment: all | Example: true, false

EMAIL_TRANSPORT_DEFAULT_TIMEOUT (integer, optional)
Maximum time in seconds to wait for SMTP server responses.
Default: 30 | Environment: all | Example: 30, 60, 120

PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER (boolean, optional)
Verify the SMTP server's TLS (SSL) certificate during connection.
Default: true | Environment: all | Security: high impact

PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER_NAME (boolean, optional)
Verify that the SMTP server's certificate matches the server hostname.
Default: true | Environment: all | Security: high impact

PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED (boolean, optional)
Allow connections to SMTP servers with self-signed certificates.
Default: false | Environment: development | Security: medium impact

PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_CAFILE (string|null, optional)
Path to a custom CA certificate file for SMTP server verification.
Default: null | Environment: all | Example: '/etc/ssl/certs/custom-ca.crt'

GPG Server Key Configuration

GPG Setup

For GPG key management, see GPG key rotation for key setup and management instructions. GPG keys can be imported, generated via web GUI, or configured through environment variables depending on your deployment method.

PASSBOLT_GPG_SERVER_KEY_FINGERPRINT (string, optional)
Fingerprint of the GPG server key used for encryption and decryption operations. Required for CLI operations and server authentication.
Default: null | Environment: all | Security: critical | Example: '43F978AFF88B53F5ABBD12C87D5E40A4C43926ED'

PASSBOLT_GPG_SERVER_KEY_PUBLIC (string, optional)
Path to the public GPG server key file.
Default: CONFIG . 'gpg' . DS . 'serverkey.asc' | Environment: all | Security: medium impact | Example: '/etc/passbolt/gpg/serverkey.asc'

PASSBOLT_GPG_SERVER_KEY_PRIVATE (string, optional)
Path to the private GPG server key file.
Default: CONFIG . 'gpg' . DS . 'serverkey_private.asc' | Environment: all | Security: critical | Example: '/etc/passbolt/gpg/serverkey_private.asc'

PASSBOLT_GPG_BACKEND (string, optional)
Selects the OpenPGP backend that Passbolt uses.
Default: 'gnupg' | Environment: all

PASSBOLT_GPG_EXTRA_ENCRYPT_VALIDATE (boolean, optional)
Enable experimental encrypt validation.
Default: true | Environment: all

PASSBOLT_GPG_SECURITY_ACCEPT_REVOKED_KEY_UNHASHED_ISSUER_SUB_PACKET (boolean, optional)
Allow revoked issuer subpacket to be unhashed.
Default: true | Environment: all

System GPG Configuration

GNUPGHOME (string, optional)
System environment variable for GPG home directory. Overrides the default keyring location.
Default: ~/.gnupg (user's home directory) | Environment: all | Example: '/etc/passbolt/gpg'

Note

The legacy variables PASSBOLT_GPG_SERVER_KEY_PUBLIC_FILE and PASSBOLT_GPG_SERVER_KEY_PRIVATE_FILE are also supported for backward compatibility.

User Key Policies Configuration

PASSBOLT_PLUGINS_USER_KEY_POLICIES_PREFERRED_KEY_TYPE (string, optional)
Preferred GPG key type for user key generation. Controls whether users get RSA or ECC (curve) keys.
Default: 'curve' | Environment: all | Example: 'rsa', 'curve'

PASSBOLT_PLUGINS_USER_KEY_POLICIES_PREFERRED_KEY_SIZE (integer|null, optional)
Preferred GPG key size for RSA keys. Not used for ECC keys (set to null).
Default: null | Environment: all | Example: 3072, 4096, null

PASSBOLT_PLUGINS_USER_KEY_POLICIES_PREFERRED_KEY_CURVE (string|null, optional)
Preferred GPG key curve for ECC keys. Not used for RSA keys (set to null).
Default: 'curve25519_legacy+ed25519_legacy' | Environment: all | Example: 'curve25519_legacy+ed25519_legacy', null

Application Configuration

APP_FULL_BASE_URL (string|boolean, optional)
Complete base URL for the application including protocol, domain, and optional subdirectory. Used for generating absolute URLs in emails, API responses, and redirects.
Default: 'https://www.passbolt.test' (passbolt.default.php) or false (app.php, auto-generated from HTTP_HOST) | Environment: all | Example: 'https://passbolt.example.com'

APP_DEFAULT_LOCALE (string, optional)
Default locale for user interface translations, date/time formatting, and number formatting.
Default: 'en_UK' | Environment: all | Example: 'en_UK', 'fr_FR', 'de_DE'

APP_DEFAULT_TIMEZONE (string, optional)
Default timezone for the application when no user-specific timezone is set.
Default: 'UTC' | Environment: all | Example: 'UTC', 'Europe/London', 'America/New_York'

APP_BASE_URL (string, optional)
Base URL path for the application when running in a subdirectory.
Default: null | Environment: all | Example: '/passbolt', '/apps/passbolt'

PASSBOLT_JS_BUILD (string, optional)
JavaScript build mode for the application.
Default: 'production' | Environment: all | Example: 'production', 'development'

PASSBOLT_HEALTHCHECK_ERROR (boolean, optional)
Enable healthcheck error reporting.
Default: false | Environment: all

PASSBOLT_CHECK_DOMAIN_MISMATCH (boolean, optional)
Check for domain mismatch where possible.
Default: true | Environment: all

PASSBOLT_OBFUSCATE_FIELDS_PLACEHOLDER (string, optional)
Placeholder for obfuscated fields.
Default: '***' | Environment: all

Authentication Token Configuration

PASSBOLT_AUTH_TOKEN_EXPIRY (string, optional)
Default token expiry time for authentication tokens.
Default: '3 days' | Environment: all | Example: '1 day', '1 week', '30 minutes'

PASSBOLT_AUTH_REGISTER_TOKEN_EXPIRY (string, optional)
Expiry time for user registration tokens.
Default: '10 days' | Environment: all | Example: '7 days', '24 hours'

PASSBOLT_AUTH_RECOVER_TOKEN_EXPIRY (string, optional)
Expiry time for account recovery tokens.
Default: '10 days' | Environment: all | Example: '7 days', '48 hours'

PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY (string, optional)
Expiry time for login tokens.
Default: '5 minutes' | Environment: all | Example: '10 minutes', '1 hour'

PASSBOLT_AUTH_MOBILE_TRANSFER_TOKEN_EXPIRY (string, optional)
Expiry time for mobile transfer tokens.
Default: '5 minutes' | Environment: all | Example: '10 minutes', '30 minutes'

PASSBOLT_AUTH_JWT_REFRESH_TOKEN (string, optional)
Expiry time for JWT refresh tokens.
Default: '1 month' | Environment: all | Example: '2 weeks', '6 months'

PASSBOLT_AUTH_JWT_ACCESS_TOKEN (string, optional)
Expiry time for JWT access tokens.
Default: '5 minutes' | Environment: all | Example: '15 minutes', '1 hour'

PASSBOLT_AUTH_JWT_VERIFY_TOKEN (string, optional)
Expiry time for JWT verification tokens.
Default: '1 hour' | Environment: all | Example: '30 minutes', '2 hours'

PASSBOLT_AUTH_SSO_SET_SETTINGS (string, optional)
Expiry time for SSO settings tokens.
Default: '10 minutes' | Environment: all | Example: '5 minutes', '15 minutes'

PASSBOLT_AUTH_SSO_GET_KEY (string, optional)
Expiry time for SSO key retrieval tokens.
Default: '10 minutes' | Environment: all | Example: '5 minutes', '15 minutes'

PASSBOLT_AUTH_SSO_STATE (string, optional)
Expiry time for SSO state tokens.
Default: '10 minutes' | Environment: all | Example: '5 minutes', '15 minutes'

Outbound TLS Verification

TLS Documentation

For TLS setup guidance, see TLS Certificates. This section covers environment variables for outbound TLS verification.

LDAPS Configuration

PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_ENABLED (boolean, optional)
Enable custom TLS configuration options for LDAP directory synchronization. Used in Directory Sync configuration.
Default: false | Environment: all

PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_VERIFY_PEER (boolean, optional)
Verify the LDAP server's TLS (SSL) certificate during directory synchronization. Critical for secure LDAPS connections.
Default: true | Environment: all

PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_CAFILE (string|null, optional)
Path to a CA certificate file for LDAP server verification. Required for private CA certificates.
Default: null | Environment: all | Example: '/etc/ssl/certs/ldap-ca.crt'

PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_CADIR (string|null, optional)
Path to a directory containing multiple CA certificates for LDAP server verification. Alternative to CAFILE for multiple CAs.
Default: null | Environment: all | Example: '/etc/ssl/certs/ldap-cas/'

SSO TLS Verification

PASSBOLT_SECURITY_SSO_SSL_VERIFY (boolean, optional)
Verify TLS (SSL) certificates for Single Sign-On (SSO) provider endpoint connections. This environment variable controls TLS verification for SSO connections configured through the web UI.
Default: true | Environment: all

PASSBOLT_SECURITY_SSO_SSL_CAFILE (string|null, optional)
Path to a custom CA certificate file for SSO provider verification. Required for private CA certificates when using SSO configured through the web UI.
Default: null | Environment: all | Example: '/etc/ssl/certs/sso-ca.crt'

Security Configuration

Critical Security Variables

The following variables are critical for production security and should be configured in all deployments.

Related: Security policies | User management | API status monitoring

PASSBOLT_SSL_FORCE (boolean, optional)
Force SSL/HTTPS only. When enabled, all HTTP requests are redirected to HTTPS, ensuring all communication is encrypted. Required for production security.
Default: false | Environment: all

SECURITY_SALT (string, optional)
CakePHP security salt for hashing and encryption. Auto-generated during deployment. Used for password hashing and other cryptographic operations.
Default: '__SALT__' | Environment: all | Security: critical

PASSBOLT_SECURITY_SSO_SSL_VERIFY (boolean, optional)
Verify TLS (SSL) certificates for Single Sign-On (SSO) provider endpoint connections. This environment variable controls TLS verification for SSO connections configured through the web UI.
Default: true | Environment: all

PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER (boolean, optional)
Verify SMTP server TLS (SSL) certificates during email transmission. Required for secure email delivery.
Default: true | Environment: all

PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_VERIFY_PEER (boolean, optional)
Verify the LDAP server's TLS (SSL) certificate during directory synchronization. Required for secure LDAPS connections.
Default: true | Environment: all

PASSBOLT_SECURITY_SET_HEADERS (boolean, optional)
Send Content Security Policy (CSP) headers to prevent XSS attacks and control resource loading.
Default: true | Environment: all

PASSBOLT_SECURITY_COOKIE_SECURE (boolean, optional)
Set MFA cookie secure flag. When enabled, cookies are only sent over HTTPS connections.
Default: true | Environment: all

PASSBOLT_SECURITY_PROXIES_ACTIVE (boolean, optional)
Enable proxy support for load balancers/proxies. Required when Passbolt is behind a reverse proxy to correctly identify client IP addresses.
Default: false | Environment: all

PASSBOLT_SECURITY_MFA_MAX_ATTEMPTS (string, optional)
Maximum attempts for MFA authentication before the user is locked out. Helps prevent brute force attacks.
Default: '4' | Environment: all

PASSBOLT_SECURITY_FULLBASEURL_ENFORCE (boolean, optional)
Enforce full base URL configuration. When enabled, requires APP_FULL_BASE_URL to be properly configured.
Default: false | Environment: all

PASSBOLT_SECURITY_EMPTY_FULLBASEURL_WARN (boolean, optional)
Warn when full base URL is empty.
Default: true | Environment: all

PASSBOLT_SECURITY_USER_AGENT (boolean, optional)
Enable storage and display of user agent information in audit logs and user sessions.
Default: true | Environment: all

PASSBOLT_SECURITY_USER_IP (boolean, optional)
Enable storage and display of user IP address in audit logs and user sessions.
Default: true | Environment: all

PASSBOLT_SECURITY_USERNAME_LOWER_CASE (boolean, optional)
Convert usernames to lowercase during authentication. Affects username matching and case sensitivity.
Default: false | Environment: all

PASSBOLT_SECURITY_USERNAME_CASE_SENSITIVE (boolean, optional)
Enable case-sensitive username matching during authentication. When disabled, usernames are treated case-insensitively.
Default: false | Environment: all

PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED (boolean, optional)
Disable SMTP settings endpoints for security hardening. When enabled, SMTP settings can only be configured via environment variables.
Default: false | Environment: all

PASSBOLT_SECURITY_GET_LOGOUT_ENDPOINT_ENABLED (boolean, optional)
Enable GET logout endpoint. Allows users to log out via a GET request in addition to POST.
Default: true | Environment: all

PASSBOLT_SECURITY_PREVENT_EMAIL_ENUMERATION (boolean, optional)
Prevent email enumeration attacks by not revealing whether an email address exists in the system.
Default: false | Environment: all

PASSBOLT_SECURITY_DIRECTORY_SYNC_FORBIDDEN_FIELDS_ACTIVE (boolean, optional)
Enable forbidden fields protection for directory sync. Prevents sensitive fields from being synchronized from LDAP/AD.
Default: true | Environment: all

PASSBOLT_SECURITY_DIRECTORY_SYNC_ENDPOINTS_DISABLED (boolean, optional)
Disable directory sync endpoints for security hardening. When enabled, directory sync can only be configured via environment variables.
Default: false | Environment: all

PASSBOLT_SECURITY_EMAIL_ANONYMISE_ADMINISTRATOR_IDENTITY (boolean, optional)
Anonymise administrator identity in emails. When enabled, admin emails are replaced with generic addresses.
Default: false | Environment: all

PASSBOLT_SECURITY_SSO_SETTINGS_EDITION_DISABLED (boolean, optional)
Disable SSO settings creation, update, and deletion endpoints for security hardening. When enabled, SSO settings can only be viewed, not modified through the web UI or API.
Default: false | Environment: all

PASSBOLT_SECURITY_METADATA_SETTINGS_EDITION_DISABLED (boolean, optional)
Disable metadata settings edition.
Default: false | Environment: all

PASSBOLT_SECURITY_MFA_DUO_VERIFY_SUBSCRIBER (boolean, optional)
Enable Duo MFA verify subscriber.
Default: false | Environment: all
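
An added example, not part of the Passbolt documentation or code base: a Python audit that reads a .env-style file, falls back to the defaults listed on this page for unset variables, and reports security-relevant settings whose effective value is weak. The function names, the accepted boolean spellings and the sample file are assumptions; values set only in passbolt.php or the web UI are not visible to it.

```python
"""Audit Passbolt environment variables against the defaults on this page."""
from urllib.parse import urlsplit

# Assumption: spellings treated as boolean true; everything else is false.
TRUTHY = {"1", "true", "yes", "on"}

# (variable, documented default, safe value, risk when the unsafe value applies)
BOOL_RULES = [
    ("PASSBOLT_SSL_FORCE", "false", True,
     "HTTP requests are not redirected to HTTPS"),
    ("PASSBOLT_SECURITY_SSO_SSL_VERIFY", "true", True,
     "SSO provider certificates are not verified"),
    ("PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER", "true", True,
     "SMTP server certificate is not verified"),
    ("PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_VERIFY_PEER_NAME", "true", True,
     "SMTP certificate hostname is not checked"),
    ("PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED", "false", False,
     "self-signed SMTP certificates are accepted"),
    ("PASSBOLT_PLUGINS_DIRECTORY_SYNC_SECURITY_SSL_CUSTOM_OPTIONS_VERIFY_PEER",
     "true", True, "LDAP server certificate is not verified"),
    ("PASSBOLT_SECURITY_SET_HEADERS", "true", True,
     "CSP headers are not sent"),
    ("PASSBOLT_SECURITY_COOKIE_SECURE", "true", True,
     "MFA cookie is sent without the secure flag"),
    ("PASSBOLT_PLUGINS_SSO_DEBUG_ENABLED", "false", False,
     "SSO debug logging is enabled"),
    ("DATASOURCES_DEFAULT_LOG", "false", False,
     "all SQL queries are written to the application log"),
]


def parse_env(text):
    """Parse KEY=VALUE lines; skips comments, accepts 'export' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def effective(env, name, default):
    """Return (value, source); the environment wins over the documented default."""
    if name in env:
        return env[name], "env"
    return default, "default"


def database_password(env):
    """DATASOURCES_DEFAULT_URL overrides the individual password variable."""
    url = env.get("DATASOURCES_DEFAULT_URL", "")
    if url:
        return urlsplit(url).password or "", "DATASOURCES_DEFAULT_URL", "env"
    value, source = effective(env, "DATASOURCES_DEFAULT_PASSWORD", "secret")
    return value, "DATASOURCES_DEFAULT_PASSWORD", source


def audit(env):
    """Return a list of (variable, source, risk) for weak effective settings."""
    findings = []
    for name, default, safe, risk in BOOL_RULES:
        value, source = effective(env, name, default)
        if (value.strip().lower() in TRUTHY) != safe:
            findings.append((name, source, risk))

    salt, source = effective(env, "SECURITY_SALT", "__SALT__")
    if salt in ("", "__SALT__"):
        findings.append(("SECURITY_SALT", source, "placeholder salt in use"))

    password, name, source = database_password(env)
    if password in ("", "secret"):
        findings.append((name, source, "empty or default database password"))
    return findings


# Constructed sample, not taken from a real deployment.
SAMPLE_ENV = """\
# passbolt.env
APP_FULL_BASE_URL=https://passbolt.example.com
PASSBOLT_SSL_FORCE=true
SECURITY_SALT=__SALT__
DATASOURCES_DEFAULT_URL=mysql://passbolt_user:secret@db.example.com:3306/passbolt
PASSBOLT_SECURITY_SSO_SSL_VERIFY=false
PASSBOLT_PLUGINS_SMTP_SETTINGS_SECURITY_SSL_ALLOW_SELF_SIGNED="true"
PASSBOLT_PLUGINS_SSO_DEBUG_ENABLED=0
"""

if __name__ == "__main__":
    for variable, source, risk in audit(parse_env(SAMPLE_ENV)):
        print(f"[{source:7}] {variable}: {risk}")
```

Findings with source "default" mean the variable is unset in the audited file, so the weak value comes from the documented default rather than from an explicit choice.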

Session Configuration

Session Management

For session configuration, see SSO configuration for SSO session handling and Authentication settings for session management.

SESSION_COOKIE (string, optional)
Session cookie name.
Default: 'passbolt_session' | Environment: all

SESSION_COOKIE_SAMESITE (string, optional)
Session cookie SameSite attribute.
Default: 'Lax' | Environment: all

Note

When using SSO with POST redirect requests and SameSite=Lax cookies, sessions may be dropped. Consider using "None" for SameSite in such cases.

Multi-Factor Authentication Configuration

MFA Setup

For MFA configuration, see MFA setup for provider configuration, MFA policies for policy management, Duo configuration for Duo-specific setup, and YubiKey configuration for YubiKey setup.

MFA Provider Settings

PASSBOLT_PLUGINS_MFA_PROVIDERS_TOTP (boolean, optional)
Enable TOTP (Time-based One-Time Password) MFA provider.
Default: false | Environment: all

PASSBOLT_PLUGINS_MFA_PROVIDERS_DUO (boolean, optional)
Enable Duo MFA provider.
Default: false | Environment: all

PASSBOLT_PLUGINS_MFA_PROVIDERS_YUBIKEY (boolean, optional)
Enable YubiKey MFA provider.
Default: false | Environment: all

PASSBOLT_PLUGINS_MFA_TOTP_SECRET_LENGTH (integer, optional)
Length of TOTP secret keys in characters. Longer keys provide better security but may not be compatible with all authenticator apps.
Default: 32 | Environment: all | Example: 16, 32, 64

PASSBOLT_PLUGINS_MFA_SORT_PROVIDERS_BY_LAST_USAGE (boolean, optional)
Sort MFA providers by last usage in the UI. When enabled, the most recently used MFA provider appears first in the selection list.
Default: true | Environment: all

YubiKey Configuration

PASSBOLT_PLUGINS_MFA_YUBIKEY_CLIENTID (string, optional)
YubiKey API client ID.
Default: null | Environment: all | Example: 'your-yubikey-client-id'

PASSBOLT_PLUGINS_MFA_YUBIKEY_SECRETKEY (string, optional)
YubiKey API secret key.
Default: null | Environment: all | Example: 'your-yubikey-secret-key'

Duo Configuration

PASSBOLT_PLUGINS_MFA_DUO_CLIENT_ID (string, optional)
Duo API client ID.
Default: null | Environment: all | Example: 'your-duo-client-id'

PASSBOLT_PLUGINS_MFA_DUO_CLIENT_SECRET (string, optional)
Duo API client secret.
Default: null | Environment: all | Example: 'your-duo-client-secret'

PASSBOLT_PLUGINS_MFA_DUO_API_HOSTNAME (string, optional)
Duo API hostname.
Default: null | Environment: all | Example: 'api-123456789.duosecurity.com'

Deprecated Duo Variables (Legacy Duo v3)

Deprecated Variables

These variables are deprecated but still supported for backward compatibility with legacy Duo v3. Use the Duo v4 variables above for new configurations.

PASSBOLT_PLUGINS_MFA_DUO_INTEGRATIONKEY (string, optional)
DEPRECATED: Duo integration key (legacy Duo v3). Use PASSBOLT_PLUGINS_MFA_DUO_CLIENT_ID for Duo v4.
Default: null | Environment: all | Status: deprecated

PASSBOLT_PLUGINS_MFA_DUO_SECRETKEY (string, optional)
DEPRECATED: Duo secret key (legacy Duo v3). Use PASSBOLT_PLUGINS_MFA_DUO_CLIENT_SECRET for Duo v4.
Default: null | Environment: all | Status: deprecated

PASSBOLT_PLUGINS_MFA_DUO_HOST (string, optional)
DEPRECATED: Duo host (legacy Duo v3). Use PASSBOLT_PLUGINS_MFA_DUO_API_HOSTNAME for Duo v4.
Default: null | Environment: all | Status: deprecated

SSO Configuration

SSO Setup

For SSO configuration, see SSO setup for provider configuration, Microsoft SSO for Microsoft Azure AD setup, and Google SSO for Google Workspace setup.

SSO Provider Settings

PASSBOLT_PLUGINS_SSO_PROVIDER_AZURE_ENABLED (boolean, optional)
Enable Azure Active Directory SSO provider.
Default: true | Environment: all

PASSBOLT_PLUGINS_SSO_PROVIDER_GOOGLE_ENABLED (boolean, optional)
Enable Google SSO provider.
Default: true | Environment: all

PASSBOLT_PLUGINS_SSO_PROVIDER_OAUTH2_ENABLED (boolean, optional)
Enable OAuth2 (OIDC) SSO provider.
Default: true | Environment: all

PASSBOLT_PLUGINS_SSO_PROVIDER_ADFS_ENABLED (boolean, optional)
Enable ADFS SSO provider.
Default: true | Environment: all

SSO Security Settings

PASSBOLT_PLUGINS_SSO_DEBUG_ENABLED (boolean, optional)
Enable SSO debug logging.
Default: false | Environment: all

PASSBOLT_PLUGINS_SSO_SECURITY_PROMPT (boolean, optional)
Enable SSO security prompts. When enabled, users may be prompted to re-authenticate with the SSO provider even if they have an active session.
Default: true | Environment: all

PASSBOLT_PLUGINS_SSO_SECURITY_REDIRECT_METHOD (string, optional)
SSO redirect method (GET or POST). GET redirects are simpler but may have cookie limitations. POST redirects are more secure but require proper session handling.
Default: null | Environment: all | Example: 'GET', 'POST'

PASSBOLT_PLUGINS_SSO_JWT_LEEWAY (integer, optional)
JWT clock skew tolerance in seconds. Allows for time differences between the SSO provider and Passbolt server when validating JWT tokens.
Default: 0 | Environment: all | Example: 30, 60

PASSBOLT_PLUGINS_SSO_SECURITY_OAUTH2_EMAIL_CLAIM_ALIAS (string, optional)
Custom email claim alias for OAuth2 providers. Overrides the default email claim name in the OAuth2 ID token when the provider uses a non-standard claim name.
Default: null | Environment: all | Example: 'email', 'upn'

PASSBOLT_PLUGINS_SSO_SECURITY_JWKS_DEFAULT_ALG (string, optional)
Default algorithm for SSO JWKS (JSON Web Key Set). Specifies the default signing algorithm when the SSO provider doesn't specify one in the JWKS.
Default: null | Environment: all | Example: 'RS256', 'ES256'

Plugin Feature Toggles

Plugin Configuration

For plugin management, see Role-based access control for RBAC settings, Password policies for password management, and User provisioning for user management features.

Core Plugins

PASSBOLT_PLUGINS_EXPORT_ENABLED (boolean, optional)
Enable resource export functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_IMPORT_ENABLED (boolean, optional)
Enable resource import functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_MOBILE_ENABLED (boolean, optional)
Enable mobile app integration features.
Default: true | Environment: all

PASSBOLT_PLUGINS_DESKTOP_ENABLED (boolean, optional)
Enable desktop app integration features.
Default: true | Environment: all

PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED (boolean, optional)
Enable JWT authentication plugin.
Default: true | Environment: all

PASSBOLT_PLUGINS_RBACS_ENABLED (boolean, optional)
Enable Role-Based Access Control (RBAC) plugin.
Default: true | Environment: all

PASSBOLT_PLUGINS_EMAIL_DIGEST_ENABLED (boolean, optional)
Enable email digest functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_PREVIEW_PASSWORD_ENABLED (boolean, optional)
Enable password preview functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_HEALTHCHECK_SECURITY_INDEX_ENDPOINT_ENABLED (boolean, optional)
Enable healthcheck security index endpoint.
Default: true | Environment: all

PASSBOLT_PLUGINS_HEALTHCHECK_UI_ENABLED (boolean, optional)
Enable healthcheck UI.
Default: true | Environment: all

PASSBOLT_PLUGINS_SMTP_SETTINGS_ENABLED (boolean, optional)
Enable SMTP settings plugin.
Default: true | Environment: all

Authentication Plugins

PASSBOLT_PLUGINS_SSO_ENABLED (boolean, optional)
Enable Single Sign-On functionality. SSO configuration is managed through the web UI, but TLS verification can be set via environment variables.
Default: true | Environment: all

PASSBOLT_PLUGINS_MFA_POLICIES_ENABLED (boolean, optional)
Enable Multi-Factor Authentication policy enforcement. Used in MFA policy configuration.
Default: true | Environment: all

PASSBOLT_PLUGINS_ACCOUNT_RECOVERY_ENABLED (boolean, optional)
Enable account recovery functionality. Used in Account Recovery.
Default: true | Environment: all

PASSBOLT_PLUGINS_SSO_RECOVER_ENABLED (boolean, optional)
Enable SSO recovery functionality. Allows users to recover their account through SSO when they lose access to their primary authentication method.
Default: true | Environment: all

PASSBOLT_PLUGINS_SELF_REGISTRATION_ENABLED (boolean, optional)
Enable self-registration functionality. Allows new users to register themselves without administrator intervention.
Default: true | Environment: all

Password Management

PASSBOLT_PLUGINS_PASSWORD_EXPIRY_ENABLED (boolean, optional)
Enable password expiry policy enforcement. Forces users to change their passwords after a specified period. See Password expiry configuration for detailed setup.
Default: true | Environment: all

PASSBOLT_PLUGINS_PASSWORD_EXPIRY_POLICIES_ENABLED (boolean, optional)
Enable password expiry policies. Allows administrators to configure password expiration rules and notifications.
Default: true | Environment: all

PASSBOLT_PLUGINS_PASSWORD_POLICIES_ENABLED (boolean, optional)
Enable password policy validation checks. Enforces password complexity requirements and validation rules. See Password policy configuration for detailed setup.
Default: true | Environment: all

PASSBOLT_PLUGINS_PASSWORD_POLICIES_UPDATE_ENABLED (boolean, optional)
Enable password policies update functionality. Allows administrators to modify password policies after initial configuration.
Default: true | Environment: all

PASSBOLT_PLUGINS_USER_PASSPHRASE_POLICIES_ENABLED (boolean, optional)
Enable user passphrase policies. Controls the complexity requirements for user GPG passphrases. See User passphrase policies for detailed setup.
Default: true | Environment: all

Resource Management

PASSBOLT_PLUGINS_RESOURCE_TYPES_ENABLED (boolean, optional)
Enable resource types functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_TOTP_RESOURCE_TYPES_ENABLED (boolean, optional)
Enable TOTP resource types functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_TAGS_ENABLED (boolean, optional)
Enable tags functionality.
Default: true | Environment: all

PASSBOLT_PLUGINS_TAGS_READ_ONLY_MODE (boolean, optional)
Enable tags read-only mode. When enabled, users can view tags but cannot create, modify, or delete them.
Default: false | Environment: all

PASSBOLT_PLUGINS_TAGS_BACKUP_MODE (boolean, optional)
Enable tags backup mode. When enabled, tags are preserved during data migrations and system updates.
Default: false | Environment: all

PASSBOLT_PLUGINS_USER_KEY_POLICIES_ENABLED (boolean, optional)
Enable user key policies.
Default: true | Environment: all

Directory Sync

PASSBOLT_PLUGINS_DIRECTORY_SYNC_CASE_SENSITIVE_FILTERS (boolean, optional)
Enable case-sensitive LDAP filters for directory synchronization. When enabled, LDAP search filters are case-sensitive, which may be required for some directory servers. See Directory Sync configuration for detailed setup.
Default: false | Environment: all

Metadata Plugin

PASSBOLT_PLUGINS_METADATA_DEFAULT_PAGINATION_LIMIT (integer, optional)
Default pagination limit for metadata queries.
Default: 20 | Environment: all | Example: 10, 50, 100

PASSBOLT_PLUGINS_METADATA_AUTO_SETUP_CLIENT_SIDE (boolean, optional)
Enable automatic client-side metadata setup. When enabled, metadata configuration is automatically applied to client applications.
Default: false | Environment: all

PASSBOLT_PLUGINS_METADATA_ENABLE_FOR_NEW_INSTANCES (boolean, optional)
Enable metadata for new Passbolt instances.
Default: true | Environment: all

PASSBOLT_PLUGINS_METADATA_ENABLE_FOR_EXISTING_INSTANCES (boolean, optional)
Enable metadata for existing Passbolt instances.
Default: true | Environment: all

In-Form Integration

PASSBOLT_PLUGINS_IN_FORM_INTEGRATION_ENABLED (boolean, optional)
Enable in-form integration functionality.
Default: true | Environment: all

Email Digest

PASSBOLT_PLUGINS_EMAIL_DIGEST_BATCH_SIZE_LIMIT (string, optional)
Maximum batch size for email digest processing.
Default: '100' | Environment: all | Example: '50', '200'

Password Generator

PASSBOLT_PLUGINS_PASSWORD_POLICIES_DEFAULT_PASSWORD_GENERATOR_TYPE (string, optional)
Default password generator type for password policies.
Default: null | Environment: all | Example: 'passphrase', 'password'

PASSBOLT_PLUGINS_PASSWORD_GENERATOR_DEFAULT_GENERATOR (string, optional)
Legacy default password generator type.
Default: null | Environment: all | Example: 'passphrase', 'password'

Email Notification Settings

Email Notifications

For notification management, see Email configuration. For SMTP configuration, see Email server setup.

Email Validation

PASSBOLT_EMAIL_VALIDATE_MX (boolean, optional)
Validate email MX records.
Default: false | Environment: all

PASSBOLT_EMAIL_VALIDATE_REGEX (string, optional)
Custom regex for email validation.
Default: null | Environment: all

PASSBOLT_EMAIL_PURIFY_SUBJECT (boolean, optional)
Purify email subjects.
Default: false | Environment: all

Email Content Controls

PASSBOLT_EMAIL_SHOW_USERNAME (boolean, optional)
Include resource username in email notifications.
Default: false | Environment: all

PASSBOLT_EMAIL_SHOW_URI (boolean, optional)
Include resource URI/URL in email notifications.
Default: false | Environment: all

PASSBOLT_EMAIL_SHOW_SECRET (boolean, optional)
Include PGP-encrypted password in email notifications.
Default: false | Environment: all

PASSBOLT_EMAIL_SHOW_COMMENT (boolean, optional)
Include resource comment in email notifications.
Default: false | Environment: all

PASSBOLT_EMAIL_SHOW_DESCRIPTION (boolean, optional)
Include resource description in email notifications.
Default: false | Environment: all

Email Sending Controls

PASSBOLT_EMAIL_SEND_PASSWORD_CREATE (boolean, optional)
Send email when a password is created.
Default: false | Environment: all

PASSBOLT_EMAIL_SEND_PASSWORD_SHARE (boolean, optional)
Send email when a password is shared.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_PASSWORD_UPDATE (boolean, optional)
Send email when a password is updated.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_PASSWORD_DELETE (boolean, optional)
Send email when a password is deleted.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_PASSWORD_EXPIRE (boolean, optional)
Send email when a password expires.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_USER_CREATE (boolean, optional)
Send email when a new user is invited.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_USER_RECOVER (boolean, optional)
Send email for user recovery.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_USER_RECOVER_COMPLETE (boolean, optional)
Send email when user recovery is completed.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_GROUP_USER_ADD (boolean, optional)
Send email when a user is added to a group.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_GROUP_USER_DELETE (boolean, optional)
Send email when a user is removed from a group.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_GROUP_USER_UPDATE (boolean, optional)
Send email when a user's group membership is updated.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_COMMENT_ADD (boolean, optional)
Send email when a comment is added.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_GROUP_DELETE (boolean, optional)
Send email when a group is deleted.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_GROUP_MANAGER_UPDATE (boolean, optional)
Send email when a group manager is updated.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_GROUP_MANAGER_REQUEST_ADD_USER (boolean, optional)
Send email when a group manager requests to add a user.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_FOLDER_CREATE (boolean, optional)
Send email when a folder is created.
Default: false | Environment: all

PASSBOLT_EMAIL_SEND_FOLDER_UPDATE (boolean, optional)
Send email when a folder is updated.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_FOLDER_DELETE (boolean, optional)
Send email when a folder is deleted.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_FOLDER_SHARE (boolean, optional)
Send email when a folder is shared.
Default: true | Environment: all

Account Recovery Email Controls

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_REQUEST_USER (boolean, optional)
Send email to user for account recovery request.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_REQUEST_ADMIN (boolean, optional)
Send email to admin for account recovery request.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_REQUEST_GUESSING (boolean, optional)
Send email for account recovery guessing attempts.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_RESPONSE_USER_APPROVED (boolean, optional)
Send email to user when account recovery is approved.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_RESPONSE_USER_REJECTED (boolean, optional)
Send email to user when account recovery is rejected.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_RESPONSE_CREATED_ADMIN (boolean, optional)
Send email to admin when account recovery response is created.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_RESPONSE_CREATED_ALL_ADMINS (boolean, optional)
Send email to all admins when account recovery response is created.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ACCOUNT_RECOVERY_POLICY_UPDATE (boolean, optional)
Send email when account recovery policy is updated.
Default: true | Environment: all

Admin Email Controls

PASSBOLT_EMAIL_SEND_ADMIN_USER_DISABLE_ADMIN (boolean, optional)
Send email to admin when user is disabled.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_DISABLE_USER (boolean, optional)
Send email to user when they are disabled.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_SETUP_COMPLETED (boolean, optional)
Send email when user setup is completed.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_RECOVER_ABORT (boolean, optional)
Send email when user recovery is aborted.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_RECOVER_COMPLETE (boolean, optional)
Send email when user recovery is completed.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_REGISTER_COMPLETE (boolean, optional)
Send email when user registration is completed.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_ADMIN_ROLE_REVOKED_ADMIN (boolean, optional)
Send email to admin when admin role is revoked.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_ADMIN_ROLE_REVOKED_USER (boolean, optional)
Send email to user when their admin role is revoked.
Default: false | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_ADMIN_DELETE_ADMIN (boolean, optional)
Send email to admin when user is deleted.
Default: true | Environment: all

PASSBOLT_EMAIL_SEND_ADMIN_USER_ADMIN_DELETE_USER (boolean, optional)
Send email to user when they are deleted.
Default: false | Environment: all

Audit Logging Configuration

Log Management

For log analysis, see Log management. For audit review, see Audit log monitoring.

File-based Audit Logging

LOG_ACTION_LOGS_ON_FILE_ENABLED (boolean, optional)
Enable file-based audit logging.
Default: false | Environment: all

LOG_ACTION_LOGS_ON_FILE_FORMATTER (string, optional)
Formatter class for file-based audit logs.
Default: 'Cake\Log\Formatter\DefaultFormatter' | Environment: all

LOG_ACTION_LOGS_ON_FILE_STRATEGY (string, optional)
Query strategy for file-based audit logs.
Default: 'Passbolt\Log\Strategy\ActionLogsDefaultQueryStrategy' | Environment: all

LOG_ACTION_LOGS_ON_FILE_PATH (string, optional)
Path for file-based audit logs.
Default: LOGS | Environment: all | Example: '/var/log/passbolt/audit'

LOG_ACTION_LOGS_ON_FILE_FILE (string, optional)
Filename for file-based audit logs.
Default: 'action-logs' | Environment: all | Example: 'audit.log'

LOG_ACTION_LOGS_ON_FILE_URL (string, optional)
URL for file-based audit logs (for external logging services).
Default: null | Environment: all

Syslog Audit Logging

LOG_ACTION_LOGS_ON_SYSLOG_ENABLED (boolean, optional)
Enable syslog-based audit logging.
Default: false | Environment: all

LOG_ACTION_LOGS_ON_SYSLOG_FORMATTER (string, optional)
Formatter class for syslog audit logs.
Default: 'Cake\Log\Formatter\DefaultFormatter' | Environment: all

LOG_ACTION_LOGS_ON_SYSLOG_STRATEGY (string, optional)
Query strategy for syslog audit logs.
Default: 'Passbolt\Log\Strategy\ActionLogsDefaultQueryStrategy' | Environment: all

LOG_ACTION_LOGS_ON_SYSLOG_FLAG (integer, optional)
Syslog flags for audit logging.
Default: LOG_ODELAY | Environment: all

LOG_ACTION_LOGS_ON_SYSLOG_PREFIX (string, optional)
Prefix for syslog audit log messages.
Default: '' | Environment: all | Example: 'passbolt-audit:'

LOG_ACTION_LOGS_ON_SYSLOG_FACILITY (integer, optional)
Syslog facility for audit logging.
Default: LOG_USER | Environment: all

Web Application Metadata

PASSBOLT_META_TITLE (string, optional)
Sets the <title> tag for the web application.
Default: 'Passbolt' | Environment: all

PASSBOLT_META_DESCRIPTION (string, optional)
Sets the <meta name="description"> tag for search engine optimization.
Default: 'Open source password manager for teams' | Environment: all

PASSBOLT_META_ROBOTS (string, optional)
Controls search engine indexing behavior.
Default: 'noindex, nofollow' | Environment: all

PASSBOLT_LEGAL_TERMSURL (string, optional)
URL to the terms of service page.
Default: 'https://www.passbolt.com/terms' | Environment: all

PASSBOLT_LEGAL_PRIVACYPOLICYURL (string, optional)
URL to the privacy policy page.
Default: '' | Environment: all

Development and Testing Configuration

Development/Testing Only

The variables in this section are primarily used for development, testing, and internal framework configuration. They are not typically configured by production administrators and are included here for completeness.

Production Note: These variables should not be used in production environments as they can expose sensitive information and reduce security.

Related: Development setup | Testing guidelines

Debug Configuration

DEBUG (boolean, optional)
Enable debug mode for detailed logging and error reporting. DEVELOPMENT/TESTING ONLY - Never enable in production environments.
Default: false | Environment: development | Security: high impact

Cache Configuration

CACHE_DEFAULT_URL (string|null, optional)
Complete cache connection URL for external cache servers. Typically configured for development/testing environments.
Default: null | Environment: development | Example: 'redis://localhost:6379'

CACHE_DEFAULT_HOST (string|null, optional)
Hostname or IP address of the external cache server. Typically configured for development/testing environments.
Default: null | Environment: development | Example: 'localhost'

CACHE_DEFAULT_PORT (integer|null, optional)
Port number for the external cache server connection. Typically configured for development/testing environments.
Default: null | Environment: development | Example: 6379

Test Database Configuration

DATASOURCES_TEST_DRIVER (string, optional)
Database driver for test environment. DEVELOPMENT/TESTING ONLY - Not used in production.
Default: 'Cake\Database\Driver\Mysql' | Environment: development

DATASOURCES_TEST_HOST (string, optional)
Test database server hostname. DEVELOPMENT/TESTING ONLY - Not used in production.
Default: 'localhost' | Environment: development

DATASOURCES_TEST_PORT (integer, optional)
Test database server port. DEVELOPMENT/TESTING ONLY - Not used in production.
Default: 3306 | Environment: development

DATASOURCES_TEST_USERNAME (string, optional)
Test database username. DEVELOPMENT/TESTING ONLY - Not used in production.
Default: 'my_app' | Environment: development

DATASOURCES_TEST_PASSWORD (string, optional)
Test database password. DEVELOPMENT/TESTING ONLY - Not used in production.
Default: 'secret' | Environment: development

DATASOURCES_TEST_DATABASE (string, optional)
Test database name. DEVELOPMENT/TESTING ONLY - Not used in production.
Default: 'my_app' | Environment: development
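
A pre-deployment check for the development-only variables listed in this section, as an added example that is not part of Passbolt or its documentation. The env-file layout (KEY=VALUE lines, as used for Docker env files) and the truthy spellings accepted for DEBUG (true/1/yes/on) are assumptions.

```shell
# Added example (not Passbolt code): flag development-only variables in an env file.
# Assumption: these spellings are treated as "enabled" for boolean variables.
is_truthy() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|1|yes|on) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_passbolt_env FILE: prints one finding per line, names only and never
# values (DATASOURCES_TEST_PASSWORD is a credential). Returns 1 on any finding.
audit_passbolt_env() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF files
        line=${line#"${line%%[![:space:]]*}"}         # trim leading whitespace
        line=${line#export }                          # allow "export KEY=VALUE"
        case "$line" in
            ''|'#'*) continue ;;                      # blank line or comment
            *=*) ;;
            *) continue ;;                            # not an assignment
        esac
        key=${line%%=*}; value=${line#*=}
        case "$value" in                              # strip one pair of quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        case "$key" in
            DEBUG)
                if is_truthy "$value"; then
                    echo "FAIL DEBUG is enabled"
                    findings=$((findings + 1))
                fi ;;
            DATASOURCES_TEST_*|CACHE_DEFAULT_*)
                if [ -n "$value" ]; then
                    echo "WARN $key is set (documented as development-only)"
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample input, not taken from a real deployment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# passbolt.env (constructed)
DEBUG="True"
DATASOURCES_TEST_PASSWORD=secret
CACHE_DEFAULT_HOST=
PASSBOLT_EMAIL_SHOW_SECRET=false
EOF
audit_passbolt_env "$sample" || echo "audit: resolve the findings above before production"
rm -f "$sample"
```

The non-zero return status lets the function gate a CI or deployment step. An explicit DEBUG=false passes because it matches the documented default.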

Logging Configuration

Debug Logging

LOG_DEBUG_URL (string, optional)
Debug log connection URL.
Default: null | Environment: all

LOG_DEBUG_FORMATTER (string, optional)
Debug log formatter class.
Default: 'Cake\Log\Formatter\DefaultFormatter' | Environment: all

Error Logging

LOG_ERROR_URL (string, optional)
Error log connection URL.
Default: null | Environment: all

LOG_ERROR_FORMATTER (string, optional)
Error log formatter class.
Default: 'Cake\Log\Formatter\DefaultFormatter' | Environment: all

Query Logging

LOG_QUERIES_URL (string, optional)
Query log connection URL.
Default: null | Environment: all

LOG_QUERIES_FORMATTER (string, optional)
Query log formatter class.
Default: 'Cake\Log\Formatter\DefaultFormatter' | Environment: all
