
Hub environment variables

Quick-reference table of all Watchflare Hub environment variables with types and defaults. For full explanations and usage context, see the Configuration guide.

All Hub configuration is done through environment variables. When using Docker Compose, place them in a .env file next to docker-compose.yml.


Required

| Variable | Min length | Description |
| --- | --- | --- |
| POSTGRES_PASSWORD | | Database password. The binary falls back to watchflare_dev if unset — always set this in production. Docker Compose enforces it via :?. |
| JWT_SECRET | 32 chars | Signs user session cookies and encrypts TOTP secrets for 2FA. Hub exits at startup if missing or too short. Changing this value invalidates all active sessions and disables 2FA for enrolled users. |
| NOTIFICATION_ENCRYPTION_KEY | 32 chars | Encrypts SMTP credentials and notification channel URLs (Discord, Slack, etc.) at rest. Optional for the Hub binary: if not set, notification storage is disabled. Required by the Docker Compose file (set via :? syntax) so it is always generated upfront, even if you don’t plan to use notifications yet. If set, must be at least 32 characters (Hub exits otherwise). |

Database

| Variable | Default | Description |
| --- | --- | --- |
| POSTGRES_HOST | localhost | PostgreSQL hostname. Docker Compose sets this to postgres. |
| POSTGRES_PORT | 5432 | PostgreSQL port |
| POSTGRES_USER | watchflare | Database user |
| POSTGRES_PASSWORD | watchflare_dev | Database password |
| POSTGRES_DB | watchflare | Database name |
| POSTGRES_SSLMODE | disable | PostgreSQL SSL mode |

Ports

| Variable | Default | Description |
| --- | --- | --- |
| HUB_PORT | 8080 | Docker only. External port for the HTTP server. The internal container port is always 8080. |
| GRPC_PORT | 50051 | gRPC port for agent connections |

TLS

| Variable | Default | Description |
| --- | --- | --- |
| TLS_MODE | auto | auto — Hub generates its own CA and server certificate. custom — provide your own files. |
| TLS_PKI_DIR | /var/lib/watchflare/pki | Directory for auto-generated certificates (auto mode only) |
| TLS_CERT_FILE | | Server certificate path (custom mode only) |
| TLS_KEY_FILE | | Server private key path (custom mode only) |
| TLS_CA_FILE | | CA certificate path, sent to agents at registration (custom mode only) |

| Variable | Default | Description |
| --- | --- | --- |
| COOKIE_SECURE | (auto) | Force Secure flag: true or false. Omit to use auto-detection (recommended). |
| COOKIE_DOMAIN | (empty) | Cookie domain — set to your domain when using a reverse proxy |
| TRUSTED_PROXIES | 127.0.0.1,::1 | Comma-separated IPs allowed to set X-Forwarded-Proto |

gRPC security

| Variable | Default | Description |
| --- | --- | --- |
| GRPC_TIMESTAMP_WINDOW | 300 | HMAC timestamp window in seconds (±window). Requests outside this range are rejected. |

Environment

| Variable | Default | Description |
| --- | --- | --- |
| ENV | development | Set to production in deployed instances. Switches Gin to release mode. Docker Compose sets this automatically. |
| CORS_ORIGINS | http://localhost:5173 | Comma-separated allowed CORS origins. Not needed for Docker or binary installs. |

Quick-start .env

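```bash
# Run in the directory that holds docker-compose.yml. Compose does not execute
# $(...) inside a .env file, so the values are generated here and written out.
echo "POSTGRES_PASSWORD=$(openssl rand -base64 32)" >> .env
echo "JWT_SECRET=$(openssl rand -base64 32)" >> .env
echo "NOTIFICATION_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> .env
chmod 600 .env
```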

All other variables have sensible defaults for a standard Docker Compose deployment.
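
A pre-deployment check of a .env file against the constraints listed in the tables above, written as an added example (it is not part of the Watchflare project). The function names, the finding format and the sample file are hypothetical, and the rule that custom TLS mode needs all three file paths is an assumption.

```python
MIN_SECRET_LEN = 32                 # documented minimum for both keys
DEV_DB_PASSWORD = "watchflare_dev"  # documented fallback of the Hub binary

def parse_env(text):
    """Parse KEY=VALUE lines as a .env file holds them (no shell expansion)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]     # drop one pair of surrounding quotes
        env[key.strip()] = value
    return env

def check_hub_env(env):
    """Return sorted (level, variable) findings; level is 'error' or 'warn'."""
    findings = set()
    if env.get("POSTGRES_PASSWORD", "") in ("", DEV_DB_PASSWORD):
        findings.add(("error", "POSTGRES_PASSWORD"))   # dev fallback in use
    if len(env.get("JWT_SECRET", "")) < MIN_SECRET_LEN:
        findings.add(("error", "JWT_SECRET"))          # Hub exits at startup
    key = env.get("NOTIFICATION_ENCRYPTION_KEY")
    if not key:
        findings.add(("warn", "NOTIFICATION_ENCRYPTION_KEY"))   # storage disabled
    elif len(key) < MIN_SECRET_LEN:
        findings.add(("error", "NOTIFICATION_ENCRYPTION_KEY"))  # Hub exits
    if env.get("TLS_MODE", "auto") == "custom":
        # Assumption: custom mode needs all three paths to be set.
        for name in ("TLS_CERT_FILE", "TLS_KEY_FILE", "TLS_CA_FILE"):
            if not env.get(name):
                findings.add(("error", name))
    if env.get("ENV", "development") != "production":
        findings.add(("warn", "ENV"))                  # Gin not in release mode
    return sorted(findings)

# Constructed sample input, not a real deployment.
SAMPLE = """\
POSTGRES_PASSWORD=watchflare_dev
JWT_SECRET=changeme
TLS_MODE=custom
TLS_CERT_FILE=/etc/watchflare/server.crt
ENV=production
"""

if __name__ == "__main__":
    print(*check_hub_env(parse_env(SAMPLE)), sep="\n")
```
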