Version: 1.1

Environment Variables (Configuration)

Shyntr follows the 12-Factor App model. Configuration is provided through environment variables. This page reflects the current defaults in the Shyntr 1.1 codebase.

Configuration Priority

Environment variables override defaults in the config loader. In containerized deployments, prefer explicit environment variables over implicit local defaults.

Core Server Settings

Variable	Default	Description
`PORT`	`7496`	Port for the Public API
`ADMIN_PORT`	`7497`	Port for the Admin API
`SWAGGER_PORT`	`7498`	Port for the Swagger / OpenAPI server
`ISSUER_URL`	`http://localhost:7496`	Base issuer URL for OIDC metadata, token issuer claims, and public identity endpoints
`LOG_LEVEL`	`info`	Log verbosity: `debug`, `info`, `warn`, `error`, `fatal`
`COOKIE_SECURE`	`false`	Set to `true` when the deployment is behind HTTPS
`DEVELOPMENT`	`false`	Shyntr config flag loaded by `config/config.go`; in current code it is used for development-only webhook URL behavior

Example: Production core settings
PORT=7496
ADMIN_PORT=7497
SWAGGER_PORT=7498
ISSUER_URL=https://auth.yourcompany.com
LOG_LEVEL=info
COOKIE_SECURE=true
DEVELOPMENT=false

ISSUER_URL Importance

ISSUER_URL must match the public issuer your clients and resource servers expect. Changing it after deployment can invalidate token validation and metadata expectations.

Framework / Process Environment

The following environment variables affect runtime behavior, but they are not part of the Shyntr config struct loaded from config/config.go:

Variable	Default	Description
`GO_ENV`	`development`	Read directly by the logger; `production` switches logging to the production Zap configuration
`GIN_MODE`	Gin default	Gin framework runtime mode; commonly set to `release` in production

Database Configuration

Variable	Default	Description
`DSN`	`postgres://shyntr:secretpassword@localhost:5432/shyntr?sslmode=disable`	PostgreSQL connection string
`DATABASE_URL`	(alias for `DSN`)	Alternate connection string variable
`DB_MAX_IDLE_CONNS`	`20`	Maximum idle database connections
`DB_MAX_OPEN_CONNS`	`80`	Maximum open database connections

Example: Production database settings
DSN=postgres://shyntr:${DB_PASSWORD}@db.internal:5432/shyntr?sslmode=require
DB_MAX_IDLE_CONNS=20
DB_MAX_OPEN_CONNS=80

Connection String Format

postgres://[user]:[password]@[host]:[port]/[database]?[parameters]

Common parameters:

sslmode=disable
sslmode=require
sslmode=verify-full
connect_timeout=10

Cryptography & Security

Variable	Default	Description
`APP_SECRET`	`12345678901234567890123456789012`	Required 32-byte secret for encryption and related internal secrets handling
`APP_PRIVATE_KEY_BASE64`	(empty)	Base64-encoded RSA private key; if empty, Shyntr generates and stores key material internally
`AUTO_KEY_ROTATION_ENABLED`	`false`	Enables automatic internal key rotation when supported by the deployment
`SKIP_TLS_VERIFY`	`false`	Skips outbound TLS certificate verification; affects TLS validation only, not outbound policy decisions

Critical Security Variables

APP_SECRET must be exactly 32 bytes and must be treated as a real secret. If it changes unexpectedly, encrypted stored values become unreadable.

Generate a 32-byte secret
openssl rand -hex 16

SKIP_TLS_VERIFY

Do not set SKIP_TLS_VERIFY=true in production. It weakens outbound TLS validation and should only be used for development or controlled test environments.

Outbound Security Note

Shyntr does not rely on environment variables alone for outbound request security.

Outbound HTTP actions such as OIDC discovery, JWKS retrieval, SAML metadata retrieval, and webhooks are still governed by outbound policy enforcement. SKIP_TLS_VERIFY changes TLS validation behavior, but it does not bypass outbound policy checks.

Headless UI Routing (Auth Portal)

These URLs tell Shyntr where to redirect users for external UI:

Variable	Default	Description
`EXTERNAL_LOGIN_URL`	`http://localhost:3000/login`	Login UI URL
`EXTERNAL_CONSENT_URL`	`http://localhost:3000/consent`	Consent UI URL

Example: Production Auth Portal
EXTERNAL_LOGIN_URL=https://auth-portal.yourcompany.com/login
EXTERNAL_CONSENT_URL=https://auth-portal.yourcompany.com/consent

Shyntr appends challenge parameters such as login_challenge and consent_challenge to these URLs.

Token Lifespans

Variable	Default	Description
`ACCESS_TOKEN_LIFESPAN`	`1h`	Default access token lifetime
`ID_TOKEN_LIFESPAN`	`1h`	Default ID token lifetime
`REFRESH_TOKEN_LIFESPAN`	`720h`	Default refresh token lifetime

Supported duration examples:

15m
1h
24h
720h

Client-Specific Overrides

These values are global defaults. Individual clients can still override token behavior through management APIs or CLI commands where supported.

Variable	Default	Description
`CORS_ALLOWED_ORIGINS`	`*`	Allowed origins for the Public API
`ADMIN_CORS_ALLOWED_ORIGINS`	`http://localhost:3010,http://localhost:3000,http://localhost:3274,http://localhost:7497`	Allowed origins for the Admin API

Example: Production CORS
CORS_ALLOWED_ORIGINS=https://app.yourcompany.com
ADMIN_CORS_ALLOWED_ORIGINS=https://auth-portal.yourcompany.com,https://dashboard.internal.yourcompany.com

Admin API Boundary

ADMIN_CORS_ALLOWED_ORIGINS is not an authentication control. The admin surface must still be protected at the trusted edge and must not be exposed directly to a public interface.

Multi-Tenancy

Variable	Default	Description
`DEFAULT_TENANT_ID`	`default`	Root tenant created during initial migration

Complete Production Example

.env.production
# Core Server
PORT=7496
ADMIN_PORT=7497
SWAGGER_PORT=7498
ISSUER_URL=https://auth.yourcompany.com
LOG_LEVEL=info
COOKIE_SECURE=true
DEVELOPMENT=false

# Framework / process environment
GO_ENV=production
GIN_MODE=release

# Database
DSN=postgres://shyntr:${DB_PASSWORD}@db.internal:5432/shyntr?sslmode=verify-full
DB_MAX_IDLE_CONNS=20
DB_MAX_OPEN_CONNS=80

# Security
APP_SECRET=${APP_SECRET}
APP_PRIVATE_KEY_BASE64=${RSA_PRIVATE_KEY}
AUTO_KEY_ROTATION_ENABLED=false
SKIP_TLS_VERIFY=false

# Auth Portal
EXTERNAL_LOGIN_URL=https://auth-portal.yourcompany.com/login
EXTERNAL_CONSENT_URL=https://auth-portal.yourcompany.com/consent

# Token Lifespans
ACCESS_TOKEN_LIFESPAN=1h
ID_TOKEN_LIFESPAN=1h
REFRESH_TOKEN_LIFESPAN=168h

# CORS
CORS_ALLOWED_ORIGINS=https://app.yourcompany.com
ADMIN_CORS_ALLOWED_ORIGINS=https://auth-portal.yourcompany.com,https://dashboard.internal.yourcompany.com

# Multi-Tenancy
DEFAULT_TENANT_ID=default

Validation Notes

Shyntr validates key configuration at startup, including:

APP_SECRET presence and exact 32-byte length
database connectivity through the configured DSN
environment binding into the runtime config

This codebase does not document or implement a file-based *_FILE secret-loading mechanism in the current config loader, so this page intentionally documents only the environment variables that are explicitly present in code.

Next Steps

Deploy with Docker Compose
Review the CLI Reference
Read Architecture before exposing the admin plane

Core Server Settings​

Framework / Process Environment​

Database Configuration​

Connection String Format​

Cryptography & Security​

Outbound Security Note​

Headless UI Routing (Auth Portal)​

Token Lifespans​

Cross-Origin Resource Sharing (CORS)​

Multi-Tenancy​

Complete Production Example​

Validation Notes​

Next Steps​