Skip to content
Breeze RMM

Environment Variables

All configuration is done through environment variables, defined in your .env.prod file. This page documents every variable.

Database

Section titled “Database”
VariableDefaultRequiredDescription
POSTGRES_USERbreezePostgreSQL username
POSTGRES_PASSWORDYesPostgreSQL password
POSTGRES_DBbreezeDatabase name
POSTGRES_PORT5432PostgreSQL port
DATABASE_URLAutoFull connection string (constructed from above in Docker)

Redis

Section titled “Redis”
VariableDefaultRequiredDescription
REDIS_URLredis://localhost:6379Yes (prod)Redis connection URL. Must carry a password in production (e.g., redis://:password@localhost:6379) — the API refuses to boot if it doesn’t.
REDIS_PORT6379Redis port
REDIS_PASSWORDYes (prod)Password for Redis authentication. Set in docker-compose and include in REDIS_URL.
REDIS_PASSWORD_FILEPath to a file containing the Redis password (Docker secret style). Used in place of REDIS_PASSWORD when secrets are mounted as files.

Authentication & Security

Section titled “Authentication & Security”
VariableDefaultRequiredDescription
JWT_SECRETYesJWT signing key (min 32 chars). Generate: openssl rand -base64 64
JWT_EXPIRES_IN15mAccess token lifetime
REFRESH_TOKEN_EXPIRES_IN7dRefresh token lifetime
AGENT_ENROLLMENT_SECRETYesShared secret for agent enrollment. Generate: openssl rand -hex 32
APP_ENCRYPTION_KEYYesAES encryption key for sensitive data at rest
MFA_ENCRYPTION_KEYYesEncryption key for MFA secrets
ENROLLMENT_KEY_PEPPERYesHMAC pepper for enrollment key hashing
MFA_RECOVERY_CODE_PEPPERYesHMAC pepper for recovery code hashing
ENROLLMENT_KEY_DEFAULT_TTL_MINUTES60Default enrollment key expiry
SESSION_SECRETYesExpress session signing secret
SESSION_MAX_AGE86400000Session max age in ms (24h)

Server

Section titled “Server”
VariableDefaultRequiredDescription
NODE_ENVproductionEnvironment mode
API_PORT3001API server port
WEB_PORT4321Web dashboard port
PUBLIC_API_URLhttps://${BREEZE_DOMAIN} (bundled compose only)Public API URL used for generated agent installers and shareable links. The bundled docker-compose.yml derives this from BREEZE_DOMAIN. If you use a custom compose file, you must set PUBLIC_API_URL in .env and map it into the api service environment: block, or Generate Link / Download Installer will fail with Server URL not configured.
API_URLLegacy fallback for PUBLIC_API_URL, honored only by enrollment, installer, and MCP-invite code paths. Auto-update, dev-push, and a few other routes read PUBLIC_API_URL only — prefer setting PUBLIC_API_URL.
BREEZE_DOMAINYes (prod)Domain for Caddy TLS provisioning
ACME_EMAILYes (prod)Email for Let’s Encrypt certificate notifications
CORS_ALLOWED_ORIGINSComma-separated allowed CORS origins
IS_HOSTEDYes (prod)true for hosted SaaS edition, false for self-hosted. Must be set explicitly — the API refuses to boot otherwise. Controls signup gating, billing, and email-verification policy.
TRUST_PROXY_HEADERSYes (prod)true when behind a reverse proxy (Caddy, Cloudflare). Must be set explicitly in production.
TRUSTED_PROXY_CIDRSWhen TRUST_PROXY_HEADERS=trueComma-separated CIDRs of trusted reverse proxies (e.g., 10.0.0.0/8,172.16.0.0/12). Required when proxy headers are trusted.
DASHBOARD_URLURL for links in emails
PUBLIC_APP_URLPublic-facing app URL

Email

Section titled “Email”
VariableDefaultDescription
EMAIL_PROVIDERautoProvider: auto, resend, smtp, or mailgun
RESEND_API_KEYResend API key
EMAIL_FROMnoreply@breeze.localSender address
SMTP_HOSTSMTP server hostname
SMTP_PORT587SMTP port
SMTP_USERSMTP username
SMTP_PASSSMTP password
SMTP_FROMnoreply@breeze.localSMTP-specific sender address
SMTP_SECUREfalseUse TLS for SMTP
MAILGUN_API_KEYMailgun API key
MAILGUN_DOMAINMailgun sending domain
MAILGUN_BASE_URLhttps://api.mailgun.netMailgun API base URL
MAILGUN_FROMnoreply@breeze.localMailgun-specific sender address

SMS (Twilio)

Section titled “SMS (Twilio)”
VariableDefaultDescription
TWILIO_ACCOUNT_SIDTwilio Account SID
TWILIO_AUTH_TOKENTwilio Auth Token
TWILIO_VERIFY_SERVICE_SIDTwilio Verify service SID (for SMS MFA)
TWILIO_MESSAGING_SERVICE_SIDTwilio Messaging Service SID (for alert SMS)
TWILIO_PHONE_NUMBERTwilio phone number for outbound SMS

Binary Distribution

Section titled “Binary Distribution”
VariableDefaultRequiredDescription
BINARY_SOURCElocalDownload source: local (serve from disk, optional S3) or github (redirect to GitHub Releases)
AGENT_BINARY_DIR./agent/binLocal directory containing agent binaries
VIEWER_BINARY_DIR./viewer/binLocal directory containing viewer installers
HELPER_BINARY_DIR/data/binaries/helperLocal directory containing helper binaries
BINARY_VERSION_FILEPath to VERSION file for local mode DB registration (set automatically in Docker Compose)
BINARY_VERSIONRelease tag for GitHub redirect mode (falls back to BREEZE_VERSION, then latest)
RELEASE_ARTIFACT_MANIFEST_PUBLIC_KEYSYes (prod)Comma-separated base64 SPKI of the Ed25519 keys that sign release manifests. The API refuses to start in production without it. BREEZE_RELEASE_ARTIFACT_MANIFEST_PUBLIC_KEYS is accepted as an alias.

See Binary Distribution for details on local vs GitHub mode and S3 offloading.

Object Storage

Section titled “Object Storage”
VariableDefaultDescription
S3_ENDPOINTS3-compatible endpoint (MinIO, R2, AWS). Uses path-style addressing.
S3_ACCESS_KEYAccess key
S3_SECRET_KEYSecret key
S3_BUCKETBucket name
S3_REGIONus-east-1Bucket region
S3_PRESIGN_TTL900Presigned URL expiration in seconds (15 min)
MINIO_API_PORT9000MinIO API port (Docker only)
MINIO_CONSOLE_PORT9001MinIO web console port (Docker only)

WebRTC / TURN

Section titled “WebRTC / TURN”

The Breeze stack includes a coturn TURN server for WebRTC relay. Without TURN, remote desktop connections fail when either peer is behind symmetric NAT or a restrictive firewall.

VariableDefaultRequiredDescription
TURN_HOSTYes (prod)Public IP or hostname of the TURN server. Must be reachable by agents and viewers.
TURN_PORT3478TURN listening port (UDP and TCP)
TURN_SECRETYes (prod)Shared secret for TURN credential generation. Generate: openssl rand -hex 32
TURN_REALMbreeze.localTURN authentication realm

Monitoring

Section titled “Monitoring”
VariableDefaultDescription
METRICS_SCRAPE_TOKENBearer token for /metrics/scrape
METRICS_INCLUDE_ORG_IDfalseInclude org IDs in Prometheus labels
METRICS_SCRAPE_IP_ALLOWLISTRestrict metrics scraping by IP
LOG_LEVELinfoLog verbosity: debug, info, warn, error
LOG_JSONtrueStructured JSON logging
GRAFANA_ADMIN_USERadminGrafana admin username
GRAFANA_ADMIN_PASSWORDGrafana admin password
GRAFANA_PORT3000Grafana web UI port (monitoring stack)
GRAFANA_ROOT_URLhttp://localhost:3000Grafana public root URL (monitoring stack)
PROMETHEUS_PORT9090Prometheus web UI port (monitoring stack)
ALERTMANAGER_PORT9093Alertmanager web UI port (monitoring stack)
LOKI_PORT3100Loki log aggregation API port (monitoring stack)

Sentry

Section titled “Sentry”

Both API and web Sentry integrations are off by default. Leave the DSN variables blank to disable. See Error Tracking & Privacy for what gets collected and how scrubbing works.

VariableDefaultDescription
SENTRY_DSNAPI Sentry DSN. Leave blank to disable server-side error tracking.
SENTRY_ENVIRONMENTproductionSentry environment tag
SENTRY_RELEASESentry release tag (e.g. git SHA)
SENTRY_TRACES_SAMPLE_RATE0.1Sentry performance trace sample rate (0.0-1.0)
PUBLIC_SENTRY_DSN_WEBWeb Sentry DSN. Leave blank to disable browser error tracking and on-error session replay. Inlined into the web bundle at build time.
SENTRY_AUTH_TOKENSentry auth token used during the web build to upload source maps. If unset, source map upload is skipped and the build still succeeds.

Rate Limiting

Section titled “Rate Limiting”

Two rate-limit tiers protect the API. The generic per-user limit covers logged-in dashboard usage; the per-org agent limit caps how much traffic a single tenant’s fleet can generate, even with thousands of agents.

VariableDefaultDescription
RATE_LIMIT_WINDOW_MS60000Sliding window duration (ms)
RATE_LIMIT_MAX_REQUESTS100Max requests per window
AGENT_ORG_RATE_LIMIT_PER_MIN600Per-organization sliding-window rate limit on agent-authenticated endpoints. Returns 429 with Retry-After: 60 when exceeded. Sized for ~5 active agents per org; raise for MSPs with very large fleets.

Database

Section titled “Database”
VariableDefaultDescription
DB_POOL_MAX30Maximum postgres-js connection pool size. Tune up if you see cascading 504s during heartbeat storms; confirm Postgres max_connections has headroom (default 100 is fine for a single API replica).

File Transfer & Remote Sessions

Section titled “File Transfer & Remote Sessions”
VariableDefaultDescription
TRANSFER_STORAGE_PATH./data/transfersFile transfer storage directory
MAX_TRANSFER_SIZE_MB100Max file transfer size
MAX_ACTIVE_TRANSFERS_PER_ORG20Concurrent transfer limit per org
MAX_ACTIVE_TRANSFERS_PER_USER10Concurrent transfer limit per user
MAX_ACTIVE_REMOTE_SESSIONS_PER_ORG10Concurrent remote sessions per org
MAX_ACTIVE_REMOTE_SESSIONS_PER_USER5Concurrent remote sessions per user
PATCH_REPORT_STORAGE_PATH./data/patch-reportsPatch compliance report storage

Feature Flags

Section titled “Feature Flags”
VariableDefaultDescription
ENABLE_REGISTRATIONtrueAllow new user registration
ENABLE_2FAtrueEnable two-factor authentication
ENABLE_API_DOCSfalseEnable Swagger API documentation
ENABLE_API_DOCS_UIfalseEnable interactive Swagger UI (requires ENABLE_API_DOCS=true)
USE_AGENT_SDKUse Claude Agent SDK for AI chat
PORTAL_STATE_BACKENDmemoryPortal state backend: memory or redis (auto redis in production)

MCP Server

Section titled “MCP Server”
VariableDefaultDescription
MCP_SSE_RATE_LIMIT_PER_MINUTE30SSE connection rate limit per API key
MCP_MESSAGE_RATE_LIMIT_PER_MINUTE120Message rate limit per API key
MCP_MAX_SSE_SESSIONS_PER_KEY5Max concurrent SSE sessions per API key
MCP_REQUIRE_EXECUTE_ADMINfalseRequire ai:execute_admin scope for Tier 3 tools
MCP_EXECUTE_TOOL_ALLOWLISTComma-separated allowed Tier 3 tools (empty = deny all)

Cloudflare mTLS

Section titled “Cloudflare mTLS”
VariableDefaultDescription
CLOUDFLARE_API_TOKENCloudflare API token with Client Certificates permission
CLOUDFLARE_ZONE_IDCloudflare zone ID for your domain

Cloud-to-Cloud Backup (M365)

Section titled “Cloud-to-Cloud Backup (M365)”
VariableDefaultDescription
C2C_M365_CLIENT_IDAzure AD app (client) ID for multi-tenant M365 backup. When set with the secret below, enables one-click admin consent flow for connecting Microsoft 365 backups.
C2C_M365_CLIENT_SECRETAzure AD app client secret for multi-tenant M365 backup

Docker Deployment

Section titled “Docker Deployment”
VariableDefaultDescription
BREEZE_VERSIONlatestBreeze release tag for Docker images (e.g. 0.50.0). Also used by GitHub redirect mode for agent binary downloads.
DOCKER_PLATFORMlinux/amd64Container platform. GHCR images are amd64 only. On Apple Silicon, use docker-compose.override.yml.local-build to build native arm64 images instead.
REDIS_MAXMEMORY256mbMaximum memory Redis is allowed to use. Redis runs with noeviction policy so BullMQ jobs are never silently dropped.

MSI Installer Signing

Section titled “MSI Installer Signing”
VariableDefaultDescription
MSI_SIGNING_URLURL of the remote Windows signing service. When set, pre-configured MSI installer downloads are code-signed before delivery.
MSI_SIGNING_CF_ACCESS_IDCloudflare Access service token Client ID for authenticating to the signing service
MSI_SIGNING_CF_ACCESS_SECRETCloudflare Access service token Client Secret for authenticating to the signing service

Billing

Section titled “Billing”
VariableDefaultDescription
BILLING_SERVICE_URLURL of the billing service for AI credit checks and deductions. When unset, AI usage is unlimited.
BILLING_SERVICE_API_KEYAPI key for authenticating to the billing service

AI

Section titled “AI”
VariableDefaultDescription
ANTHROPIC_API_KEYAnthropic API key for AI assistant (BYOK)