Configuration

import { Aside } from ‘@astrojs/starlight/components’;

Orimora is configured entirely through environment variables (and team-level preferences in the database). The source of truth is .env.example at the repository root; this page gives a structured overview and links related behavior.

Core application

Variable	Required	Description
APP_URL	Yes (prod)	Public base URL, e.g. https://wiki.example.com. Drives magic links and OAuth redirects. Dev: http://localhost:5173.
NODE_ENV	—	development or production.
PORT	—	HTTP listen port (default 3000 in Docker; Vite dev uses its own port).

Database and cache

Variable	Required	Description
DATABASE_URL	Yes	PostgreSQL 16+ connection string.
REDIS_URL	Yes	Used for sessions, rate limiting, queues, and BullMQ workers.

Authentication secrets

Variable	Required	Description
SESSION_SECRET	Yes	64 hex chars (32 bytes). Signs session cookies.
MAGIC_LINK_SECRET	Yes	64 hex chars. Signs magic-link JWTs.

Generate both with:

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Email (magic link)

If SMTP is unset, magic-link email is not sent (use OAuth or another strategy in dev).

Variable	Description
SMTP_HOST	Server hostname
SMTP_PORT	Usually 587 (STARTTLS) or 465
SMTP_USER	Username
SMTP_PASSWORD	Password (name in .env.example)
SMTP_FROM	From address

OAuth

Google

Variable	Description
GOOGLE_CLIENT_ID	OAuth client ID
GOOGLE_CLIENT_SECRET	OAuth client secret

Authorized redirect URI (replace host with yours):

{APP_URL}/auth/google/callback

Generic OIDC

Variable	Description
OIDC_ISSUER	Issuer URL
OIDC_CLIENT_ID	Client ID
OIDC_CLIENT_SECRET	Client secret
OIDC_SCOPE	Space-separated scopes (default openid email profile)

Redirect URI pattern:

{APP_URL}/auth/oidc/callback

Collaboration (Yjs / Hocuspocus)

Variable	Description
COLLAB_SECRET	Optional shared secret for the collab endpoint
COLLAB_MAX_CONNECTIONS	Max concurrent WebSocket connections

The editor connects to /collab on the same origin as the app.

Object storage (optional)

S3-compatible storage for attachments when enabled in the product:

Variable	Description
S3_BUCKET	Bucket name
S3_REGION	Region
S3_ACCESS_KEY / S3_SECRET_KEY	Credentials
S3_ENDPOINT	Custom endpoint (e.g. MinIO)

AI / LLM (Settings → AI in UI)

Variable	Required	Description
LLM_ENCRYPTION_KEY	Yes	64 hex chars — encrypts API keys stored for LLM providers.

Scheduled jobs

Variable	Description
CRON_SECRET	Bearer token for POST /api/admin/cron.cleanup — trash purge, pending invite reminders. If empty, external cron must not call the endpoint (or it will reject).

API keys (CLI / MCP)

Variable	Description
ORIMORA_API_KEY	Convenience for local tooling / MCP (yarn mcp) — create a key in Settings → Developers and paste it here.

Team preferences (HTTP API)

Some defaults are stored per team and updated via the app or internal APIs, for example:

Concern	Notes
Default document width	normal / wide
Default language for members	Locale string
Revision retention	Upper bound of stored snapshots per document

See the admin settings UI and REST API overview for integration boundaries.

Security notes

Store `SESSION_SECRET`, `MAGIC_LINK_SECRET`, `LLM_ENCRYPTION_KEY`, and database credentials in a **secret manager** in production. Never commit `.env`.

See also

• Installation — local dev checklist
• Deployment — Docker Compose and migrations
• REST API overview — Bearer keys and rate limits