The following table contains a list of environment variables that you can set to configure the DocSpring application. Variables are required unless they are marked as Optional.

| Environment Variable | Details |
|---|---|
| DOCSPRING_LICENSE | Your DocSpring license key (required) |
| DOMAIN_NAME | The host or IP address that you will use to access the DocSpring server. You can include a port, e.g. docspring.local:8080. Tip: Add an entry to /etc/hosts if you haven’t set up DNS yet. E.g. *.*.*.* docspring-enterprise.local (You might also want to configure a static IP for your instance.) |
| APP_DOMAIN_NAME | Optional: Host or IP address to access the DocSpring web application paths (/templates, /submissions, etc.) |
| API_DOMAIN_NAME | Optional: Host or IP address to access the DocSpring API endpoints (/api/v1/*.) Default: DOMAIN_NAME |
| ADMIN_DOMAIN_NAME | Optional: Host or IP address to access the DocSpring admin URLs (/admin/*) Default: DOMAIN_NAME |
| EMAIL_DOMAIN_NAME | The host for the “from” address in any notification emails. E.g. support@<yourdomain>. Default: support@<DOMAIN_NAME> |
| FROM_EMAIL | Name/email for email notifications, e.g. DocSpring [email protected] |
| ALLOW_ALL_HOSTS | Set ALLOW_ALL_HOSTS=true to allow requests from any host. The default behavior is that the application will only respond to requests from a known host (e.g. DOMAIN_NAME, APP_DOMAIN_NAME, API_DOMAIN_NAME, ADMIN_DOMAIN_NAME), and all other requests will be blocked. We recommend leaving the ALLOW_ALL_HOSTS variable blank, because the default blocking behavior protects against DNS rebinding attacks. |
| FORCE_SSL | Set *FORCE_SSL=true* if you have deployed the application behind a load balancer with SSL enabled. This ensures that all URLs will use the https scheme instead of http. (Otherwise, all URLs will use http by default.) |
| TIMEZONE | Timezone for your server. Default: “Eastern Time (US & Canada)”. Must be one of the values in this list (under MAPPING): https://www.rubydoc.info/gems/activesupport/ActiveSupport/TimeZone |
| GOOGLE_OAUTH_CLIENT_ID | Optional: Client ID for Google OAuth (“Sign in with Google”) |
| GOOGLE_OAUTH_CLIENT_SECRET | Optional: Client Secret for Google OAuth (“Sign in with Google”) |
| GOOGLE_OAUTH_DOMAIN | Optional: Only allow users to sign in and sign up with Google if they have an email address ending in this domain. New users will automatically join the first account (instead of creating a new account.) |
| GOOGLE_OAUTH_ACCOUNT_ID | Optional: Specify the account ID that new users should join when they sign in / sign up with Google. (e.g. acc_**********) Default: Use the first account. |
| GITHUB_OAUTH_CLIENT_ID | Optional: GitHub App Client ID for OAuth |
| GITHUB_OAUTH_CLIENT_SECRET | Optional: GitHub App Client Secret for OAuth |
| OPENID_CLIENT_ID | Optional: Client ID for OpenID Connect |
| OPENID_CLIENT_SECRET | Optional: Client Secret for OpenID Connect |
| OPENID_REDIRECT_URI | Optional: Redirect URL for OpenID Connect |
| OPENID_HOST | Optional: Host for OpenID Connect server |
| OPENID_SCHEME | Optional: Scheme for OpenID Connect server (http or https) |
| OPENID_PORT | Optional: Port for OpenID Connect server (e.g. 443) |
| OPENID_ISSUER | Optional: OpenID Connect issuer |
| OPENID_DISCOVERY | Optional: Enable discovery for OpenID Connect |
| OPENID_CLIENT_AUTH_METHOD | Optional: Client auth method for OpenID Connect (default: query) |
| OPENID_UID_FIELD | Optional: UID field for OpenID Connect (default: sub) |
| DISABLE_PWNED_PASSWORD_CHECK | DocSpring uses the Pwned Passwords API to ensure that passwords have not appeared in a data breach. Set this variable to any value (e.g. 1, true) to disable this check. This will allow you to use weak passwords such as “password1”. (NOT RECOMMENDED. Only use this on a test or staging server, or for an air-gapped deployment with no internet access.) |
| MANDATORY_OTP | Optional: Set this variable to force all users to set up 2FA after they sign up or log in. |
| REQUIRE_RAILS_CONSOLE_AUTH | Optional: Set this variable to require authentication when accessing the Rails console. Only admin users with 2FA enabled will be allowed to sign in. |
| DATABASE_URL | Rails uses this to connect to the database. This URL includes your database username, password, host, port, and name. If you are using Convox on AWS: Convox sets this variable automatically. If you are using Google Cloud SQL: the host must be *cloudsql-proxy* (this proxy service is configured with docker-compose.) Example: *postgres://postgres:DB_PASSWORD@cloudsql-proxy:5432/docspring_production* |
| REDIS_URL (Optional. Default: redis://redis:6379) | IMPORTANT: Your Redis version must be at least 4.0. (I recommend running the latest version available on AWS ElastiCache.) If you are using Convox on AWS: Convox sets this variable automatically. If you are using Google Cloud: We run an instance of Redis on the server, and this is configured by default. You can set the *REDIS_URL* variable to use a different Redis. |
| SECRET_KEY_BASE | 64 random bytes used for security in Rails (e.g. user sessions.) Run the following command in your terminal to generate this string: `openssl rand -hex 64` |
| SUBMISSION_DATA_ENCRYPTION_KEY | 32 random bytes used as the encryption key for data in the database. Run the following command in your terminal to generate this string: `openssl rand -hex 32` |
| ADMIN_EMAIL (Optional. Default: [email protected]) | When the server starts, it will connect to postgres, set up the database, and create an admin user with the email ADMIN_EMAIL. |
| ADMIN_NAME (Optional. Default: Admin) | Full name of the admin user. |
| ADMIN_PASSWORD (Optional. Default: 075d082e403) | Password for the admin user. Tip: Generate a secure password by running: `openssl rand -base64 9` |
| DOCSPRING_ECR_AWS_ACCESS_KEY_ID | (For Google Cloud Setup) AWS API token that is used to access the DocSpring Enterprise docker image from ECR (Elastic Container Registry.) This API token will be provided to you via email and is unique to your organization. |
| FORMAPI_ECR_AWS_ACCESS_KEY_SECRET | AWS API token secret to access the DocSpring Enterprise docker image. |
| GOOGLE_MAPS_GEOCODING_API_KEY (Optional: Leave blank to disable geolocation.) | Google Maps API key. Used to geolocate submission IP addresses when people fill out the online form. Leave blank to disable IP address geolocation. |
| GOOGLE_CLOUD_SQL_INSTANCE_NAME | Optional (for Google Cloud): The “Instance connection name” for your Cloud SQL database. e.g. docspring-enterprise-202617:us-central1:docspring-production |
| GCS_ACCESS_KEY_ID | Google Cloud Storage API access key (from the Interoperability tab) |
| GCS_ACCESS_KEY_SECRET | Google Cloud Storage API secret (from the Interoperability tab) |
| GCS_UPLOADS_BUCKET | The name of your Google Cloud Storage bucket. |
| AWS_ACCESS_KEY_ID | AWS S3 access key for file storage |
| AWS_ACCESS_KEY_SECRET | AWS S3 secret key for file storage |
| AWS_UPLOADS_S3_BUCKET | AWS S3 bucket to store files |
| AWS_UPLOADS_S3_REGION | Region for AWS S3 bucket, e.g. us-east-1 |
| PDF_URL_EXPIRATION_TIME | Set the expiration time (in seconds) for PDF download URLs. Must be an integer between 60 and 604801 (7 days.) (AWS does not allow higher values.) Default: 900 |
| POSTMARK_API_TOKEN | API token for your Postmark account |
| DISABLE_EMAILS | Set to true to disable sending emails. (Can be useful during the initial setup.) Make sure you unset this variable before configuring an email service. |
| POSTMARK_API_TOKEN | API key for your Postmark account |
| SENDGRID_API_KEY | API key for your SendGrid account |
| SENDGRID_USERNAME | Note: This is only for legacy support. You should use SENDGRID_API_KEY. Username for your SendGrid account. |
| SENDGRID_PASSWORD | Note: This is only for legacy support. You should use SENDGRID_API_KEY. Password for your SendGrid account. (Make sure you have 2FA disabled.) |
| MAILGUN_API_KEY | Mailgun API key |
| MAILGUN_DOMAIN | Email domain to use for Mailgun |
| GMAIL_USERNAME | Gmail Username |
| GMAIL_PASSWORD | Gmail Password |
| GMAIL_DOMAIN | Your G Suite domain |
| AWS_SES_ACCESS_KEY_ID | AWS SES Access Key ID (for sending emails) |
| AWS_SES_SECRET_ACCESS_KEY | AWS SES Secret Access Key |
| SENTRY_DSN | Sentry DSN for error reporting (backend errors) |
| SENTRY_JS_DSN | Sentry DSN for error reporting (frontend errors) |
| SKYLIGHT_AUTHENTICATION | Authentication token for Skylight.io (performance monitoring) |
| DISABLE_BECOME_USER | Set to true to disable the “Become User” feature in the admin interface. |
| ADMIN_API_TOKEN | Set a predefined API token that can be used to authenticate for any API endpoints. Authenticate using a basic auth Authorization header where the username is the string ADMIN_API_TOKEN, and the password is the token that you set in the ADMIN_API_TOKEN environment variable. (This authentication method can be used for admin API endpoints that allow templates to be imported and exported, among other things.) See: Admin API Endpoints |
| FIELD_NAME_DEBOUNCE_INTERVAL | Default: 350. Set this to a higher number of milliseconds to increase the debounce time when typing a field name in the template editor. |
| AWS_CLOUDWATCH_ACCESS_KEY_ID | Optional: AWS access key ID for an IAM user that has the CloudWatchAgentServerPolicy policy, for sending Sidekiq metrics to Cloudwatch |
| AWS_CLOUDWATCH_ACCESS_KEY_SECRET | Optional: AWS access key secret for an IAM user that has the CloudWatchAgentServerPolicy policy, for sending Sidekiq metrics to Cloudwatch |
| AWS_CLOUDWATCH_REGION | Optional: e.g. us-east-1 |
| AWS_CLOUDWATCH_SIDEKIQ_NAMESPACE | Optional: Namespace for the Sidekiq metrics in CloudWatch. “Sidekiq” (default), “Sidekiq-Staging”, “Sidekiq-Prod”, etc. |
| TEMPLATE_DEFAULT_TYPEFACE | Optional: Set the default typeface for templates. Default: Helvetica |
| TEMPLATE_DEFAULT_FONT_SIZE | Optional: Set the default text font size for templates. Default: 11 |
| TEMPLATE_DEFAULT_TEXT_COLOR | Optional: Set the default text color for templates. Default: 444444 |
| SYNCHRONOUS_API | Optional: Enable long-lived synchronous API requests. (e.g. Wait before returning processed PDFs.) This is fine for most workloads, but not recommended for high volumes. If you process very high volumes of PDFs and need better concurrency for long-lived HTTP requests, you may want to deploy our Go API proxy service in front of the application. Contact us for more details. |
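
A preflight check for the security-relevant settings in the table above, as an added example that is not part of DocSpring's own code. The names `audit_docspring_env` and `SAMPLE_ENV` are hypothetical and the sample values are constructed; the key lengths, the default admin password, and the expiration range are the ones stated in the table.

```ruby
# Added example (not DocSpring code). Pass ENV.to_h in practice.
DEFAULT_ADMIN_PASSWORD = "075d082e403" # default shown in the table above

# True when value is exactly `bytes` bytes written as hex (openssl rand -hex N).
def hex_bytes?(value, bytes)
  value.to_s.match?(/\A\h{#{bytes * 2}}\z/)
end

# Returns a list of findings; an empty list means every check passed.
def audit_docspring_env(env)
  set = ->(key) { !env[key].to_s.strip.empty? }
  findings = []
  %w[DOCSPRING_LICENSE DOMAIN_NAME].each do |key|
    findings << "#{key} is required but not set" unless set.(key)
  end
  unless hex_bytes?(env["SECRET_KEY_BASE"], 64)
    findings << "SECRET_KEY_BASE is not 64 bytes of hex"
  end
  unless hex_bytes?(env["SUBMISSION_DATA_ENCRYPTION_KEY"], 32)
    findings << "SUBMISSION_DATA_ENCRYPTION_KEY is not 32 bytes of hex"
  end
  # An unset ADMIN_PASSWORD falls back to the documented default.
  if !set.("ADMIN_PASSWORD") || env["ADMIN_PASSWORD"] == DEFAULT_ADMIN_PASSWORD
    findings << "ADMIN_PASSWORD is the documented default"
  end
  findings << "ALLOW_ALL_HOSTS is set: known-host blocking is off" if set.("ALLOW_ALL_HOSTS")
  findings << "DISABLE_PWNED_PASSWORD_CHECK is set" if set.("DISABLE_PWNED_PASSWORD_CHECK")
  if set.("PDF_URL_EXPIRATION_TIME")
    ttl = Integer(env["PDF_URL_EXPIRATION_TIME"], 10, exception: false)
    unless ttl && ttl.between?(60, 604_801)
      findings << "PDF_URL_EXPIRATION_TIME is outside 60..604801"
    end
  end
  findings
end

# Constructed sample with placeholder values, not a real deployment.
SAMPLE_ENV = {
  "DOCSPRING_LICENSE" => "LICENSE-PLACEHOLDER",
  "DOMAIN_NAME" => "docspring.local:8080",
  "SECRET_KEY_BASE" => "changeme",
  "SUBMISSION_DATA_ENCRYPTION_KEY" => "0f" * 32,
  "ADMIN_PASSWORD" => "075d082e403",
  "ALLOW_ALL_HOSTS" => "true",
  "PDF_URL_EXPIRATION_TIME" => "86400000",
}.freeze

puts audit_docspring_env(SAMPLE_ENV)
```

Running this before the first boot catches a deployment that would otherwise create the admin user with the published default password.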

Please contact [email protected] if you have any questions or feature requests.