Skip to main content

Environment Variables Reference

Auto-generated

This page is auto-generated from backend/.env.example. Do not edit manually.

Server​

VariableDefaultRequiredDescription
PORT4005Yesβ€”
NODE_ENVdevelopmentYesβ€”

Licensing & Deployment​

VariableDefaultRequiredDescription
LICENSE_KEYyour_license_jwt_hereYesSigned JWT issued by the ThreatWeaver License Manager (TLM). Resolution order: 1) license_config DB table (set via UI), 2) this env var. Obtain from https://license.threatweaver.ai or your self-hosted TLM instance.
DEPLOYMENT_ID*NoUnique identifier that binds this instance to its license. Use * to accept any deployment in development/air-gapped environments. In production, set to the ID provided with your license.
DEPLOYMENT_MODEβ€”NoDeployment mode. Controls multi-tenant vs single-tenant behaviour. Valid values: saas | dedicated | (empty string for standalone/self-hosted)
LICENSE_CHECKIN_URLhttps://license.threatweaver.aiNoPhone-home URL. Omit for offline/air-gapped deployments. The app calls POST /api/license/checkin every 24 h against this URL.
MACHINE_IDβ€”NoOverride the machine identity used for license binding. Useful in containers where the host fingerprint changes between restarts.
TW_DATA_DIR./dataNoDirectory for persistent license state and instance-id file. Defaults to ./data relative to the working directory.

Multi-tenant Configuration​

VariableDefaultRequiredDescription
DEDICATED_TENANT_SLUGβ€”NoOnly needed when DEPLOYMENT_MODE=dedicated or when connecting to a TLM. Slug for the tenant this dedicated instance serves (e.g. "acme-corp").
DEDICATED_TENANT_PLANenterpriseNoPlan tier for the dedicated tenant. Default: enterprise Valid values: starter | professional | enterprise
TLM_BASE_URLhttps://tlm.threatweaver.aiNoBase URL of the ThreatWeaver License Manager (TLM) API.
TLM_VENDOR_API_KEYyour-tlm-vendor-api-key-hereNoVendor API key issued by TLM for instance-to-TLM communication.
TW_INTERNAL_API_KEYβ€”NoInternal API key used for service-to-service calls within the platform. Generate with: openssl rand -hex 32
TENANT_CACHE_TTL_SECONDS300NoHow long (seconds) to cache resolved tenant records. Default: 300
TENANCY_MODEβ€”NoTenancy mode for the migration guard. Typically set automatically by TLM. Valid values: multi | single | (empty)
TW_SERVICE_PRIVATE_KEYβ€”NoSERVICE-TO-SERVICE AUTH (ES256 JWT Tokens) Replaces simple API keys with asymmetric JWT service tokens for TLM ↔ TW. Generate key pairs with: npx tsx scripts/generate-service-keypair.ts tw This service's ES256 private key (PEM, base64-encoded for single-line storage) Used to SIGN outbound tokens when calling TLM.
TLM_SERVICE_PUBLIC_KEYβ€”NoTLM's ES256 public key (PEM, base64-encoded) Used to VERIFY inbound tokens from TLM on /api/internal/* routes.

Initial Admin User​

VariableDefaultRequiredDescription
INITIAL_ADMIN_EMAILadmin@company.comNoUsed only during first-time database bootstrap when no admin exists. Change the password immediately after first login!
INITIAL_ADMIN_PASSWORDchangeme123Noβ€”
INITIAL_ADMIN_NAMESystem AdministratorNoβ€”

Tenable Api​

VariableDefaultRequiredDescription
TENABLE_ACCESS_KEYyour_tenable_access_key_hereYesObtain your API keys from https://cloud.tenable.com/ β†’ Settings β†’ API Keys.
TENABLE_SECRET_KEYyour_tenable_secret_key_hereYesβ€”
TENABLE_API_URLhttps://cloud.tenable.comNoβ€”
DATABASE_URLpostgresql://tenable:tenable_secure_password_change_me@localhost:5432/tenable_dashboardYesDATABASE (PostgreSQL) Primary connection string (takes precedence over individual DB_* vars).
DB_HOSTlocalhostNoIndividual connection parameters (used by seeds/scripts when DATABASE_URL is absent).
DB_PORT5432Noβ€”
DB_NAMEtenable_dashboardNoβ€”
DB_USERtenableNoβ€”
DB_PASSWORDtenable_secure_password_change_meNoβ€”
DB_READ_REPLICA_URLpostgresql://tenable:password@replica-host:5432/tenable_dashboardNoRead replica connection string for heavy read workloads. Leave unset to route all queries to the primary.
DB_POOL_MAX10NoMaximum connections in the TypeORM connection pool. Default: 10
DB_SSL_REJECT_UNAUTHORIZEDtrueNoSet to false to allow self-signed TLS certs (never in production). Default: true (reject unauthorized certificates).
ENCRYPTION_SALTβ€”YesSalt for key derivation (min 8 chars). Generate with: openssl rand -hex 16 WARNING: Changing this after data has been encrypted will break decryption.

Security & Encryption​

VariableDefaultRequiredDescription
ENCRYPTION_KEYyour_32_character_encryption_keyYes32-character hex key for encrypting secrets at rest (e.g. 2FA seeds, API keys). Must be exactly 32+ characters. Generate with: openssl rand -hex 16
APPSEC_ENCRYPTION_KEYβ€”NoSeparate encryption key for AppSec payload sanitization. Falls back to ENCRYPTION_KEY if not set.

Jwt​

VariableDefaultRequiredDescription
JWT_SECRETyour_super_secret_jwt_key_change_in_production_min_32_charsYesSecret for signing access tokens. Minimum 32 characters. Generate with: openssl rand -hex 32
JWT_EXPIRES_IN1dNoAccess token lifetime. Default: 15m (short for security).
JWT_REFRESH_SECRETyour_refresh_token_secret_change_in_productionYesSeparate secret for refresh tokens. Generate with: openssl rand -hex 32
JWT_REFRESH_EXPIRES_IN7dNoRefresh token lifetime. Default: 7d

Session​

VariableDefaultRequiredDescription
SESSION_TIMEOUT_MINUTES30NoIdle session timeout in minutes. Default: 30

Rate Limiting​

VariableDefaultRequiredDescription
RATE_LIMIT_WINDOW_MS60000NoRolling window duration in milliseconds. Default: 60000 (1 minute)
RATE_LIMIT_MAX_REQUESTS100NoMax requests per IP per window. Default: 100

Cors​

VariableDefaultRequiredDescription
CORS_ORIGINhttp://localhost:3005,http://127.0.0.1:3005NoComma-separated list of allowed origins. Wildcards are NOT supported.

App Urls​

VariableDefaultRequiredDescription
BASE_URLhttps://api.threatweaver.aiNoOverride the public-facing URLs. The app infers these from the request when not set, but explicit values are recommended for production deployments. Public base URL of this backend (no trailing slash).
FRONTEND_URLhttps://threatweaver.aiNoPublic URL of the frontend (used in email links, OAuth redirects, etc.).
BACKEND_URLhttps://api.threatweaver.aiNoExplicit backend URL (used by SSO callbacks and CI/CD status webhooks). Falls back to BASE_URL or the incoming request host if not set.

Redis​

VariableDefaultRequiredDescription
REDIS_URLredis://localhost:6379NoRedis is optional locally β€” the app degrades gracefully without it. In production, Redis is strongly recommended for session and response caching.
REDIS_HOSTlocalhostNoβ€”
REDIS_PORT6379Noβ€”
REDIS_ENABLEDtrueNoSet to false to explicitly disable Redis (e.g. for local-only deploys). Default: true

Runtime Tuning​

VariableDefaultRequiredDescription
REQUEST_TIMEOUT_MS30000NoHTTP request timeout in milliseconds. Default: 30000 (30 s)

Feature Flags​

VariableDefaultRequiredDescription
ALLOW_DEMO_LOGINtrueNoAllow demo/test login credentials (admin@company.com / changeme123). ONLY enable in non-production environments. Never set to true in production.
SYNC_STREAMING_ENABLEDtrueNoEnable streaming (chunked transfer) for large Tenable sync responses. Default: true
SYNC_CHUNK_SIZE100NoNumber of records per chunk during streaming sync. Default: 100

Logging​

VariableDefaultRequiredDescription
LOG_LEVELdebugNoValid values: debug | info | warn | error

Cache Ttl​

VariableDefaultRequiredDescription
CACHE_TTL3600NoDefault server-side cache TTL in seconds. Default: 3600 (1 h)
API_CACHE_TTL21600NoTenable API response cache TTL in seconds. Default: 21600 (6 h)
AZURE_CLIENT_IDβ€”NoSSO β€” AZURE AD (OPTIONAL) Register an app at https://portal.azure.com β†’ Azure Active Directory β†’ App registrations.
AZURE_CLIENT_SECRETβ€”Noβ€”
AZURE_TENANT_IDβ€”Noβ€”
OKTA_DOMAINβ€”NoSSO β€” OKTA (OPTIONAL) Create an OIDC app at https://developer.okta.com/.
OKTA_CLIENT_IDβ€”Noβ€”
OKTA_CLIENT_SECRETβ€”Noβ€”
GOOGLE_CLIENT_IDβ€”NoSSO β€” GOOGLE OAUTH (OPTIONAL) Configure at https://console.cloud.google.com/ β†’ APIs & Services β†’ Credentials.
GOOGLE_CLIENT_SECRETβ€”Noβ€”
SMTP_HOSTsmtp.example.comNoSMTP β€” EMAIL NOTIFICATIONS (OPTIONAL) Required for password-reset emails, alert notifications, and scan reports.
SMTP_PORT587Noβ€”
SMTP_USERnotifications@example.comNoβ€”
SMTP_PASSyour-smtp-password-hereNoβ€”
SMTP_FROMThreatWeaver <noreply@threatweaver.io>Noβ€”

Appsec / Pentest AI (Optional)​

VariableDefaultRequiredDescription
APPSEC_AI_PROVIDERopenaiNoEnables AI-assisted vulnerability analysis and report generation. Provider for AI features. Valid values: openai | anthropic | azure_openai
APPSEC_AI_API_KEYyour-ai-api-key-hereNoAPI key for the chosen AI provider.
APPSEC_AI_MODELgpt-4oNoModel name to use (e.g. gpt-4o, claude-3-5-sonnet-20241022).
APPSEC_AI_RESIDENCY_MODEcloud_hybridNoData residency mode for AI calls. Valid values: cloud_hybrid | cloud_only | on_prem Default: cloud_hybrid
APPSEC_CALLBACK_URLhttps://oob.threatweaver.aiNoPublic URL for out-of-band (OOB) callback server (Blind SSRF/XXE probes). Defaults to http://localhost:4005 if not set.
APPSEC_CALLBACK_DOMAINoob.threatweaver.aiNoDomain used for DNS-based OOB detection (Blind SSRF via DNS).

Intelligence Feeds (Optional)​

VariableDefaultRequiredDescription
NVD_API_KEYyour-nvd-api-key-hereNoAPI keys for external threat intelligence data sources. NVD (National Vulnerability Database) API key β€” increases rate limits. Register at https://nvd.nist.gov/developers/request-an-api-key
GITHUB_TOKENghp_your-github-token-hereNoGitHub personal access token β€” used for zero-day PoC discovery via GitHub search. Requires at minimum: public_repo read scope. Create at https://github.com/settings/tokens
SHODAN_API_KEYyour-shodan-api-key-hereNoShodan API key β€” used by the OSINT scanner agent for internet exposure data. Obtain at https://account.shodan.io/

Generated on 2026-04-05