Environment Variables

Every Caracal service is configured entirely through environment variables. This page lists all variables grouped by service. Variables marked required will cause the service to fail at startup if absent. Variables with defaults are optional.

These three secrets must be generated before the stack starts. Generate each with openssl rand -hex 32.

| Variable | Services that use it | Description |
| --- | --- | --- |
| ZONE_KEK | STS, API | 32-byte hex-encoded key encryption key. Encrypts zone signing key material at rest. Must not be all zeros. |
| AUDIT_HMAC_KEY | STS, Audit | 32-byte hex-encoded key for audit event chain HMAC. Required in production. |
| STREAMS_HMAC_KEY | API, Gateway, Coordinator, Audit | 32-byte hex-encoded key for signing Redis stream messages. Optional but strongly recommended in production. |
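
A preflight check for the constraints in the table above, added here as an example (it is not Caracal's own code): each secret must be 64 hex characters, and an all-zero key is rejected. The function names are hypothetical, and treating AUDIT_HMAC_KEY as always required and rejecting all-zero HMAC keys are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Caracal code. Function names are hypothetical.

# is_hex32 VALUE: succeed only for exactly 64 hex characters (32 bytes).
is_hex32() {
  [ "${#1}" -eq 64 ] || return 1
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  return 0
}

# check_secret NAME VALUE REQUIRED(yes|no): report a problem on stderr and
# fail. Only the variable name and length are printed, never the value.
check_secret() {
  name=$1 value=$2 required=$3
  if [ -z "$value" ]; then
    [ "$required" = yes ] || return 0
    echo "$name: missing" >&2
    return 1
  fi
  if ! is_hex32 "$value"; then
    echo "$name: expected 64 hex characters, got length ${#value}" >&2
    return 1
  fi
  # The page forbids an all-zero ZONE_KEK; rejecting it for the HMAC keys
  # as well is this example's assumption.
  case "$value" in
    *[!0]*) return 0 ;;
  esac
  echo "$name: all zeros" >&2
  return 1
}

# preflight_secrets: check the three shared secrets in the environment.
# AUDIT_HMAC_KEY is treated as required (production rule); STREAMS_HMAC_KEY
# is optional per the table but validated when set.
preflight_secrets() {
  rc=0
  check_secret ZONE_KEK "${ZONE_KEK:-}" yes || rc=1
  check_secret AUDIT_HMAC_KEY "${AUDIT_HMAC_KEY:-}" yes || rc=1
  check_secret STREAMS_HMAC_KEY "${STREAMS_HMAC_KEY:-}" no || rc=1
  return "$rc"
}
```

Source the file and run preflight_secrets before starting the stack; a non-zero status means at least one secret is missing or malformed.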

| Variable | Default | Description |
| --- | --- | --- |
| POSTGRES_USER | caracal | Database user |
| POSTGRES_PASSWORD | | Required. Database password |
| POSTGRES_DB | caracal | Database name |

Services accept either a DATABASE_URL connection string or the individual POSTGRES_* variables (API and Coordinator build the URL if DATABASE_URL is absent).


| Variable | Default | Description |
| --- | --- | --- |
| REDIS_PASSWORD | | Required. Redis auth password |
| REDIS_HOST | localhost | Redis host (used when REDIS_URL is absent) |
| REDIS_PORT | 6379 | Redis port |

Services accept either REDIS_URL or the individual REDIS_* variables.


| Variable | Default | Description |
| --- | --- | --- |
| DATABASE_URL | | Required. Postgres connection string |
| REDIS_URL | | Required. Redis connection string |
| ZONE_KEK | | Required. 32-byte hex-encoded KEK |
| AUDIT_HMAC_KEY | | Required. 32-byte hex-encoded HMAC key |
| ISSUER_URL | | Required. Absolute URL of the STS (e.g., http://localhost:8080). Written into JWT iss claim. |
| PORT | 8080 | Listen port. Must be 8080. |
| ZONE_KEK_PROVIDER | local | KEK provider. Currently only local is supported. |
| STREAMS_HMAC_KEY | | 32-byte hex-encoded key for signing Redis stream messages |
| MAX_GRANT_TTL_SECONDS | 3600 | Maximum token lifetime in seconds |
| OPA_POLL_SECONDS | 60 | Interval (seconds) between OPA policy bundle polls |
| LOG_LEVEL | info | Log verbosity (debug, info, warn, error) |
| CARACAL_ENV | development | Environment label |

| Variable | Default | Description |
| --- | --- | --- |
| DATABASE_URL | | Required. Postgres connection string |
| REDIS_URL | | Required. Redis connection string |
| STS_URL | | Required. STS base URL (e.g., http://sts:8080) |
| ZONE_KEK | | Required. 32-byte hex-encoded KEK |
| CARACAL_ADMIN_TOKEN | | Bootstrap admin token. Seeded into the database on first startup. |
| PORT | 3000 | Listen port |
| STREAMS_HMAC_KEY | | 32-byte hex-encoded key for signing outbox stream messages |
| CARACAL_LOCAL_BOOTSTRAP_ENABLED | false | Set true to enable local-dev auto-bootstrap on startup |
| LOG_LEVEL | info | Log verbosity |
| CARACAL_SHUTDOWN_TIMEOUT_MS | 15000 | Graceful shutdown window in milliseconds |
| CARACAL_API_BODY_LIMIT_BYTES | 1048576 | Request body size limit (1 MB) |
| Database pool | | |
| CARACAL_DB_POOL_MAX | 20 | Maximum Postgres connection pool size |
| CARACAL_DB_STATEMENT_TIMEOUT_MS | 15000 | Per-statement timeout |
| CARACAL_DB_IDLE_IN_TX_TIMEOUT_MS | 30000 | Idle-in-transaction timeout |
| CARACAL_DB_CONNECTION_TIMEOUT_MS | 5000 | Connection acquisition timeout |
| CARACAL_DB_IDLE_TIMEOUT_MS | 30000 | Idle connection eviction timeout |
| Outbox dispatcher | | |
| CARACAL_OUTBOX_POLL_MS | 250 | Outbox poll interval in milliseconds |
| CARACAL_OUTBOX_BATCH | 32 | Messages to lock per poll cycle |
| CARACAL_OUTBOX_LOCK_SEC | 30 | Advisory lock duration for outbox rows |
| CARACAL_OUTBOX_MAX_ATTEMPTS | 100 | Max delivery attempts before a message is marked dead |
| CARACAL_OUTBOX_STREAM_MAXLEN | 100000 | XADD MAXLEN for all outbox-published streams |
| READY_RATE_LIMIT_PER_MIN | 120 | Rate limit for /ready health probe per source IP per minute (0 to disable) |

| Variable | Default | Description |
| --- | --- | --- |
| DATABASE_URL | | Required. Postgres connection string |
| REDIS_URL | | Required. Redis connection string |
| STS_URL | | Required. STS base URL with scheme (http or https) |
| STREAMS_HMAC_KEY | | Required in production. 32-byte hex-encoded key for verifying stream signatures |
| PORT | | Must be 8081. Enforced at startup; any other value panics. |
| CARACAL_ENV | production | Must be production or dev. Controls which safety checks are enforced. |
| INSECURE_HTTP | false | Set true to run without TLS. Forbidden when CARACAL_ENV=production. |
| INSECURE_STS | false | Set true to allow HTTP to STS. Forbidden when CARACAL_ENV=production. |
| TLS_CERT_FILE | | Path to TLS certificate. Required unless INSECURE_HTTP=true. |
| TLS_KEY_FILE | | Path to TLS private key. Required unless INSECURE_HTTP=true. |
| ALLOW_PRIVATE_UPSTREAMS | false | Allow proxying to private/loopback upstream URLs |
| UPSTREAM_HOST_ALLOWLIST | | Comma-separated upstream host allowlist. Required in production when ALLOW_PRIVATE_UPSTREAMS=true. |
| JTI_FAIL_OPEN | false | Skip JTI replay check on Redis error. Forbidden in production. |
| STS_TIMEOUT | 5s | STS request timeout (duration format, e.g., 5s, 500ms) |
| UPSTREAM_TIMEOUT | 30s | Upstream proxy timeout |
| READ_HEADER_TIMEOUT | 5s | HTTP read header timeout |
| READ_TIMEOUT | 30s | HTTP read timeout |
| WRITE_TIMEOUT | 60s | HTTP write timeout |
| IDLE_TIMEOUT | 120s | HTTP keep-alive idle timeout |
| MAX_REQUEST_BYTES | 10485760 | Maximum request body size (10 MB) |
| LOG_LEVEL | info | Log verbosity |
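
The production safety rules in the table above, written as a deploy-time lint that can run in CI before the service ever starts. This is an added example, not Caracal code: gateway_lint and finding are hypothetical names, and treating an unset PORT as acceptable is an assumption because the page does not state it.

```shell
#!/bin/sh
# Added example, not Caracal code. gateway_lint and finding are hypothetical
# names; the rules are the ones stated in the table above.

finding() { echo "gateway: $1"; bad=1; }

# gateway_lint: print one line per violated rule, succeed only if none.
gateway_lint() {
  bad=0
  mode=${CARACAL_ENV:-production}   # table default is production
  case "$mode" in
    production|dev) ;;
    *) finding "CARACAL_ENV must be production or dev" ;;
  esac
  # The page does not say what an unset PORT does, so only a wrong value
  # is flagged here (assumption).
  [ "${PORT:-8081}" = 8081 ] || finding "PORT must be 8081"
  case "${STS_URL:-}" in
    http://*|https://*) ;;
    *) finding "STS_URL must be set and include an http or https scheme" ;;
  esac
  if [ "${INSECURE_HTTP:-false}" != true ]; then
    [ -n "${TLS_CERT_FILE:-}" ] || finding "TLS_CERT_FILE required unless INSECURE_HTTP=true"
    [ -n "${TLS_KEY_FILE:-}" ] || finding "TLS_KEY_FILE required unless INSECURE_HTTP=true"
  fi
  if [ "$mode" = production ]; then
    # Escape hatches that the table forbids in production.
    for var in INSECURE_HTTP INSECURE_STS JTI_FAIL_OPEN; do
      eval "val=\${$var:-false}"
      [ "$val" != true ] || finding "$var=true is forbidden in production"
    done
    [ -n "${STREAMS_HMAC_KEY:-}" ] || finding "STREAMS_HMAC_KEY required in production"
    if [ "${ALLOW_PRIVATE_UPSTREAMS:-false}" = true ] &&
       [ -z "${UPSTREAM_HOST_ALLOWLIST:-}" ]; then
      finding "UPSTREAM_HOST_ALLOWLIST required when ALLOW_PRIVATE_UPSTREAMS=true"
    fi
  fi
  [ "$bad" -eq 0 ]
}
```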

| Variable | Default | Description |
| --- | --- | --- |
| DATABASE_URL | | Required. Postgres connection string |
| REDIS_URL | | Required. Redis connection string |
| AUDIT_HMAC_KEY | | Required in production. 32-byte hex-encoded HMAC key for audit chain verification |
| PORT | | Must be 9090. |
| AUDIT_RETENTION_DAYS | 365 | Number of days to retain audit events. Older monthly partitions are dropped. |
| AUDIT_MAX_DELIVERIES | 5 | Max delivery attempts for an audit event before DLQ routing |
| AUDIT_CLAIM_IDLE_SECS | 30 | Seconds before an unclaimed PEL entry is reclaimed by another consumer |
| AUDIT_TAMPER_ROLLING_HOURS | 4 | Rolling window for tamper detection sweep |
| AUDIT_EXPORT_S3_ENDPOINT | | S3-compatible endpoint URL for Parquet export (e.g., MinIO) |
| AUDIT_EXPORT_S3_BUCKET | | S3 bucket name for Parquet export. Leave empty to disable export. |
| AUDIT_EXPORT_S3_REGION | us-east-1 | AWS region for S3 export |
| HOSTNAME | audit-worker-0 | Consumer name for the audit stream consumer group |
| LOG_LEVEL | info | Log verbosity |
| CARACAL_ENV | development | Environment label |

| Variable | Default | Description |
| --- | --- | --- |
| DATABASE_URL | | Required. Postgres connection string |
| REDIS_URL | | Required. Redis connection string |
| STS_URL | | Required. STS base URL |
| ISSUER_URL | | Required. STS issuer URL (same as ISSUER_URL in STS). Also the required aud claim on bearer JWTs. |
| AGENT_COORDINATOR_SCOPE | | Required. Required scope for coordinator calls (e.g., agent:lifecycle) |
| PORT | 4000 | Listen port |
| STREAMS_HMAC_KEY | | 32-byte hex-encoded key for signing outbox stream messages |
| Database pool | | |
| DB_POOL_MAX | 20 | Maximum Postgres connection pool size |
| DB_STATEMENT_TIMEOUT_MS | 10000 | Per-statement timeout |
| DB_CONNECTION_TIMEOUT_MS | 5000 | Connection acquisition timeout |
| DB_IDLE_TIMEOUT_MS | 30000 | Idle connection eviction timeout |
| Outbox publisher | | |
| OUTBOX_INTERVAL_MS | 1000 | Outbox poll interval |
| OUTBOX_BATCH_SIZE | 50 | Messages to lock per poll cycle |
| OUTBOX_MAX_ATTEMPTS | 10 | Max delivery attempts before dead status |
| STREAMS_MAXLEN | 100000 | XADD MAXLEN for coordinator-published streams |
| Background jobs | | |
| TTL_SWEEP_INTERVAL_MS | 60000 | Interval between agent session TTL sweeps |
| DEADLINE_SWEEP_INTERVAL_MS | 5000 | Interval between invocation deadline enforcement sweeps |
| SWEEPER_BATCH_SIZE | 500 | Rows processed per sweep batch |
| RETENTION_CLEANUP_INTERVAL_MS | 900000 | Interval between delegation/outbox retention cleanup runs (15 min) |
| RETENTION_CLEANUP_BATCH_SIZE | 500 | Rows deleted per cleanup batch |
| DELEGATION_RETENTION_DAYS | 90 | Days to retain completed delegation edges |
| OUTBOX_RETENTION_DAYS | 7 | Days to retain published/dead outbox rows |
| SHUTDOWN_GRACE_MS | 15000 | Graceful shutdown window |
| VERIFY_RATE_LIMIT_PER_MIN | 60 | Token verify rate limit per client per minute (minimum 0) |
| INVOCATION_RATE_LIMIT_PER_MIN | 120 | Invocation mutation rate limit per application per zone per minute (minimum 0) |
| V1_RATE_LIMIT_PER_MIN | 300 | V1 façade (begin/end/exchange) rate limit per source IP per minute (0 to disable) |
| COORDINATOR_RATE_LIMIT_PER_MIN | 600 | Global coordinator rate limit per source IP per minute (0 to disable) |
| RELAY_DEDUPE_WINDOW_SEC | 3600 | Window for relay deduplication (Go relay) |
| JWKS_CACHE_MAX | 256 | Maximum JWKS cache entries |
| LOG_LEVEL | info | Log verbosity |