Reference
Environment variables
Important environment variables for self-hosted 143 deployments.
Use these settings as the deployment contract for a self-hosted 143 environment. The main sections apply across deployment topologies. The single-node quickstart fields are grouped separately because they are specific to .env.single-node and docker-compose.single-node.yml.
Application
BASE_URL (url): Public backend/app origin used for callbacks and internal links.
FRONTEND_URL (url): Public frontend origin used for browser redirects.
CORS_ALLOWED_ORIGINS (string): Comma-separated browser origins allowed to call the API.
PREVIEW_ORIGIN_TEMPLATE (string): Preview wildcard URL template, such as https://{id}.preview.example.com.
SESSION_SECRET (secret): Secret used for session signing.
CSRF_SIGNING_KEY (secret): Secret used for CSRF token signing in production.
ENCRYPTION_MASTER_KEY (secret): Master key for encrypted credentials at rest.
DATABASE_URL (secret): Postgres connection string.
REDIS_URL (secret): Redis connection string.
GitHub
GITHUB_APP_ID (string): GitHub App ID.
GITHUB_OAUTH_CLIENT_ID (string): GitHub OAuth client ID.
GITHUB_OAUTH_CLIENT_SECRET (secret): GitHub OAuth client secret.
GITHUB_WEBHOOK_SECRET (secret): Secret used to verify GitHub webhooks.
GITHUB_APP_PRIVATE_KEY (secret): Private key for the GitHub App.
Workers
NODE_ID (string): Stable node identifier used for worker heartbeats and preview routing.
WORKER_PROCESS_COUNT (integer): Worker loops per host.
WORKER_MAX_ACTIVE_SANDBOXES (integer): Maximum live sandboxes on a worker host.
SESSION_EXECUTOR_IMAGE (string): Server image used for durable session-executor containers in production worker-capable modes.
SESSION_EXECUTOR_DOCKER_NETWORK (string): Docker network session executors join to reach Postgres and worker APIs.
SANDBOX_IMAGE (string): Sandbox runtime image used by worker-created sandbox containers.
SANDBOX_RUNTIME (string): Docker runtime for sandboxes, usually runsc in production.
SANDBOX_REQUIRE_GVISOR (boolean): Fail worker startup when gVisor is unavailable.
SANDBOX_REQUIRE_DISK_QUOTA (boolean): Fail or allow startup when Docker cannot enforce sandbox rootfs disk quotas.
SANDBOX_CPU_LIMIT (string): Sandbox CPU limit.
SANDBOX_MEMORY_LIMIT_MB (integer): Sandbox memory limit.
SANDBOX_DISK_LIMIT_GB (integer): Sandbox disk limit.
Single-node quickstart
These fields are for .env.single-node and the bundled Docker Compose quickstart. Split deployments should use their own image release, proxy, storage, and worker-host provisioning conventions instead of copying this section directly.
IMAGE_REGISTRY (string): Container registry prefix for the single-node runtime images. Defaults to ghcr.io/assembledhq.
IMAGE_TAG (string): Runtime image tag or release SHA used by docker-compose.single-node.yml.
DOMAIN (string): Public domain served by the bundled Caddy service.
CLOUDFLARE_API_TOKEN (secret): Cloudflare DNS token used by the bundled Caddy wildcard certificate flow.
DB_PASSWORD (secret): Password for the local Postgres container; compose uses it to construct DATABASE_URL.
DOCKER_GID (string): Host docker group id printed by prepare-single-node.sh and passed to the API/worker container for docker.sock access.
SINGLE_NODE_DATA_DIR (path): Host-backed durable data root mounted into the API/worker container and, by default, durable session executors. Defaults to /var/lib/143.
HOST_143_DIR (path): Host directory mounted read-only at /etc/143 for sandbox resolver and capability files. Defaults to /etc/143.
SANDBOX_RESOLV_CONF (path): Resolver config file passed to sandbox containers. Defaults to /etc/143/sandbox-resolv.conf.
SANDBOX_AUTH_SOCKET_DIR (path): Host directory for the worker-owned sandbox credential socket. Defaults to /var/run/143/sandbox-auth and must be 0750 or stricter.
PREVIEW_DEPENDENCY_CACHE_LOCAL_DIR (path): Host-backed local preview dependency cache. Defaults to /var/cache/143/preview-dependency-cache.
SESSION_EXECUTOR_EXTRA_BINDS (string): Comma-separated extra host bind mounts for session executors. In the single-node compose file, the default is derived from SINGLE_NODE_DATA_DIR; if overriding directly, keep the data root included.
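A preflight check for the two single-node constraints stated above (socket directory at 0750 or stricter, data root kept in overridden binds). This is an added example, not part of the 143 project; the function names are hypothetical, and it assumes bind entries use Docker-style host:container[:opts] syntax, which this page does not specify.

```python
import os
import stat

# Defaults quoted from the single-node fields above.
DEFAULT_DATA_DIR = "/var/lib/143"
DEFAULT_SOCKET_DIR = "/var/run/143/sandbox-auth"


def mode_is_0750_or_stricter(mode: int) -> bool:
    """True when no group-write bit and no 'other' bits are set."""
    return (mode & 0o027) == 0


def binds_include_data_root(binds: str, data_root: str) -> bool:
    """Assumption: entries are Docker-style host:container[:opts]."""
    root = os.path.normpath(data_root)
    hosts = [os.path.normpath(b.strip().split(":", 1)[0])
             for b in binds.split(",") if b.strip()]
    return root in hosts


def preflight(env) -> list:
    """Return findings for the two constraints; an empty list means OK."""
    findings = []
    sock_dir = env.get("SANDBOX_AUTH_SOCKET_DIR", DEFAULT_SOCKET_DIR)
    try:
        mode = os.stat(sock_dir).st_mode
    except OSError as exc:
        findings.append(f"{sock_dir}: {exc.strerror}")
    else:
        if not stat.S_ISDIR(mode):
            findings.append(f"{sock_dir}: not a directory")
        elif not mode_is_0750_or_stricter(mode):
            findings.append(
                f"{sock_dir}: mode {stat.S_IMODE(mode):04o} is looser than 0750")
    binds = env.get("SESSION_EXECUTOR_EXTRA_BINDS")
    if binds is not None:  # only relevant when the compose default is overridden
        data_root = env.get("SINGLE_NODE_DATA_DIR", DEFAULT_DATA_DIR)
        if not binds_include_data_root(binds, data_root):
            findings.append(f"SESSION_EXECUTOR_EXTRA_BINDS omits {data_root}")
    return findings


if __name__ == "__main__":
    for finding in preflight(os.environ):
        print("FAIL:", finding)
```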
Secret handling
Production secrets should live in the deployment's encrypted secret system. Do not commit plaintext .env files.