Reference
Environment Variables
Complete reference for all Atlas environment variables with defaults and examples.
Self-hosted only
Environment variables are used for self-hosted deployments. Hosted users at app.useatlas.dev can skip this — the platform manages all configuration through the admin console. See Workspace Settings.
Atlas can be configured entirely via environment variables. Most have safe defaults — a minimal deployment needs only an LLM provider key and a datasource URL. For multi-datasource setups or advanced configuration, see the Configuration reference.
Precedence
Config loading is binary — when atlas.config.ts exists, it is used exclusively for structure. Env vars like ATLAS_DATASOURCE_URL are not merged in as fallbacks. Fields omitted from the config file get Zod schema defaults, not env var values.
- Config file found → all structural config (
datasources,tools,semanticLayer,plugins,actions,rls,scheduler) comes from the file - No config file → all configuration comes from environment variables
- Some vars are always env-only — secrets (
ANTHROPIC_API_KEY,BETTER_AUTH_SECRET), runtime hints (ATLAS_RUNTIME), and networking (PORT,ATLAS_CORS_ORIGIN) are always read from environment variables regardless of config file presence - Auth mode can be set via the config file
authfield orATLAS_AUTH_MODEenv var. Priority: env var → config file → auto-detection
See the Configuration reference for the full atlas.config.ts guide.
Run atlas doctor to verify your environment is correctly configured — it checks database connectivity, LLM providers, semantic layer, and sandbox availability.
LLM Provider
LLM provider and model configuration.
| Variable | Default | Description |
|---|---|---|
ATLAS_PROVIDER | anthropic (gateway on Vercel) | LLM provider: anthropic, openai, bedrock, ollama, openai-compatible, gateway |
ATLAS_MODEL | Provider default | Model ID override (e.g. claude-sonnet-4-6, gpt-4o). Required for openai-compatible (no default) |
OLLAMA_BASE_URL | http://localhost:11434/v1 | Ollama server URL. Only used when ATLAS_PROVIDER=ollama |
OPENAI_COMPATIBLE_BASE_URL | — | Base URL for OpenAI-compatible servers (vLLM, TGI, LiteLLM). Required when ATLAS_PROVIDER=openai-compatible |
OPENAI_COMPATIBLE_API_KEY | not-needed | API key for OpenAI-compatible servers. Most local servers don't require one |
ANTHROPIC_API_KEY | — | API key for anthropic provider |
OPENAI_API_KEY | — | API key for openai provider |
AWS_ACCESS_KEY_ID | — | AWS access key ID for bedrock provider |
AWS_SECRET_ACCESS_KEY | — | AWS secret access key for bedrock provider |
AWS_REGION | — | AWS region for bedrock provider (e.g. us-east-1) |
AI_GATEWAY_API_KEY | — | API key for gateway provider (Vercel AI Gateway) |
When ATLAS_PROVIDER is not set, the default depends on the runtime environment. On Vercel (detected via the platform-set VERCEL env var), the default is gateway. Everywhere else, the default is anthropic.
Each provider requires its own API key:
| Provider | API Key Variable |
|---|---|
anthropic | ANTHROPIC_API_KEY |
openai | OPENAI_API_KEY |
bedrock | AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY + AWS_REGION |
ollama | None (local) |
openai-compatible | OPENAI_COMPATIBLE_API_KEY (optional) |
gateway | AI_GATEWAY_API_KEY |
Default models per provider:
| Provider | Default Model |
|---|---|
anthropic | claude-opus-4-6 |
openai | gpt-4o |
bedrock | anthropic.claude-opus-4-6-v1:0 |
ollama | llama3.1 |
openai-compatible | None — ATLAS_MODEL required |
gateway | anthropic/claude-opus-4.6 |
# Anthropic (default provider)
ATLAS_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-...
# Optional: override the default model
# ATLAS_MODEL=claude-sonnet-4-6# OpenAI
ATLAS_PROVIDER=openai
OPENAI_API_KEY=sk-...
# Optional: override the default model
# ATLAS_MODEL=gpt-4o# AWS Bedrock (uses IAM credentials)
ATLAS_PROVIDER=bedrock
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=...# Ollama (local, no API key needed)
ATLAS_PROVIDER=ollama
OLLAMA_BASE_URL=http://localhost:11434/v1
# Optional: override the default model
# ATLAS_MODEL=llama3.1# Any OpenAI-compatible server (vLLM, TGI, LiteLLM, LocalAI)
ATLAS_PROVIDER=openai-compatible
ATLAS_MODEL=llama3.1 # Required — no default
OPENAI_COMPATIBLE_BASE_URL=http://localhost:8000/v1 # Required
# OPENAI_COMPATIBLE_API_KEY=... # Optional — most local servers don't need oneDatabase
| Variable | Default | Description |
|---|---|---|
ATLAS_DATASOURCE_URL | — | Analytics datasource connection string (PostgreSQL or MySQL). Optional when datasources are defined in atlas.config.ts |
DATABASE_URL | — | Atlas internal Postgres (auth, audit, conversations). Optional — Atlas works without it |
DATABASE_URL_UNPOOLED | — | Unpooled Postgres connection string (e.g. Neon direct URL). When ATLAS_DEMO_DATA=true and ATLAS_DATASOURCE_URL is unset, checked before DATABASE_URL in the demo data fallback chain |
ATLAS_DEMO_DATA | — | Set true to use the internal DB as both analytics datasource and internal DB |
Demo data fallback chain: When ATLAS_DEMO_DATA=true and ATLAS_DATASOURCE_URL is not set, Atlas resolves the analytics datasource by checking DATABASE_URL_UNPOOLED first, then DATABASE_URL. This lets a single Postgres instance (e.g. Neon on Vercel) serve as both the analytics datasource and Atlas's internal database.
# Local dev: Docker Compose provisions both databases
DATABASE_URL=postgresql://atlas:atlas@localhost:5432/atlas
ATLAS_DATASOURCE_URL=postgresql://atlas:atlas@localhost:5432/atlas_demo# Production: separate databases for isolation
DATABASE_URL=postgresql://user:pass@internal-host:5432/atlas
ATLAS_DATASOURCE_URL=postgresql://readonly:pass@analytics-host:5432/warehouseAgent
| Variable | Default | Description |
|---|---|---|
ATLAS_AGENT_MAX_STEPS | 25 | Maximum tool-call steps per agent run. Range: 1–100. Increase for complex multi-step queries; decrease to limit token spend |
Security
Query safety and SQL validation settings. See SQL Validation Pipeline for how these are enforced.
| Variable | Default | Description |
|---|---|---|
ATLAS_ROW_LIMIT | 1000 | Max rows returned per query |
ATLAS_QUERY_TIMEOUT | 30000 | Query timeout in milliseconds |
ATLAS_TABLE_WHITELIST | true | Only allow queries against tables defined in the semantic layer |
ATLAS_SCHEMA | — | PostgreSQL schema name. When set to a non-public value, the API sets search_path to "<schema>", public on each connection. When unset, no search_path is set and PostgreSQL uses its server default (typically public). Also used by atlas doctor to verify the schema exists |
ATLAS_ENCRYPTION_KEY | — | Dedicated encryption key for connection URLs stored at rest. Takes precedence over BETTER_AUTH_SECRET. Recommended for production when managing datasource connections via the admin UI |
ATLAS_POOL_WARMUP | 2 | Number of warmup probes per connection at startup. Set to 0 to disable warmup |
ATLAS_POOL_DRAIN_THRESHOLD | 5 | Consecutive query errors before the pool is automatically drained and recreated |
ATLAS_CACHE_ENABLED | true | Enable query result caching. Set to false to disable |
ATLAS_CACHE_TTL | 300000 | Cache TTL in milliseconds (default: 5 minutes) |
ATLAS_CACHE_MAX_SIZE | 1000 | Maximum number of cached query results |
Non-SELECT SQL (INSERT, UPDATE, DELETE, DROP, etc.) is always rejected — there is no toggle to disable this. The ATLAS_TABLE_WHITELIST setting only controls whether queries are restricted to semantic layer tables.
# Production: tighter limits
ATLAS_ROW_LIMIT=500 # Fewer rows per query
ATLAS_QUERY_TIMEOUT=15000 # 15s timeout (default: 30s)
ATLAS_TABLE_WHITELIST=true # Only semantic layer tables (default)
ATLAS_SCHEMA=analytics # Non-default PostgreSQL schemaAuth
Authentication mode and per-mode settings. See Authentication for full setup guides.
| Variable | Default | Description |
|---|---|---|
ATLAS_AUTH_MODE | Auto-detected | Explicit auth mode: none, api-key, managed, byot |
When ATLAS_AUTH_MODE is not set, Atlas auto-detects based on which variables are present (checked in this order):
ATLAS_AUTH_JWKS_URLset → BYOTBETTER_AUTH_SECRETset → ManagedATLAS_API_KEYset → Simple Key- None of the above → No auth
Simple Key
| Variable | Default | Description |
|---|---|---|
ATLAS_API_KEY | — | Shared secret. Clients send Authorization: Bearer <key> or X-API-Key: <key> |
ATLAS_API_KEY_ROLE | analyst | Role for API key users: viewer, analyst, admin |
# Simple key auth for headless integrations
ATLAS_API_KEY=your-secret-key-here
ATLAS_API_KEY_ROLE=analystManaged (Better Auth)
| Variable | Default | Description |
|---|---|---|
BETTER_AUTH_SECRET | — | Session signing secret. Min 32 chars, cryptographically random. Requires DATABASE_URL. Also used to encrypt connection URLs at rest (unless ATLAS_ENCRYPTION_KEY is set) |
ATLAS_ENCRYPTION_KEY | — | Dedicated encryption key for connection URLs at rest. Takes precedence over BETTER_AUTH_SECRET |
BETTER_AUTH_URL | Auto-detected | Base URL for auth endpoints. Auto-detected on Vercel; set explicitly for Railway/Docker |
BETTER_AUTH_TRUSTED_ORIGINS | — | Comma-separated CSRF-allowed origins |
ATLAS_ADMIN_EMAIL | — | User matching this email gets admin role on signup. If unset, first signup gets admin |
Never use the default dev secret in production. Generate a cryptographically random secret: openssl rand -base64 32
# Managed auth for multi-user web apps
BETTER_AUTH_SECRET=$(openssl rand -base64 32)
BETTER_AUTH_URL=https://api.example.com
BETTER_AUTH_TRUSTED_ORIGINS=https://app.example.com
ATLAS_ADMIN_EMAIL=admin@example.com
DATABASE_URL=postgresql://user:pass@host:5432/atlasSocial Login (OAuth)
Optional. Only applies to managed auth. Uncomment a provider block to enable social sign-in alongside email/password. Providers are auto-detected — only those with both CLIENT_ID and CLIENT_SECRET set are enabled.
| Variable | Default | Description |
|---|---|---|
GOOGLE_CLIENT_ID | — | Google OAuth 2.0 client ID |
GOOGLE_CLIENT_SECRET | — | Google OAuth 2.0 client secret |
GITHUB_CLIENT_ID | — | GitHub OAuth app client ID |
GITHUB_CLIENT_SECRET | — | GitHub OAuth app client secret |
MICROSOFT_CLIENT_ID | — | Microsoft Entra ID (Azure AD) application client ID |
MICROSOFT_CLIENT_SECRET | — | Microsoft Entra ID client secret |
MICROSOFT_TENANT_ID | common | Tenant restriction: common, organizations, consumers, or a specific tenant UUID |
# Enable Google + GitHub social login
GOOGLE_CLIENT_ID=123456789.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-...
GITHUB_CLIENT_ID=Iv1.abc123
GITHUB_CLIENT_SECRET=ghs_...BYOT (Bring Your Own Token)
| Variable | Default | Description |
|---|---|---|
ATLAS_AUTH_JWKS_URL | — | JWKS endpoint URL for JWT signature verification |
ATLAS_AUTH_ISSUER | — | Expected JWT iss claim (required) |
ATLAS_AUTH_AUDIENCE | — | Expected JWT aud claim (optional) |
ATLAS_AUTH_ROLE_CLAIM | role then atlas_role | Dot-delimited JWT claim path for role extraction (e.g. app_metadata.role). Default is a fallback chain: Atlas checks the role claim first, then falls back to atlas_role if role is not present |
# BYOT with Auth0
ATLAS_AUTH_JWKS_URL=https://your-tenant.auth0.com/.well-known/jwks.json
ATLAS_AUTH_ISSUER=https://your-tenant.auth0.com/
ATLAS_AUTH_AUDIENCE=https://api.example.com
# Nested claim for role extraction
ATLAS_AUTH_ROLE_CLAIM=app_metadata.atlas_roleRate Limiting
| Variable | Default | Description |
|---|---|---|
ATLAS_RATE_LIMIT_RPM | 0 (disabled) | Max requests per minute per user. 0 or unset = unlimited |
ATLAS_TRUST_PROXY | false | Trust X-Forwarded-For / X-Real-IP headers. Set true behind a reverse proxy |
# Production rate limiting behind a reverse proxy
ATLAS_RATE_LIMIT_RPM=30
ATLAS_TRUST_PROXY=trueSee Rate Limiting & Retry for client-side handling, SDK retry patterns, and troubleshooting.
Abuse Prevention
| Variable | Default | Description |
|---|---|---|
ATLAS_ABUSE_QUERY_RATE | 200 | Max queries per workspace per sliding window |
ATLAS_ABUSE_WINDOW_SECONDS | 300 | Sliding window duration in seconds |
ATLAS_ABUSE_ERROR_RATE | 0.5 | Max error rate (0–1) before escalation |
ATLAS_ABUSE_UNIQUE_TABLES | 50 | Max unique tables accessed per window |
ATLAS_ABUSE_THROTTLE_DELAY_MS | 2000 | Delay injected for throttled workspaces (ms) |
# Stricter abuse detection for production
ATLAS_ABUSE_QUERY_RATE=100
ATLAS_ABUSE_ERROR_RATE=0.3
ATLAS_ABUSE_THROTTLE_DELAY_MS=5000See Abuse Prevention for details on graduated response and admin reinstatement.
Session Timeouts
| Variable | Default | Description |
|---|---|---|
ATLAS_SESSION_IDLE_TIMEOUT | 0 (disabled) | Seconds of inactivity before a session is invalidated |
ATLAS_SESSION_ABSOLUTE_TIMEOUT | 0 (disabled) | Maximum session lifetime in seconds from creation |
# 1 hour idle timeout, 24 hour absolute timeout
ATLAS_SESSION_IDLE_TIMEOUT=3600
ATLAS_SESSION_ABSOLUTE_TIMEOUT=86400These can also be configured via atlas.config.ts or changed at runtime via Admin > Settings.
Multi-Tenancy
| Variable | Default | Description |
|---|---|---|
ATLAS_ORG_ID | — | Organization ID for org-scoped semantic layer selection. CLI-only — when set, the CLI reads/writes to semantic/.orgs/{orgId}/ instead of semantic/. Requires managed auth (DATABASE_URL + BETTER_AUTH_SECRET). Can also be passed via --org flag. The API server derives the org from the authenticated session, not this variable |
Semantic Layer
| Variable | Default | Description |
|---|---|---|
ATLAS_SEMANTIC_ROOT | semantic/ under cwd (absolute) | Development/testing override for the semantic layer directory. For production path customization, use the semanticLayer field in atlas.config.ts instead |
ATLAS_SEMANTIC_INDEX_ENABLED | true | Set false to disable the pre-computed semantic index. The index pre-computes a summary of the semantic layer and injects it into the agent system prompt to reduce explore tool calls |
For additional index configuration, use atlas.config.ts.
# Development: override semantic layer location (for production, use atlas.config.ts)
ATLAS_SEMANTIC_ROOT=/tmp/test-semantic
# Disable pre-computed index (agent will use explore tool instead)
ATLAS_SEMANTIC_INDEX_ENABLED=falseRow-Level Security
Env var shorthand for a single global RLS policy. For per-table policies, use atlas.config.ts. See Row-Level Security for the full guide.
| Variable | Default | Description |
|---|---|---|
ATLAS_RLS_ENABLED | — | Set true to enable RLS filtering on queries |
ATLAS_RLS_COLUMN | — | Column name used for filtering (e.g. tenant_id) |
ATLAS_RLS_CLAIM | — | JWT/session claim path for RLS value extraction (e.g. org_id) |
ATLAS_RLS_CLAIMS | — | Static JSON claims for RLS with simple-key auth |
ATLAS_RLS_CLAIMS is only used with simple-key (ATLAS_API_KEY) auth, where there is no JWT or session to extract claims from. For managed and BYOT auth, RLS claims are extracted from the user's JWT/session automatically.
# Single global RLS policy via env vars
ATLAS_RLS_ENABLED=true
ATLAS_RLS_COLUMN=tenant_id
ATLAS_RLS_CLAIM=org_id
# Static claims for simple-key auth
ATLAS_RLS_CLAIMS='{"tenant_id": "acme-corp"}'Sandbox & Isolation
Explore tool isolation backends. See Sandbox Architecture for the full selection priority.
| Variable | Default | Description |
|---|---|---|
ATLAS_RUNTIME | — | Runtime hint: vercel enables Vercel-specific sandbox and optimizations |
ATLAS_SANDBOX | — | Set nsjail to enforce nsjail isolation (hard fail if unavailable) |
ATLAS_SANDBOX_URL | — | Sidecar service URL for explore isolation (e.g. http://sandbox-sidecar:8080) |
SIDECAR_AUTH_TOKEN | — | Shared secret for sidecar auth (set on both API and sidecar) |
SEMANTIC_DIR | /semantic | Sidecar only: directory where the sidecar serves semantic layer files. Defaults to /semantic via the sidecar Dockerfile, but can be overridden at container runtime. Not used by the main API |
ATLAS_NSJAIL_PATH | Auto-detected | Explicit path to nsjail binary |
ATLAS_NSJAIL_TIME_LIMIT | 10 | nsjail per-command time limit in seconds |
ATLAS_NSJAIL_MEMORY_LIMIT | 256 | nsjail per-command memory limit in MB |
ATLAS_SANDBOX_PRIORITY | — | Comma-separated backend priority order (e.g. sidecar,nsjail,just-bash). Valid values: vercel-sandbox, nsjail, sidecar, just-bash. Plugin backends always take highest priority. See Configuration |
# Local dev: sidecar via docker compose (bun run db:up)
ATLAS_SANDBOX_URL=http://localhost:8080# Production: sidecar as a separate service
ATLAS_SANDBOX_URL=http://sandbox-sidecar:8080
# Optional: shared secret for sidecar auth
SIDECAR_AUTH_TOKEN=your-shared-secret# Self-hosted: nsjail for process isolation
ATLAS_SANDBOX=nsjail
# Optional: tune limits
ATLAS_NSJAIL_TIME_LIMIT=10
ATLAS_NSJAIL_MEMORY_LIMIT=256Networking & CORS
| Variable | Default | Description |
|---|---|---|
ATLAS_PUBLIC_URL | — | Public base URL for constructing action approval URLs. When not set, derived from request headers. Set explicitly in production for reliable approve/deny links in /api/v1/query responses |
ATLAS_CORS_ORIGIN | * | CORS allowed origin. Must set explicitly for cross-origin + managed auth (cookie-based) |
NEXT_PUBLIC_ATLAS_API_URL | — | Next.js frontend: cross-origin API URL. When unset, same-origin via Next.js rewrites |
NEXT_PUBLIC_ATLAS_AUTH_MODE | — | Enables proxy-level route protection in the Next.js frontend. When set to managed, unauthenticated users are redirected to /signup. Other auth modes skip proxy enforcement |
ATLAS_API_URL | http://localhost:3001 | Rewrite target for same-origin mode (only used when NEXT_PUBLIC_ATLAS_API_URL is unset) |
# Production: cross-origin setup
ATLAS_CORS_ORIGIN=https://app.example.com
NEXT_PUBLIC_ATLAS_API_URL=https://api.example.com
ATLAS_PUBLIC_URL=https://api.example.comData Residency
Settings for multi-region deployments with per-workspace region routing. See also residency in atlas.config.ts and the Data Residency guide.
| Variable | Default | Description |
|---|---|---|
ATLAS_API_REGION | — | Region identity of this API instance (e.g. us-west, eu-west, ap-southeast). Used for misrouting detection. Falls back to residency.defaultRegion from config if unset |
ATLAS_STRICT_ROUTING | false | When true, misrouted requests receive 421 Misdirected Request with a correctApiUrl hint instead of being served with a warning log |
ATLAS_INTERNAL_SECRET | — | Shared secret for cross-region service-to-service auth. Required for region migration operations. Both the source and target API instances must share the same secret |
Appearance
| Variable | Default | Description |
|---|---|---|
ATLAS_BRAND_COLOR | oklch(0.759 0.148 167.71) | Primary brand color in oklch format. Used for theme tokens across the chat UI and admin console |
Actions
Action framework settings. These can also be configured via atlas.config.ts. See the Actions guide for the full setup.
| Variable | Default | Description |
|---|---|---|
ATLAS_ACTIONS_ENABLED | — | Set true to enable the action framework (approval-gated write operations) |
ATLAS_ACTION_APPROVAL | manual | Default approval mode for actions: auto, manual, or admin-only |
ATLAS_ACTION_TIMEOUT | — | Per-action execution timeout in milliseconds |
ATLAS_ACTION_MAX_PER_CONVERSATION | — | Maximum number of actions allowed per conversation |
ATLAS_EMAIL_ALLOWED_DOMAINS | — | Comma-separated list of allowed email recipient domains for the email action plugin. When unset, all domains are allowed |
# Enable actions with admin-only approval
ATLAS_ACTIONS_ENABLED=true
ATLAS_ACTION_APPROVAL=admin-only
# Restrict email recipients to your domain
ATLAS_EMAIL_ALLOWED_DOMAINS=example.com,trusted-partner.comScheduler
Scheduled task execution. Can also be configured via atlas.config.ts. See Scheduled Tasks for the full guide.
| Variable | Default | Description |
|---|---|---|
ATLAS_SCHEDULER_ENABLED | — | Set true to enable scheduled task execution |
ATLAS_SCHEDULER_BACKEND | bun | Execution backend: bun, webhook, or vercel |
ATLAS_SCHEDULER_SECRET | — | Shared secret for the /tick endpoint (non-Vercel). On Vercel, use CRON_SECRET instead |
CRON_SECRET | — | Vercel-native alternative to ATLAS_SCHEDULER_SECRET. When set, the /tick endpoint requires Authorization: Bearer <secret>. Takes precedence over ATLAS_SCHEDULER_SECRET |
ATLAS_SCHEDULER_MAX_CONCURRENT | 5 | Max concurrent task executions per tick |
ATLAS_SCHEDULER_TIMEOUT | 60000 | Per-task timeout in milliseconds |
ATLAS_SCHEDULER_TICK_INTERVAL | 60 | Tick interval in seconds |
Scheduler backend options:
bun— In-process tick loop. Simplest for single-instance deployments.webhook— External cron service hitsPOST /:id/run. Use when you need external scheduling.vercel— Vercel Cron hitsPOST /tick. Use on Vercel deployments.
Dynamic Learning
| Variable | Default | Description |
|---|---|---|
ATLAS_LEARN_CONFIDENCE_THRESHOLD | 0.7 | Minimum confidence score (0–1) for a learned pattern to be eligible for auto-promotion. Used by the atlas learn CLI command and the dynamic learning loop. Can also be set via atlas.config.ts |
Python Tool
| Variable | Default | Description |
|---|---|---|
ATLAS_PYTHON_ENABLED | — | Set true to enable the executePython agent tool. Requires ATLAS_SANDBOX_URL to be set (Python runs in the sandbox sidecar for isolation) |
ATLAS_PYTHON_TIMEOUT | 30000 | Python execution timeout in milliseconds |
See Python Tool for the full guide.
Email Delivery
| Variable | Default | Description |
|---|---|---|
RESEND_API_KEY | — | Resend API key for email delivery in scheduled tasks and onboarding emails |
ATLAS_EMAIL_FROM | Atlas <noreply@useatlas.dev> | From address for scheduled task and onboarding emails |
ATLAS_SMTP_URL | — | Webhook URL for email delivery (POST JSON with from, to, subject, html). Alternative to Resend |
ATLAS_ONBOARDING_EMAILS_ENABLED | false | Enable automated onboarding drip campaign for new signups. Requires DATABASE_URL and either RESEND_API_KEY or ATLAS_SMTP_URL |
Slack Integration
| Variable | Default | Description |
|---|---|---|
SLACK_SIGNING_SECRET | — | Enables Slack integration. Used to verify request signatures |
SLACK_BOT_TOKEN | — | Single-workspace mode (skip OAuth) |
SLACK_CLIENT_ID | — | Multi-workspace OAuth app client ID |
SLACK_CLIENT_SECRET | — | Multi-workspace OAuth app client secret |
See Slack guide for the full setup.
Discord Integration
| Variable | Default | Description |
|---|---|---|
DISCORD_CLIENT_ID | — | Discord OAuth application client ID. Enables Discord integration routes. Required for Discord OAuth connect flow |
DISCORD_CLIENT_SECRET | — | Discord OAuth application client secret. Required for Discord OAuth token exchange |
# Discord integration for guild (server) authorization
DISCORD_CLIENT_ID=123456789012345678
DISCORD_CLIENT_SECRET=your-discord-client-secretTeams Integration
| Variable | Default | Description |
|---|---|---|
TEAMS_APP_ID | — | Microsoft Teams app ID. Enables Teams integration routes. Required for Teams connect flow |
# Teams integration via Azure AD admin consent
TEAMS_APP_ID=your-teams-app-idJIRA Integration
| Variable | Default | Description |
|---|---|---|
JIRA_BASE_URL | — | Jira instance URL (e.g. https://yourorg.atlassian.net) |
JIRA_EMAIL | — | Jira account email for API authentication |
JIRA_API_TOKEN | — | Jira API token. Generate at id.atlassian.com |
JIRA_DEFAULT_PROJECT | — | Default project key for issue creation (e.g. PROJ). Can be overridden per-action |
Requires the action framework to be enabled (ATLAS_ACTIONS_ENABLED=true).
# JIRA integration for the createJiraTicket action
JIRA_BASE_URL=https://yourorg.atlassian.net
JIRA_EMAIL=you@example.com
JIRA_API_TOKEN=your-api-token
JIRA_DEFAULT_PROJECT=PROJStripe Billing
Stripe billing integration for SaaS deployments. Self-hosted deployments do not need these — the self-hosted experience has no billing or usage limits.
| Variable | Default | Description |
|---|---|---|
STRIPE_SECRET_KEY | — | Stripe secret key (test or live). Enables billing routes and Better Auth Stripe plugin when set |
STRIPE_WEBHOOK_SECRET | — | Stripe webhook signing secret for verifying webhook events |
STRIPE_TEAM_PRICE_ID | — | Stripe Price ID for the Team plan (monthly) |
STRIPE_TEAM_ANNUAL_PRICE_ID | — | Stripe Price ID for the Team plan (annual discount) |
STRIPE_ENTERPRISE_PRICE_ID | — | Stripe Price ID for the Enterprise plan |
When STRIPE_SECRET_KEY is set, billing routes are mounted at /api/v1/billing and the Better Auth Stripe plugin handles checkout, webhooks, and subscription lifecycle at /api/auth/stripe/*.
For local development, use Stripe CLI to forward webhooks:
stripe listen --forward-to localhost:3001/api/auth/stripe/webhookEnterprise
| Variable | Default | Description |
|---|---|---|
ATLAS_DEPLOY_MODE | auto | Deployment mode: saas (hosted product features, enterprise-gated), self-hosted, or auto (detect from environment). When auto, resolves to saas if enterprise is enabled and an internal database is configured |
ATLAS_ENTERPRISE_ENABLED | false | Set true to enable enterprise features (SSO, SCIM, PII detection, custom roles). Requires a valid license key for production use |
ATLAS_ENTERPRISE_LICENSE_KEY | — | License key for enterprise features. Obtain from useatlas.dev/enterprise |
ATLAS_APPROVAL_EXPIRY_HOURS | 24 | Hours before pending approval requests auto-expire. See Approval Workflows |
These can also be configured via atlas.config.ts.
SLA Monitoring
SaaS only. Thresholds for SLA alerting.
| Variable | Default | Description |
|---|---|---|
ATLAS_SLA_LATENCY_P99_MS | — | P99 latency threshold in milliseconds. When unset, the system applies an internal default of 5000ms for alert evaluation |
ATLAS_SLA_ERROR_RATE_PCT | — | Error rate threshold as a percentage (0–100). When unset, the system applies an internal default of 5% for alert evaluation |
ATLAS_SLA_WEBHOOK_URL | — | Webhook URL for SLA alert notifications. Receives POST requests with alert payloads |
Backups
SaaS only. Automated internal database backups.
| Variable | Default | Description |
|---|---|---|
ATLAS_BACKUP_SCHEDULE | 0 3 * * * | Cron expression (5 fields) for automated backup schedule |
ATLAS_BACKUP_RETENTION_DAYS | 30 | Number of days to retain backups before automatic deletion |
ATLAS_BACKUP_STORAGE_PATH | ./backups | Directory path for backup file storage. Must not contain .. |
Custom Domains (Railway)
SaaS only. Required for custom domain support via Railway.
| Variable | Default | Description |
|---|---|---|
RAILWAY_API_TOKEN | — | Workspace-scoped Railway API token |
RAILWAY_PROJECT_ID | — | Railway project ID for the Atlas deployment |
RAILWAY_ENVIRONMENT_ID | — | Railway environment ID (e.g. production) |
RAILWAY_WEB_SERVICE_ID | — | Railway service ID for the web service (custom domains point here) |
Demo Mode
| Variable | Default | Description |
|---|---|---|
ATLAS_DEMO_ENABLED | false | Enable demo mode at /demo. Allows unauthenticated users to try Atlas against the sample database with an email gate |
ATLAS_DEMO_RATE_LIMIT_RPM | 10 | Max requests per minute per demo user |
ATLAS_DEMO_MAX_STEPS | 10 | Max agent steps per demo request (lower than authenticated default of 25) |
Requires BETTER_AUTH_SECRET for demo token signing.
Runtime
| Variable | Default | Description |
|---|---|---|
PORT | 3001 | HTTP port for the standalone Hono API server. Most platforms (Railway, Vercel) set this automatically |
Settings
| Variable | Default | Description |
|---|---|---|
ATLAS_SETTINGS_REFRESH_INTERVAL | 30000 | Hot-reload interval for settings in milliseconds (default: 30s). Controls how often the API re-reads workspace-level settings from the database. Set to 0 to disable periodic refresh |
Status Page
| Variable | Default | Description |
|---|---|---|
NEXT_PUBLIC_STATUS_URL | — | External status page URL. When set, the built-in status page redirects here and the app shows incident banners from the feed |
NEXT_PUBLIC_OPENSTATUS_SLUG | — | OpenStatus status page slug for JSON feed. Used to fetch and display incident banners in the web frontend |
Logging & Observability
| Variable | Default | Description |
|---|---|---|
ATLAS_LOG_LEVEL | info | Pino log level: trace, debug, info, warn, error, fatal |
OTEL_EXPORTER_OTLP_ENDPOINT | — | OpenTelemetry collector endpoint (e.g. http://localhost:4318). When set, the API server (atlas-api) and web frontend (atlas) emit distributed trace spans for HTTP requests, agent steps, SQL queries, and explore commands |
See Observability for the full setup guide.
See Also
- Configuration — Declarative
atlas.config.tsfor multi-datasource, plugins, and RLS - Deploy — Platform-specific env var setup for Railway, Vercel, and Docker
- Authentication — Auth mode setup and required variables
- CLI Reference —
atlas doctorvalidates your environment configuration - Troubleshooting — Diagnosing startup errors from missing or invalid variables
Edit on GitHub
Last updated on