Environment Variables
Reference of all supported environment variables, grouped by category.
Client var prefix differs by app. Browser-exposed (client) variables are build-time inlined and the prefix depends on which dashboard you run:
| App | Client prefix | Read via |
|---|---|---|
apps/dashboard (Next.js, legacy) | NEXT_PUBLIC_* | process.env.NEXT_PUBLIC_* |
apps/dashboard-tsr (TanStack Start) | VITE_* | import.meta.env.VITE_* |
Same variable, different prefix — e.g. NEXT_PUBLIC_AUTH_PROVIDER ↔ VITE_AUTH_PROVIDER, NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY ↔ VITE_CLERK_PUBLISHABLE_KEY. The tables below list the legacy NEXT_PUBLIC_* names; for the TanStack app substitute the VITE_ prefix. Worker [vars] are runtime-only and never reach the client, so these MUST be set at build time (CI build step / vite.config.ts). Authoritative TanStack reference: apps/dashboard-tsr/.env.example.
ClickHouse Connection
Required. At minimum set CLICKHOUSE_HOST.
| Variable | Default | Description |
|---|---|---|
CLICKHOUSE_HOST | — (required) | Comma-separated ClickHouse host URLs. |
CLICKHOUSE_USER | default | Comma-separated usernames. |
CLICKHOUSE_PASSWORD | "" | Comma-separated passwords. |
CLICKHOUSE_NAME | — | Comma-separated custom labels shown in the host selector. |
Each position across the comma-separated values maps to the same host index. All four vars must have the same number of values.
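The positional mapping described above, as an added example that is not the project's own code: it shows why a count mismatch has to be rejected, since otherwise one host's credentials would line up with another host. The function name and the fallback behaviour for unset variables are assumptions.

```javascript
// Added example, not project code. parseClickHouseHosts() is a hypothetical name.
// Assumption: an unset or empty USER/PASSWORD/NAME falls back to its documented
// default for every host; a variable that is set must match CLICKHOUSE_HOST in count.
function parseClickHouseHosts(env) {
  if (!env.CLICKHOUSE_HOST) throw new Error('CLICKHOUSE_HOST is required');
  const hosts = env.CLICKHOUSE_HOST.split(',').map((h) => h.trim());
  if (hosts.includes('')) throw new Error('CLICKHOUSE_HOST contains an empty entry');

  const column = (name, fallback, trim = true) => {
    const raw = env[name];
    if (raw === undefined || raw === '') return hosts.map(() => fallback);
    // Empty items are kept: "a,,b" is three positions, the middle one empty.
    const values = raw.split(',').map((v) => (trim ? v.trim() : v));
    if (values.length !== hosts.length) {
      // Report counts only; the values may be passwords.
      throw new Error(`${name} has ${values.length} value(s) but CLICKHOUSE_HOST has ${hosts.length}`);
    }
    return values;
  };

  const users = column('CLICKHOUSE_USER', 'default');
  const passwords = column('CLICKHOUSE_PASSWORD', '', false); // never trim a secret
  const names = column('CLICKHOUSE_NAME', '');
  return hosts.map((host, id) => ({
    id, host, user: users[id] || 'default', password: passwords[id], name: names[id] || host,
  }));
}

// Constructed sample values.
const sampleEnv = {
  CLICKHOUSE_HOST: 'https://ch-a.example.com:8443, https://ch-b.example.com:8443',
  CLICKHOUSE_USER: 'monitor_a,monitor_b',
  CLICKHOUSE_PASSWORD: 'pw-a,pw-b',
  CLICKHOUSE_NAME: 'prod,staging',
};
console.log(parseClickHouseHosts(sampleEnv).map(({ password, ...rest }) => rest));
```

The page documents no escaping for the separator, so a password that contains a comma cannot be expressed in this format and would shift every later position.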
Query Execution
| Variable | Default | Description |
|---|---|---|
CLICKHOUSE_MAX_EXECUTION_TIME | 60 | Query timeout in seconds. |
CLICKHOUSE_TZ | server default | Time zone for date/time formatting. |
NEXT_QUERY_CACHE_TTL | 3600 | Server-side query cache TTL in seconds. |
CLICKHOUSE_DATABASE | system | Database for app-owned tables (events, dashboards). |
EVENTS_TABLE_NAME | system.monitoring_events | Full override for the self-tracking events table. |
Connection Pool
| Variable | Default | Description |
|---|---|---|
CLICKHOUSE_POOL_SIZE | 10 | Max concurrent ClickHouse clients per host config. |
CLICKHOUSE_POOL_TIMEOUT | 300000 | Idle client timeout in ms (5 min). |
CLICKHOUSE_POOL_CLEANUP_INTERVAL | 60000 | Stale-client cleanup interval in ms (1 min). |
Health Alerting (Cron Sweep)
The autonomous health sweep (GET /api/cron/health-sweep, triggered by the
Cloudflare Cron Trigger every 5 minutes) runs the same health checks as the
Health dashboard over all configured hosts and dispatches webhook alerts —
even when no browser tab is open. Unlike the in-app alert settings (stored
per-browser in localStorage), the cron sweep reads its configuration from env.
| Variable | Default | Description |
|---|---|---|
CRON_SECRET | — | Shared secret guarding /api/cron/health-sweep. Sent as Authorization: Bearer <secret> or ?secret=. When unset, the endpoint is open. |
HEALTH_ALERT_ENABLED | false | Set to true to POST webhook alerts. When false, checks still run but no alert is sent. |
HEALTH_ALERT_WEBHOOK_URL | — | Slack/Discord-compatible webhook URL. Required for alerts to dispatch. |
HEALTH_ALERT_MIN_SEVERITY | warning | Minimum severity to alert on: warning (warning + critical) or critical (critical only). |
# Example: alert to Slack on warning-or-worse, every 5 minutes
CRON_SECRET=a-long-random-string
HEALTH_ALERT_ENABLED=true
HEALTH_ALERT_WEBHOOK_URL=https://hooks.slack.com/services/T000/B000/XXXX
HEALTH_ALERT_MIN_SEVERITY=warning
Feature Permissions
All features are public and enabled by default. Override only what needs different behavior.
| Variable | Default | Description |
|---|---|---|
CHM_CONFIG_FILE | — | Path to TOML/YAML config file for feature overrides. |
CHM_DISABLED_FEATURES | — | Comma-separated feature ids to disable. |
CHM_AUTH_REQUIRED_FEATURES | — | Comma-separated feature ids that require authentication. |
CHM_FEATURE_{ID}_ACCESS | public | Per-feature access level: public, guest, authenticated. |
CHM_FEATURE_{ID}_ENABLED | true | Per-feature enabled/disabled flag. |
Replace {ID} with an uppercase feature id: AGENT, TABLES, METRICS,
SETTINGS, ACTIONS, MCP, PEERDB, INSIGHTS, SECURITY, LOGS,
CLUSTER, OPERATIONS, DASHBOARD, OVERVIEW, QUERIES, HEALTH, DOCS,
ABOUT.
# Examples
CHM_FEATURE_AGENT_ACCESS=authenticated
CHM_FEATURE_METRICS_ENABLED=false
CHM_FEATURE_SETTINGS_ACCESS=authenticated
See the Feature Permissions guide for full details.
Authentication
The active server-side auth provider is chosen by CHM_AUTH_PROVIDER. See the
Authentication reference for the full model
(public, API key, Clerk, and reverse-proxy methods).
| Variable | Default | Description |
|---|---|---|
CHM_AUTH_PROVIDER | none | Server auth provider: none, clerk, proxy. |
NEXT_PUBLIC_AUTH_PROVIDER | none | Client-side auth provider (mirror CHM_AUTH_PROVIDER). |
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY | — | Clerk publishable key (pk_...). |
CLERK_SECRET_KEY | — | Clerk secret key (sk_...). |
CHM_API_KEY_SECRET | — | Shared secret for chm_ API keys (/api/v1/auth/api-key + MCP auth). When set, API-key auth is always on alongside the provider. |
Reverse proxy (CHM_AUTH_PROVIDER=proxy)
Trust a reverse proxy that already authenticated the user. Either mechanism below authenticates a request; whichever succeeds first wins.
| Variable | Default | Description |
|---|---|---|
CHM_CF_ACCESS_TEAM_DOMAIN | — | Cloudflare Access team URL (https://<team>.cloudflareaccess.com). Enables Cf-Access-Jwt-Assertion JWT verification. |
CHM_CF_ACCESS_AUD | — | Access application AUD tag the JWT must carry. |
CHM_PROXY_AUTH_SECRET | — | Shared secret. When set, a trusted identity header is honored only if the request also presents this secret (constant-time compared). Set via wrangler secret put. |
CHM_PROXY_SHARED_SECRET_HEADER | X-Chm-Proxy-Secret | Header the proxy sets to the shared secret. |
CHM_PROXY_AUTH_HEADER | X-Forwarded-User | Header the proxy sets to the authenticated user identity. |
Without CHM_PROXY_AUTH_SECRET, the trusted-header mechanism is disabled, since otherwise any client could forge X-Forwarded-User on a publicly-reachable worker.
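The shared-secret rule above as an added example (not the project's own code): the identity header is honored only when the secret header matches, and never when the secret is unset. `resolveProxyIdentity` and `constantTimeEqual` are hypothetical names, the Cloudflare Access JWT path is not covered, and the manual comparison loop stands in for the platform primitive.

```javascript
// Added example, not project code. Header names and defaults come from the
// table above; function names are hypothetical.
// In production prefer the platform primitive: crypto.subtle.timingSafeEqual
// on Workers, crypto.timingSafeEqual in Node.
function constantTimeEqual(presented, expected) {
  const a = new TextEncoder().encode(presented);
  const b = new TextEncoder().encode(expected);
  let diff = a.length ^ b.length;
  // Walk the whole presented value; no early exit on the first mismatch.
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i % (b.length || 1)];
  return diff === 0;
}

// `headers` is a Fetch API Headers object (case-insensitive lookup).
function resolveProxyIdentity(headers, env) {
  if (env.CHM_AUTH_PROVIDER !== 'proxy') return null;
  const secret = env.CHM_PROXY_AUTH_SECRET;
  if (!secret) return null; // mechanism disabled: the identity header is untrusted
  const secretHeader = env.CHM_PROXY_SHARED_SECRET_HEADER || 'X-Chm-Proxy-Secret';
  const userHeader = env.CHM_PROXY_AUTH_HEADER || 'X-Forwarded-User';
  const presented = headers.get(secretHeader);
  if (presented === null || !constantTimeEqual(presented, secret)) return null;
  const user = (headers.get(userHeader) || '').trim();
  return user === '' ? null : user;
}

// Constructed requests: one relayed by the proxy, one sent straight to the worker.
const proxyEnv = { CHM_AUTH_PROVIDER: 'proxy', CHM_PROXY_AUTH_SECRET: 'constructed-secret-value' };
const fromProxy = new Headers({
  'X-Forwarded-User': 'alice@example.com',
  'X-Chm-Proxy-Secret': 'constructed-secret-value',
});
const forged = new Headers({ 'X-Forwarded-User': 'admin@example.com' });
console.log(resolveProxyIdentity(fromProxy, proxyEnv));
console.log(resolveProxyIdentity(forged, proxyEnv));
```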
AI Agent / LLM Provider
The AI agent uses an OpenAI-compatible API. At minimum set LLM_API_KEY.
| Variable | Default | Description |
|---|---|---|
LLM_API_KEY | — | Provider API key. |
LLM_API_BASE | https://openrouter.ai/api/v1 | API base URL. |
LLM_MODEL | openrouter:openrouter/free | Model identifier. |
Provider-Specific
| Variable | Default | Description |
|---|---|---|
ANYROUTER_API_KEY | — | AnyRouter API key. |
ANYROUTER_API_BASE | — | AnyRouter API base URL. |
OPENROUTER_API_KEY | — | OpenRouter API key. |
OPENROUTER_API_BASE | — | OpenRouter API base URL. |
OPENROUTER_REFERER | — | OpenRouter referer header for rankings. |
OPENROUTER_APP_NAME | — | OpenRouter app name for rankings. |
OPENROUTER_MODELS_API | https://openrouter.ai/api/v1/models | OpenRouter models list endpoint. |
NVIDIA_API_KEY | — | NVIDIA NIM API key. |
NVIDIA_API_BASE | — | NVIDIA NIM API base URL. |
Agent Behaviour
| Variable | Default | Description |
|---|---|---|
AGENT_API_TOKEN | — | Shared token for agent API Bearer auth. |
AGENT_ENABLE_CONTROL_TOOLS | false | Enables kill-query, optimize, and other write actions. |
Conversation Store
| Variable | Default | Description |
|---|---|---|
AGENT_CONVERSATION_PERSISTENCE | false | Enables server-side agent conversation persistence. |
AGENT_CONVERSATION_STORE | auto | Backend: auto, agentstate, d1, durable-object, clickhouse, postgres, memory, or local. |
NEXT_PUBLIC_FEATURE_CONVERSATION_DB | false | Deprecated alias for AGENT_CONVERSATION_PERSISTENCE=true. |
AGENTSTATE_API_KEY | — | AgentState API key. Required for agentstate; must start with as_live_. |
AGENTSTATE_API_BASE | https://agentstate.app/api | AgentState API base URL. |
CONVERSATIONS_D1_DATABASE_ID | — | Cloudflare D1 database UUID for the optional CONVERSATIONS_D1 binding. Required to enable D1-backed conversation storage in deployed environments. |
AGENT_CONVERSATIONS_D1_DATABASE_ID | — | Alias accepted by deploy prep for CONVERSATIONS_D1_DATABASE_ID. |
AGENT_CONVERSATIONS_DO_BINDING | AGENT_CONVERSATIONS_DO | Durable Object binding used by durable-object. |
CLICKHOUSE_AGENT_CONVERSATIONS_TABLE | ${CLICKHOUSE_DATABASE}.agent_conversations | ClickHouse table for clickhouse store. In auto, ClickHouse is tried only when this is explicitly set. |
CLICKHOUSE_AGENT_CONVERSATIONS_AUTO_CREATE | true | Create the ClickHouse conversation table at runtime if missing. |
DATABASE_URL | — | PostgreSQL connection string for postgres. |
POSTGRES_URL | — | Alternative PostgreSQL connection string. |
POSTGRES_PRISMA_URL | — | Prisma-specific PostgreSQL connection string. |
See Agent Conversation Storage for setup commands, backend permissions, and fallback behavior.
PeerDB Monitoring
Optional, view-only. Set PEERDB_API_URL to enable the PeerDB section
(Mirrors and Peers) in the sidebar. When unset, the section shows a
"not configured" state and the proxy returns 503.
| Variable | Default | Description |
|---|---|---|
PEERDB_API_URL | — | Base URL of the PeerDB REST API. For the PeerDB UI (NextAuth), include the /api suffix — e.g. https://peerdb.example.com/api — since it proxies /api/v1/* to the flow-api. For a raw flow-api, use the bare origin — e.g. http://localhost:8113. |
PEERDB_PASSWORD | — | PeerDB UI/API password. Sent as HTTP Basic with an empty username (base64(":" + password)). Leave empty if the API has no auth. Server-side only — never exposed to the browser. |
PEERDB_CACHE_TTL_MS | 10000 | TTL for the server-side response cache (ms). Set 0 to disable. |
PEERDB_CACHE_MAX_ENTRIES | 500 | Max cached responses before oldest entries are evicted. |
PEERDB_FETCH_TIMEOUT_MS | 10000 | Upstream PeerDB request timeout (ms). |
CHM proxies only a read-only allowlist of PeerDB endpoints
(app/api/v1/peerdb/[...slug]); mutating endpoints (create/drop/pause,
alert config, maintenance) are rejected with 403.
# Example: PeerDB UI behind NextAuth
PEERDB_API_URL=https://peerdb.example.com/api
PEERDB_PASSWORD=your-peerdb-ui-password
# Example: raw flow-api (no auth)
PEERDB_API_URL=http://localhost:8113
For local development without a PeerDB instance, run the bundled mock:
bun run peerdb:mock # serves :8113
PEERDB_API_URL=http://localhost:8113 bun run dev
Analytics & Branding
| Variable | Default | Description |
|---|---|---|
NEXT_PUBLIC_TITLE_SHORT | ClickHouse | Browser tab title (short form). |
NEXT_PUBLIC_LOGO | — | Custom logo URL (header branding). |
NEXT_PUBLIC_AUTOCOMPLETE_LIMIT | — | Max results in autocomplete dropdowns. |
NEXT_PUBLIC_MEASUREMENT_ID | — | Google Analytics measurement ID (G-...). |
NEXT_PUBLIC_SELINE_ENABLED | false | Enable Seline analytics. |
NEXT_PUBLIC_VERCEL_ANALYTICS | false | Enable Vercel Analytics. |
NEXT_PUBLIC_POSTHOG_KEY | — | PostHog project API key. |
NEXT_PUBLIC_POSTHOG_HOST | https://us.i.posthog.com | PostHog host URL. |
Runtime & Build
| Variable | Default | Description |
|---|---|---|
NODE_ENV | development | Runtime environment (development, production, test). |
ENABLE_CLOUDFLARE | false | Enable Cloudflare-specific build configuration. |
CLOUDFLARE_WORKERS | — | Set to 1 when running on Cloudflare Workers. |
CF_PAGES | — | Set by Cloudflare Pages at runtime. |
MINIFLARE | — | Set to 1 when running locally with Miniflare. |
DOCS_CONTENT_ROOT | — | Override docs content source directory. |
Build-Time
These are injected at build time for the About page:
| Variable | Description |
|---|---|
NEXT_PUBLIC_GIT_SHA | Current commit SHA. |
NEXT_PUBLIC_GIT_REF | Current git branch or tag. |
NEXT_PUBLIC_BUILD_TIMESTAMP | ISO build timestamp. |
NEXT_PUBLIC_CI | Set to true in CI environments. |
Legacy / Migration
| Variable | Default | Description |
|---|---|---|
CLICKHOUSE_CACHE_TAG | — | Legacy cache tag override (prefer NEXT_QUERY_CACHE_TTL). |
DATABASE_URL | — | Migration / conversation store database URL. |
POSTGRES_URL | — | Migration / conversation store database URL (fallback). |
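A pre-deploy lint for the settings this page marks as security-relevant (the cron endpoint being open without `CRON_SECRET`, proxy auth with no mechanism configured, secrets placed under a client prefix), as an added example that is not part of the project. `auditEnv`, the severity labels and the list of server-only names are this example's own choices.

```javascript
// Added example, not project code. Severity labels are this example's own.
function auditEnv(env) {
  const findings = [];
  const flag = (level, name, message) => findings.push({ level, name, message });
  const client = (name) => env[`NEXT_PUBLIC_${name}`] ?? env[`VITE_${name}`];

  if (!env.CRON_SECRET) {
    flag('high', 'CRON_SECRET', '/api/cron/health-sweep is open when unset');
  }
  if (env.HEALTH_ALERT_ENABLED === 'true' && !env.HEALTH_ALERT_WEBHOOK_URL) {
    flag('medium', 'HEALTH_ALERT_WEBHOOK_URL', 'alerts enabled but no webhook URL to dispatch to');
  }

  const provider = env.CHM_AUTH_PROVIDER || 'none';
  if ((client('AUTH_PROVIDER') || 'none') !== provider) {
    flag('medium', 'NEXT_PUBLIC_AUTH_PROVIDER', 'client provider does not mirror CHM_AUTH_PROVIDER');
  }
  if (provider === 'clerk' && !(env.CLERK_SECRET_KEY && client('CLERK_PUBLISHABLE_KEY'))) {
    flag('high', 'CLERK_SECRET_KEY', 'clerk provider selected without both Clerk keys');
  }
  if (provider === 'proxy' && !env.CHM_CF_ACCESS_TEAM_DOMAIN && !env.CHM_PROXY_AUTH_SECRET) {
    flag('high', 'CHM_PROXY_AUTH_SECRET', 'proxy provider selected but neither mechanism is configured');
  }
  if (env.AGENT_CONVERSATION_STORE === 'agentstate'
      && !String(env.AGENTSTATE_API_KEY || '').startsWith('as_live_')) {
    flag('medium', 'AGENTSTATE_API_KEY', 'agentstate store needs a key starting with as_live_');
  }

  // Anything with a client prefix is inlined into the browser bundle at build time.
  const serverOnly = ['CLERK_SECRET_KEY', 'CHM_API_KEY_SECRET', 'CHM_PROXY_AUTH_SECRET',
    'CRON_SECRET', 'LLM_API_KEY', 'PEERDB_PASSWORD', 'AGENT_API_TOKEN', 'DATABASE_URL'];
  for (const key of Object.keys(env)) {
    const bare = key.replace(/^(NEXT_PUBLIC_|VITE_)/, '');
    if (bare !== key && serverOnly.includes(bare)) {
      flag('high', key, `${bare} must not carry a client prefix`);
    }
  }
  return findings;
}

// Constructed sample: proxy auth chosen, secret mistakenly given a client prefix.
const sample = {
  CHM_AUTH_PROVIDER: 'proxy',
  NEXT_PUBLIC_AUTH_PROVIDER: 'proxy',
  VITE_CHM_PROXY_AUTH_SECRET: 'constructed-value',
  HEALTH_ALERT_ENABLED: 'true',
};
for (const f of auditEnv(sample)) console.log(`[${f.level}] ${f.name}: ${f.message}`);
```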