Configuration Options
The Hatchet server and engine can be configured via SERVER and DATABASE environment variables. This document contains a list of all available options.
Runtime Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_PORT | Port for the core server | 8080 |
SERVER_URL | Full server URL, including protocol | http://localhost:8080 |
SERVER_GRPC_PORT | Port for the GRPC service | 7070 |
SERVER_GRPC_BIND_ADDRESS | GRPC server bind address | 127.0.0.1 |
SERVER_GRPC_BROADCAST_ADDRESS | GRPC server broadcast address | 127.0.0.1:7070 |
SERVER_GRPC_INSECURE | Controls if the GRPC server is insecure | false |
SERVER_SHUTDOWN_WAIT | Shutdown wait duration | 20s |
SERVER_ENFORCE_LIMITS | Enforce tenant limits | false |
SERVER_ALLOW_SIGNUP | Allow new tenant signups | true |
SERVER_ALLOW_INVITES | Allow new invites | true |
SERVER_ALLOW_CREATE_TENANT | Allow tenant creation | true |
SERVER_ALLOW_CHANGE_PASSWORD | Allow password changes | true |
Database Configuration
| Variable | Description | Default Value |
|---|---|---|
DATABASE_URL | PostgreSQL connection string | 127.0.0.1 |
DATABASE_POSTGRES_HOST | PostgreSQL host | 127.0.0.1 |
DATABASE_POSTGRES_PORT | PostgreSQL port | 5431 |
DATABASE_POSTGRES_USERNAME | PostgreSQL username | hatchet |
DATABASE_POSTGRES_PASSWORD | PostgreSQL password | hatchet |
DATABASE_POSTGRES_DB_NAME | PostgreSQL database name | hatchet |
DATABASE_POSTGRES_SSL_MODE | PostgreSQL SSL mode | disable |
DATABASE_MAX_CONNS | Max database connections | 5 |
DATABASE_LOG_QUERIES | Log database queries | false |
CACHE_DURATION | Cache duration | 60s |
Security Check Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_SECURITY_CHECK_ENABLED | Enable security check | true |
SERVER_SECURITY_CHECK_ENDPOINT | Security check endpoint | https://security.hatchet.run |
Limit Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_LIMITS_DEFAULT_TENANT_RETENTION_PERIOD | Default tenant retention period | 720h |
SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_LIMIT | Default workflow run limit | 1000 |
SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_ALARM_LIMIT | Default workflow run alarm limit | 750 |
SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_WINDOW | Default workflow run window | 24h |
SERVER_LIMITS_DEFAULT_WORKER_LIMIT | Default worker limit | 4 |
SERVER_LIMITS_DEFAULT_WORKER_ALARM_LIMIT | Default worker alarm limit | 2 |
SERVER_LIMITS_DEFAULT_EVENT_LIMIT | Default event limit | 1000 |
SERVER_LIMITS_DEFAULT_EVENT_ALARM_LIMIT | Default event alarm limit | 750 |
SERVER_LIMITS_DEFAULT_EVENT_WINDOW | Default event window | 24h |
SERVER_LIMITS_DEFAULT_CRON_LIMIT | Default cron limit | 5 |
SERVER_LIMITS_DEFAULT_CRON_ALARM_LIMIT | Default cron alarm limit | 2 |
SERVER_LIMITS_DEFAULT_SCHEDULE_LIMIT | Default schedule limit | 1000 |
SERVER_LIMITS_DEFAULT_SCHEDULE_ALARM_LIMIT | Default schedule alarm limit | 750 |
Alerting Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_ALERTING_SENTRY_ENABLED | Enable Sentry for alerting | |
SERVER_ALERTING_SENTRY_DSN | Sentry DSN | |
SERVER_ALERTING_SENTRY_ENVIRONMENT | Sentry environment | development |
Encryption Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_ENCRYPTION_MASTER_KEYSET | Raw master keyset, base64-encoded JSON string | |
SERVER_ENCRYPTION_MASTER_KEYSET_FILE | Path to the master keyset file | |
SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET | Public JWT keyset, base64-encoded JSON string | |
SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET_FILE | Path to the public JWT keyset file | |
SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET | Private JWT keyset, base64-encoded JSON string | |
SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET_FILE | Path to the private JWT keyset file | |
SERVER_ENCRYPTION_CLOUDKMS_ENABLED | Whether Google Cloud KMS is enabled | false |
SERVER_ENCRYPTION_CLOUDKMS_KEY_URI | URI of the key in Google Cloud KMS | |
SERVER_ENCRYPTION_CLOUDKMS_CREDENTIALS_JSON | JSON credentials for Google Cloud KMS |
Authentication Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_AUTH_RESTRICTED_EMAIL_DOMAINS | Restricted email domains | |
SERVER_AUTH_BASIC_AUTH_ENABLED | Whether basic auth is enabled | true |
SERVER_AUTH_SET_EMAIL_VERIFIED | Whether the user’s email is set to verified automatically | false |
SERVER_AUTH_COOKIE_NAME | Name of the cookie | hatchet |
SERVER_AUTH_COOKIE_DOMAIN | Domain for the cookie | |
SERVER_AUTH_COOKIE_SECRETS | Cookie secrets | |
SERVER_AUTH_COOKIE_INSECURE | Whether the cookie is insecure | false |
SERVER_AUTH_GOOGLE_ENABLED | Whether Google auth is enabled | false |
SERVER_AUTH_GOOGLE_CLIENT_ID | Google auth client ID | |
SERVER_AUTH_GOOGLE_CLIENT_SECRET | Google auth client secret | |
SERVER_AUTH_GOOGLE_SCOPES | Google auth scopes | ["openid", "profile", "email"] |
SERVER_AUTH_GITHUB_ENABLED | Whether GitHub auth is enabled | false |
SERVER_AUTH_GITHUB_CLIENT_ID | GitHub auth client ID | |
SERVER_AUTH_GITHUB_CLIENT_SECRET | GitHub auth client secret | |
SERVER_AUTH_GITHUB_SCOPES | GitHub auth scopes | ["read:user", "user:email"] |
Task Queue Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_MSGQUEUE_KIND | Message queue kind | |
SERVER_MSGQUEUE_RABBITMQ_URL | RabbitMQ URL | amqp://user:password@localhost:5672/ |
TLS Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_TLS_STRATEGY | TLS strategy | |
SERVER_TLS_CERT | TLS certificate | |
SERVER_TLS_CERT_FILE | Path to the TLS certificate file | |
SERVER_TLS_KEY | TLS key | |
SERVER_TLS_KEY_FILE | Path to the TLS key file | |
SERVER_TLS_ROOT_CA | TLS root CA | |
SERVER_TLS_ROOT_CA_FILE | Path to the TLS root CA file | |
SERVER_TLS_SERVER_NAME | TLS server name |
Logging Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_LOGGER_LEVEL | Logger level | |
SERVER_LOGGER_FORMAT | Logger format | |
DATABASE_LOGGER_LEVEL | Logger level | |
DATABASE_LOGGER_FORMAT | Logger format |
OpenTelemetry Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_OTEL_SERVICE_NAME | Service name for OpenTelemetry | |
SERVER_OTEL_COLLECTOR_URL | Collector URL for OpenTelemetry | |
SERVER_OTEL_INSECURE | Whether to use an insecure connection to the collector URL |
Tenant Alerting Configuration
| Variable | Description | Default Value |
|---|---|---|
SERVER_TENANT_ALERTING_SLACK_ENABLED | Enable Slack for tenant alerting | |
SERVER_TENANT_ALERTING_SLACK_CLIENT_ID | Slack client ID | |
SERVER_TENANT_ALERTING_SLACK_CLIENT_SECRET | Slack client secret | |
SERVER_TENANT_ALERTING_SLACK_SCOPES | Slack scopes | ["incoming-webhook"] |