Configuration Options

The Hatchet server and engine can be configured via environment variables using several prefixes. This document contains a comprehensive list of all 193+ available options organized by component.

Environment Variable Prefixes

Hatchet uses the following environment variable prefixes:

  • SERVER_ (170 variables) - Main server configuration including runtime, authentication, encryption, monitoring, and integrations
  • DATABASE_ (13 variables) - PostgreSQL database connection and configuration
  • READ_REPLICA_ (4 variables) - Read replica database configuration
  • ADMIN_ (3 variables) - Administrator user setup for initial seeding
  • DEFAULT_ (3 variables) - Default tenant configuration
  • SCHEDULER_ (1 variable) - Scheduler-specific rate limiting
  • SEED_ (1 variable) - Development environment seeding
  • CACHE_ (1 variable) - Cache duration settings

Note: This documentation excludes HATCHET_CLIENT_* variables, which are specific to Go SDK client configuration.

Required Environment Variables

The following variables are absolutely required for Hatchet to start successfully:

Encryption Keys (Required - Choose One Strategy)

Option A: Local Encryption Keys

SERVER_ENCRYPTION_MASTER_KEYSET="<base64-encoded-keyset>"
SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET="<base64-encoded-jwt-public>"
SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET="<base64-encoded-jwt-private>"

Option B: File-based Keys

SERVER_ENCRYPTION_MASTER_KEYSET_FILE="/path/to/master.keyset"
SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET_FILE="/path/to/jwt-public.keyset"
SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET_FILE="/path/to/jwt-private.keyset"

Option C: Google Cloud KMS

SERVER_ENCRYPTION_CLOUDKMS_ENABLED=true
SERVER_ENCRYPTION_CLOUDKMS_KEY_URI="gcp-kms://your-key-uri"
SERVER_ENCRYPTION_CLOUDKMS_CREDENTIALS_JSON="<credentials-json>"

Authentication Secrets (Required)

SERVER_AUTH_COOKIE_SECRETS="<secret1> <secret2>"

Database Connection (Required)

Option A: Connection String

DATABASE_URL="postgresql://user:password@host:port/dbname"

Option B: Individual Parameters (uses defaults if not specified)

DATABASE_POSTGRES_HOST=your-postgres-host
DATABASE_POSTGRES_PASSWORD=your-secure-password

Minimal Configuration Example

# Database
DATABASE_URL='postgresql://hatchet:hatchet@127.0.0.1:5431/hatchet'
 
# Encryption (using key files - recommended for development)
SERVER_ENCRYPTION_MASTER_KEYSET_FILE=./keys/master.key
SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET_FILE=./keys/private_ec256.key
SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET_FILE=./keys/public_ec256.key
 
# Authentication
SERVER_AUTH_COOKIE_SECRETS="your-secret-key-1 your-secret-key-2"
SERVER_AUTH_SET_EMAIL_VERIFIED=true
 
# Basic server config
SERVER_PORT=8080
SERVER_URL=http://localhost:8080
 
# Development settings (optional but recommended)
SERVER_GRPC_INSECURE=true
SERVER_INTERNAL_CLIENT_BASE_STRATEGY=none
SERVER_LOGGER_LEVEL=error
SERVER_LOGGER_FORMAT=console
DATABASE_LOGGER_LEVEL=error
DATABASE_LOGGER_FORMAT=console

Generate encryption keys with:

go run ./cmd/hatchet-admin keyset create-local-keys --key-dir ./keys
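
The minimal configuration above relies on development values, and any variable left unset falls back to the defaults listed in the tables on this page. The following Python lint is an added example (not part of Hatchet or its documentation) that flags those values in an env file; the names parse_env and audit, and the precedence of DATABASE_URL over the individual DATABASE_POSTGRES_* parameters, are assumptions.

```python
from urllib.parse import urlsplit

# Defaults copied from this page's tables; an unset variable inherits them.
DEFAULTS = {"ADMIN_PASSWORD": "Admin123!!", "DATABASE_POSTGRES_PASSWORD": "hatchet"}
# Switches the page describes as insecure or sets to true only for development.
RISKY_SWITCHES = ("SERVER_GRPC_INSECURE", "SERVER_AUTH_COOKIE_INSECURE",
                  "SERVER_AUTH_SET_EMAIL_VERIFIED")
# Placeholder secrets that appear verbatim in this page's examples.
PLACEHOLDERS = {"<secret1>", "<secret2>", "your-secret-key-1", "your-secret-key-2"}

# Constructed sample: the page's minimal development configuration, abridged.
SAMPLE_ENV = """\
# Database
DATABASE_URL='postgresql://hatchet:hatchet@127.0.0.1:5431/hatchet'
SERVER_AUTH_COOKIE_SECRETS="your-secret-key-1 your-secret-key-2"
SERVER_AUTH_SET_EMAIL_VERIFIED=true
SERVER_GRPC_INSECURE=true
"""

def parse_env(text):
    """Parse KEY=value lines; skip blanks and # comments, strip one quote pair."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def audit(text):
    """Return {variable: reason} for values that should not reach production."""
    env = {**DEFAULTS, **parse_env(text)}
    findings = {}
    if env["ADMIN_PASSWORD"] == DEFAULTS["ADMIN_PASSWORD"]:
        findings["ADMIN_PASSWORD"] = "seeded admin keeps the documented default"
    if "DATABASE_URL" in env:  # assumption: the URL wins over individual parameters
        if urlsplit(env["DATABASE_URL"]).password == "hatchet":
            findings["DATABASE_URL"] = "password is the documented default"
    elif env["DATABASE_POSTGRES_PASSWORD"] == "hatchet":
        findings["DATABASE_POSTGRES_PASSWORD"] = "password is the documented default"
    for name in RISKY_SWITCHES:
        if env.get(name, "false").lower() == "true":
            findings[name] = "insecure or development-only switch is enabled"
    secrets = env.get("SERVER_AUTH_COOKIE_SECRETS", "").split()
    if not secrets or PLACEHOLDERS & set(secrets):
        findings["SERVER_AUTH_COOKIE_SECRETS"] = "missing or copied from the docs"
    return findings
```

Running audit over the sample reports ADMIN_PASSWORD even though the file never sets it, because the seeding default Admin123!! applies whenever the variable is absent.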

Runtime Configuration

Variables marked with ⚠️ are conditionally required when specific features are enabled.

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_PORT | Port for the core server | 8080 |
| SERVER_URL | Full server URL, including protocol | http://localhost:8080 |
| SERVER_GRPC_PORT | Port for the GRPC service | 7070 |
| SERVER_GRPC_BIND_ADDRESS | GRPC server bind address | 127.0.0.1 |
| SERVER_GRPC_BROADCAST_ADDRESS | GRPC server broadcast address | 127.0.0.1:7070 |
| SERVER_GRPC_INSECURE | Controls if the GRPC server is insecure | false |
| SERVER_SHUTDOWN_WAIT | Shutdown wait duration | 20s |
| SERVER_ENFORCE_LIMITS | Enforce tenant limits | false |
| SERVER_ALLOW_SIGNUP | Allow new tenant signups | true |
| SERVER_ALLOW_INVITES | Allow new invites | true |
| SERVER_ALLOW_CREATE_TENANT | Allow tenant creation | true |
| SERVER_ALLOW_CHANGE_PASSWORD | Allow password changes | true |
| SERVER_HEALTHCHECK | Enable healthcheck endpoint | true |
| SERVER_HEALTHCHECK_PORT | Healthcheck port | 8733 |
| SERVER_GRPC_MAX_MSG_SIZE | gRPC max message size | 4194304 |
| SERVER_GRPC_RATE_LIMIT | gRPC rate limit | 1000 |
| SCHEDULER_CONCURRENCY_RATE_LIMIT | Scheduler concurrency rate limit | 20 |
| SERVER_SERVICES | Services to run | ["all"] |
| SERVER_PAUSED_CONTROLLERS | Paused controllers | |
| SERVER_ENABLE_DATA_RETENTION | Enable data retention | true |
| SERVER_ENABLE_WORKER_RETENTION | Enable worker retention | false |
| SERVER_MAX_PENDING_INVITES | Max pending invites | 100 |
| SERVER_BUFFER_CREATE_WORKFLOW_RUNS | Buffer workflow run creation | true |
| SERVER_DISABLE_TENANT_PUBS | Disable tenant pubsub | |
| SERVER_MAX_INTERNAL_RETRY_COUNT | Max internal retry count | 10 |
| SERVER_PREVENT_TENANT_VERSION_UPGRADE | Prevent tenant version upgrades | false |
| SERVER_DEFAULT_ENGINE_VERSION | Default engine version | V1 |
| SERVER_REPLAY_ENABLED | Enable task replay | true |

Database Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| DATABASE_URL | PostgreSQL connection string | 127.0.0.1 |
| DATABASE_POSTGRES_HOST | PostgreSQL host | 127.0.0.1 |
| DATABASE_POSTGRES_PORT | PostgreSQL port | 5431 |
| DATABASE_POSTGRES_USERNAME | PostgreSQL username | hatchet |
| DATABASE_POSTGRES_PASSWORD | PostgreSQL password | hatchet |
| DATABASE_POSTGRES_DB_NAME | PostgreSQL database name | hatchet |
| DATABASE_POSTGRES_SSL_MODE | PostgreSQL SSL mode | disable |
| DATABASE_MAX_CONNS | Max database connections | 50 |
| DATABASE_MIN_CONNS | Min database connections | 10 |
| DATABASE_MAX_QUEUE_CONNS | Max queue connections | 50 |
| DATABASE_MIN_QUEUE_CONNS | Min queue connections | 10 |
| DATABASE_LOG_QUERIES | Log database queries | false |
| CACHE_DURATION | Cache duration | 5s |
| ADMIN_EMAIL | Admin email for seeding | admin@example.com |
| ADMIN_PASSWORD | Admin password for seeding | Admin123!! |
| ADMIN_NAME | Admin name for seeding | Admin |
| DEFAULT_TENANT_NAME | Default tenant name | Default |
| DEFAULT_TENANT_SLUG | Default tenant slug | default |
| DEFAULT_TENANT_ID | Default tenant ID | |
| SEED_DEVELOPMENT | Development seeding flag | |
| READ_REPLICA_ENABLED | Enable read replica | false |
| READ_REPLICA_DATABASE_URL | Read replica database URL | |
| READ_REPLICA_MAX_CONNS | Read replica max connections | 50 |
| READ_REPLICA_MIN_CONNS | Read replica min connections | 10 |
| DATABASE_LOGGER_LEVEL | Database logger level | |
| DATABASE_LOGGER_FORMAT | Database logger format | |

Security Check Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_SECURITY_CHECK_ENABLED | Enable security check | true |
| SERVER_SECURITY_CHECK_ENDPOINT | Security check endpoint | https://security.hatchet.run |

Limit Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_LIMITS_DEFAULT_TENANT_RETENTION_PERIOD | Default tenant retention period | 720h |
| SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_LIMIT | Default workflow run limit | 1000 |
| SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_ALARM_LIMIT | Default workflow run alarm limit | 750 |
| SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_WINDOW | Default workflow run window | 24h |
| SERVER_LIMITS_DEFAULT_WORKER_LIMIT | Default worker limit | 4 |
| SERVER_LIMITS_DEFAULT_WORKER_ALARM_LIMIT | Default worker alarm limit | 2 |
| SERVER_LIMITS_DEFAULT_EVENT_LIMIT | Default event limit | 1000 |
| SERVER_LIMITS_DEFAULT_EVENT_ALARM_LIMIT | Default event alarm limit | 750 |
| SERVER_LIMITS_DEFAULT_EVENT_WINDOW | Default event window | 24h |
| SERVER_LIMITS_DEFAULT_CRON_LIMIT | Default cron limit | 5 |
| SERVER_LIMITS_DEFAULT_CRON_ALARM_LIMIT | Default cron alarm limit | 2 |
| SERVER_LIMITS_DEFAULT_SCHEDULE_LIMIT | Default schedule limit | 1000 |
| SERVER_LIMITS_DEFAULT_SCHEDULE_ALARM_LIMIT | Default schedule alarm limit | 750 |
| SERVER_LIMITS_DEFAULT_TASK_RUN_LIMIT | Default task run limit | 2000 |
| SERVER_LIMITS_DEFAULT_TASK_RUN_ALARM_LIMIT | Default task run alarm limit | 1500 |
| SERVER_LIMITS_DEFAULT_TASK_RUN_WINDOW | Default task run window | 24h |
| SERVER_LIMITS_DEFAULT_WORKER_SLOT_LIMIT | Default worker slot limit | 4000 |
| SERVER_LIMITS_DEFAULT_WORKER_SLOT_ALARM_LIMIT | Default worker slot alarm limit | 3000 |

Alerting Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_ALERTING_SENTRY_ENABLED | Enable Sentry for alerting | |
| SERVER_ALERTING_SENTRY_DSN | Sentry DSN | |
| SERVER_ALERTING_SENTRY_ENVIRONMENT | Sentry environment | development |
| SERVER_ALERTING_SENTRY_SAMPLE_RATE | Sentry sample rate | 1.0 |
| SERVER_ANALYTICS_POSTHOG_ENABLED | Enable PostHog analytics | |
| SERVER_ANALYTICS_POSTHOG_API_KEY | PostHog API key | |
| SERVER_ANALYTICS_POSTHOG_ENDPOINT | PostHog endpoint | |
| SERVER_ANALYTICS_POSTHOG_FE_API_HOST | PostHog frontend API host | |
| SERVER_ANALYTICS_POSTHOG_FE_API_KEY | PostHog frontend API key | |
| SERVER_PYLON_ENABLED | Enable Pylon | |
| SERVER_PYLON_APP_ID ⚠️ | Pylon app ID (required if Pylon enabled) | |
| SERVER_PYLON_SECRET | Pylon secret | |

Encryption Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_ENCRYPTION_MASTER_KEYSET | Raw master keyset, base64-encoded JSON string | |
| SERVER_ENCRYPTION_MASTER_KEYSET_FILE | Path to the master keyset file | |
| SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET | Public JWT keyset, base64-encoded JSON string | |
| SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET_FILE | Path to the public JWT keyset file | |
| SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET | Private JWT keyset, base64-encoded JSON string | |
| SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET_FILE | Path to the private JWT keyset file | |
| SERVER_ENCRYPTION_CLOUDKMS_ENABLED | Whether Google Cloud KMS is enabled | false |
| SERVER_ENCRYPTION_CLOUDKMS_KEY_URI | URI of the key in Google Cloud KMS | |
| SERVER_ENCRYPTION_CLOUDKMS_CREDENTIALS_JSON | JSON credentials for Google Cloud KMS | |

Authentication Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_AUTH_RESTRICTED_EMAIL_DOMAINS | Restricted email domains | |
| SERVER_AUTH_BASIC_AUTH_ENABLED | Whether basic auth is enabled | true |
| SERVER_AUTH_SET_EMAIL_VERIFIED | Whether the user’s email is set to verified automatically | false |
| SERVER_AUTH_COOKIE_NAME | Name of the cookie | hatchet |
| SERVER_AUTH_COOKIE_DOMAIN | Domain for the cookie | |
| SERVER_AUTH_COOKIE_SECRETS | Cookie secrets | |
| SERVER_AUTH_COOKIE_INSECURE | Whether the cookie is insecure | false |
| SERVER_AUTH_GOOGLE_ENABLED | Whether Google auth is enabled | false |
| SERVER_AUTH_GOOGLE_CLIENT_ID ⚠️ | Google auth client ID (required if Google auth enabled) | |
| SERVER_AUTH_GOOGLE_CLIENT_SECRET ⚠️ | Google auth client secret (required if Google auth enabled) | |
| SERVER_AUTH_GOOGLE_SCOPES | Google auth scopes | ["openid", "profile", "email"] |
| SERVER_AUTH_GITHUB_ENABLED | Whether GitHub auth is enabled | false |
| SERVER_AUTH_GITHUB_CLIENT_ID ⚠️ | GitHub auth client ID (required if GitHub auth enabled) | |
| SERVER_AUTH_GITHUB_CLIENT_SECRET ⚠️ | GitHub auth client secret (required if GitHub auth enabled) | |
| SERVER_AUTH_GITHUB_SCOPES | GitHub auth scopes | ["read:user", "user:email"] |

Task Queue Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_MSGQUEUE_KIND | Message queue kind | rabbitmq |
| SERVER_MSGQUEUE_RABBITMQ_URL | RabbitMQ URL | amqp://user:password@localhost:5672/ |
| SERVER_MSGQUEUE_RABBITMQ_QOS | RabbitMQ QoS | 100 |
| SERVER_REQUEUE_LIMIT | Requeue limit | 100 |
| SERVER_SINGLE_QUEUE_LIMIT | Single queue limit | 100 |
| SERVER_UPDATE_HASH_FACTOR | Update hash factor | 100 |
| SERVER_UPDATE_CONCURRENT_FACTOR | Update concurrent factor | 10 |

TLS Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_TLS_STRATEGY | TLS strategy | |
| SERVER_TLS_CERT | TLS certificate | |
| SERVER_TLS_CERT_FILE | Path to the TLS certificate file | |
| SERVER_TLS_KEY | TLS key | |
| SERVER_TLS_KEY_FILE | Path to the TLS key file | |
| SERVER_TLS_ROOT_CA | TLS root CA | |
| SERVER_TLS_ROOT_CA_FILE | Path to the TLS root CA file | |
| SERVER_TLS_SERVER_NAME | TLS server name | |
| SERVER_INTERNAL_CLIENT_BASE_STRATEGY | Internal client TLS strategy | |
| SERVER_INTERNAL_CLIENT_BASE_INHERIT_BASE | Inherit base TLS config | true |
| SERVER_INTERNAL_CLIENT_TLS_BASE_CERT | Internal client TLS cert | |
| SERVER_INTERNAL_CLIENT_TLS_BASE_CERT_FILE | Internal client TLS cert file | |
| SERVER_INTERNAL_CLIENT_TLS_BASE_KEY | Internal client TLS key | |
| SERVER_INTERNAL_CLIENT_TLS_BASE_KEY_FILE | Internal client TLS key file | |
| SERVER_INTERNAL_CLIENT_TLS_BASE_ROOT_CA | Internal client TLS root CA | |
| SERVER_INTERNAL_CLIENT_TLS_BASE_ROOT_CA_FILE | Internal client TLS root CA file | |
| SERVER_INTERNAL_CLIENT_TLS_SERVER_NAME | Internal client TLS server name | |
| SERVER_INTERNAL_CLIENT_INTERNAL_GRPC_BROADCAST_ADDRESS | Internal gRPC broadcast address | |

Logging Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_LOGGER_LEVEL | Logger level | |
| SERVER_LOGGER_FORMAT | Logger format | |
| SERVER_LOG_INGESTION_ENABLED | Enable log ingestion | true |
| SERVER_ADDITIONAL_LOGGERS_QUEUE_LEVEL | Queue logger level | |
| SERVER_ADDITIONAL_LOGGERS_QUEUE_FORMAT | Queue logger format | |
| SERVER_ADDITIONAL_LOGGERS_PGXSTATS_LEVEL | PGX stats logger level | |
| SERVER_ADDITIONAL_LOGGERS_PGXSTATS_FORMAT | PGX stats logger format | |

OpenTelemetry Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_OTEL_SERVICE_NAME | Service name for OpenTelemetry | |
| SERVER_OTEL_COLLECTOR_URL | Collector URL for OpenTelemetry | |
| SERVER_OTEL_INSECURE | Whether to use an insecure connection to the collector URL | |
| SERVER_OTEL_TRACE_ID_RATIO | OpenTelemetry trace ID ratio | |
| SERVER_PROMETHEUS_ENABLED | Enable Prometheus | false |
| SERVER_PROMETHEUS_ADDRESS | Prometheus address | :9090 |
| SERVER_PROMETHEUS_PATH | Prometheus metrics path | /metrics |
| SERVER_PROMETHEUS_SERVER_URL | Prometheus server URL | |
| SERVER_PROMETHEUS_SERVER_USERNAME | Prometheus server username | |
| SERVER_PROMETHEUS_SERVER_PASSWORD | Prometheus server password | |

Tenant Alerting Configuration

| Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_TENANT_ALERTING_SLACK_ENABLED | Enable Slack for tenant alerting | |
| SERVER_TENANT_ALERTING_SLACK_CLIENT_ID | Slack client ID | |
| SERVER_TENANT_ALERTING_SLACK_CLIENT_SECRET | Slack client secret | |
| SERVER_TENANT_ALERTING_SLACK_SCOPES | Slack scopes | ["incoming-webhook"] |
| SERVER_EMAIL_POSTMARK_ENABLED | Enable Postmark | |
| SERVER_EMAIL_POSTMARK_SERVER_KEY | Postmark server key | |
| SERVER_EMAIL_POSTMARK_FROM_EMAIL | Postmark from email | |
| SERVER_EMAIL_POSTMARK_FROM_NAME | Postmark from name | Hatchet Support |
| SERVER_EMAIL_POSTMARK_SUPPORT_EMAIL | Postmark support email | |
| SERVER_MONITORING_ENABLED | Enable monitoring | true |
| SERVER_MONITORING_PERMITTED_TENANTS | Permitted tenants for monitoring | |
| SERVER_MONITORING_PROBE_TIMEOUT | Monitoring probe timeout | 30s |
| SERVER_MONITORING_TLS_ROOT_CA_FILE | Monitoring TLS root CA file | |
| SERVER_SAMPLING_ENABLED | Enable sampling | false |
| SERVER_SAMPLING_RATE | Sampling rate | 1.0 |
| SERVER_OPERATIONS_JITTER | Operations jitter in milliseconds | 0 |
| SERVER_OPERATIONS_POLL_INTERVAL | Operations poll interval in seconds | 2 |
| SERVER_WAIT_FOR_FLUSH | Default wait for flush | 1ms |
| SERVER_MAX_CONCURRENT | Default max concurrent | 50 |
| SERVER_FLUSH_PERIOD_MILLISECONDS | Default flush period | 10ms |
| SERVER_FLUSH_ITEMS_THRESHOLD | Default flush threshold | 100 |
| SERVER_FLUSH_STRATEGY | Default flush strategy | DYNAMIC |
| SERVER_WORKFLOWRUNBUFFER_WAIT_FOR_FLUSH | Workflow run buffer wait for flush | |
| SERVER_WORKFLOWRUNBUFFER_MAX_CONCURRENT | Max concurrent workflow run buffer ops | |
| SERVER_WORKFLOWRUNBUFFER_FLUSH_PERIOD_MILLISECONDS | Flush period for workflow run buffer | |
| SERVER_WORKFLOWRUNBUFFER_FLUSH_ITEMS_THRESHOLD | Items threshold for workflow run buffer | |
| SERVER_WORKFLOWRUNBUFFER_FLUSH_STRATEGY | Flush strategy for workflow run buffer | |
| SERVER_EVENTBUFFER_WAIT_FOR_FLUSH | Event buffer wait for flush | |
| SERVER_EVENTBUFFER_MAX_CONCURRENT | Max concurrent event buffer ops | |
| SERVER_EVENTBUFFER_FLUSH_PERIOD_MILLISECONDS | Flush period for event buffer | |
| SERVER_EVENTBUFFER_FLUSH_ITEMS_THRESHOLD | Items threshold for event buffer | |
| SERVER_EVENTBUFFER_SERIAL_BUFFER | Event buffer serial mode | |
| SERVER_EVENTBUFFER_FLUSH_STRATEGY | Flush strategy for event buffer | |
| SERVER_RELEASESEMAPHOREBUFFER_WAIT_FOR_FLUSH | Release semaphore buffer wait for flush | |
| SERVER_RELEASESEMAPHOREBUFFER_MAX_CONCURRENT | Max concurrent release semaphore buffer ops | |
| SERVER_RELEASESEMAPHOREBUFFER_FLUSH_PERIOD_MILLISECONDS | Flush period for release semaphore buffer | |
| SERVER_RELEASESEMAPHOREBUFFER_FLUSH_ITEMS_THRESHOLD | Items threshold for release semaphore buffer | |
| SERVER_RELEASESEMAPHOREBUFFER_FLUSH_STRATEGY | Flush strategy for release semaphore buffer | |
| SERVER_QUEUESTEPRUNBUFFER_WAIT_FOR_FLUSH | Queue step run buffer wait for flush | |
| SERVER_QUEUESTEPRUNBUFFER_MAX_CONCURRENT | Max concurrent queue step run buffer ops | |
| SERVER_QUEUESTEPRUNBUFFER_FLUSH_PERIOD_MILLISECONDS | Flush period for queue step run buffer | |
| SERVER_QUEUESTEPRUNBUFFER_FLUSH_ITEMS_THRESHOLD | Items threshold for queue step run buffer | |
| SERVER_QUEUESTEPRUNBUFFER_FLUSH_STRATEGY | Flush strategy for queue step run buffer | |