
Environment Variables

Complete reference for all HelloJohn environment variables and configuration options.

HelloJohn is configured entirely through environment variables. There are no configuration files.

Required variables

These must be set or HelloJohn will refuse to start.

Variable | Example | Description
DATABASE_URL | postgres://user:pass@host:5432/db | PostgreSQL connection string
JWT_SECRET | <32+ random bytes> | Secret used to sign JWTs. Generate with openssl rand -hex 32
APP_URL | https://auth.yourdomain.com | Public base URL of the HelloJohn instance

Database

Variable | Default | Description
DATABASE_URL | | Full PostgreSQL DSN
DATABASE_MAX_CONNECTIONS | 20 | Max open connections in the pool
DATABASE_IDLE_CONNECTIONS | 5 | Max idle connections
DATABASE_CONNECT_TIMEOUT | 10s | Connection timeout
DATABASE_SSL_MODE | prefer | disable, require, verify-ca, verify-full

Authentication & JWT

Variable | Default | Description
JWT_SECRET | | Required. HMAC secret or path to Ed25519 private key
JWT_ALGORITHM | EdDSA | EdDSA (default) or HS256
JWT_PRIVATE_KEY_PATH | | Path to PEM-encoded Ed25519 private key (preferred over secret)
JWT_PUBLIC_KEY_PATH | | Path to PEM-encoded Ed25519 public key
ACCESS_TOKEN_TTL | 15m | Access token lifetime
REFRESH_TOKEN_TTL | 720h | Refresh token lifetime (30 days)
REFRESH_TOKEN_ROTATION | true | Rotate refresh tokens on each use

Application

Variable | Default | Description
APP_URL | | Required. Public base URL (no trailing slash)
PORT | 3000 | Port to listen on
HOST | 0.0.0.0 | Interface to bind to
LOG_LEVEL | info | debug, info, warn, error
LOG_FORMAT | json | json or text
ENV | production | development or production

Email (SMTP)

Required for magic links, email verification, and password resets.

Variable | Default | Description
SMTP_HOST | | SMTP server hostname
SMTP_PORT | 587 | SMTP port
SMTP_USER | | SMTP username
SMTP_PASS | | SMTP password
SMTP_FROM | | Sender address, e.g. HelloJohn <noreply@yourdomain.com>
SMTP_TLS | starttls | starttls, tls, or none
SMTP_TIMEOUT | 10s | Connection timeout
EMAIL_MAGIC_LINK_TTL | 15m | Magic link expiry
EMAIL_VERIFICATION_TTL | 24h | Email verification link expiry

OAuth providers

Replace PROVIDER with GOOGLE, GITHUB, GITLAB, MICROSOFT, or DISCORD.

Variable | Example | Description
OAUTH_PROVIDER_CLIENT_ID | | OAuth app client ID
OAUTH_PROVIDER_CLIENT_SECRET | | OAuth app client secret
OAUTH_PROVIDER_ENABLED | true | Enable this provider

Examples:

OAUTH_GOOGLE_CLIENT_ID=1234567890.apps.googleusercontent.com
OAUTH_GOOGLE_CLIENT_SECRET=GOCSPX-...
OAUTH_GOOGLE_ENABLED=true

OAUTH_GITHUB_CLIENT_ID=Iv1.abc123
OAUTH_GITHUB_CLIENT_SECRET=abc123...
OAUTH_GITHUB_ENABLED=true

Redis

Variable | Default | Description
REDIS_URL | | Redis connection URL, e.g. redis://localhost:6379
REDIS_TLS | false | Enable TLS for Redis connection
REDIS_PASSWORD | | Redis AUTH password
REDIS_DB | 0 | Redis database index

When REDIS_URL is not set, HelloJohn falls back to in-memory rate limiting and session storage (not suitable for multi-instance deployments).

Rate limiting

Variable | Default | Description
RATE_LIMIT_ENABLED | true | Enable global rate limiting
RATE_LIMIT_LOGIN_MAX | 10 | Max login attempts per IP per window
RATE_LIMIT_LOGIN_WINDOW | 1m | Window duration for login attempts
RATE_LIMIT_SIGNUP_MAX | 5 | Max signup attempts per IP per window
RATE_LIMIT_SIGNUP_WINDOW | 1h | Window duration for signup attempts
RATE_LIMIT_MAGIC_LINK_MAX | 5 | Max magic link requests per email per window
RATE_LIMIT_MAGIC_LINK_WINDOW | 10m | Window duration for magic link requests

MFA

Variable | Default | Description
MFA_TOTP_ISSUER | HelloJohn | TOTP issuer name shown in authenticator apps
MFA_TOTP_PERIOD | 30 | TOTP period in seconds
MFA_TOTP_DIGITS | 6 | TOTP digit count (6 or 8)
MFA_TOTP_DRIFT | 1 | Allowed clock drift in periods (1 = ±30s)
MFA_WEBAUTHN_RP_ID | | WebAuthn Relying Party ID (e.g. yourdomain.com)
MFA_WEBAUTHN_RP_NAME | | Human-readable RP name shown in browser prompts
MFA_WEBAUTHN_ORIGIN | | Allowed origin, e.g. https://yourdomain.com
MFA_BACKUP_CODE_COUNT | 10 | Number of backup codes generated per user
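To show what MFA_TOTP_PERIOD, MFA_TOTP_DIGITS and MFA_TOTP_DRIFT control, here is an added, self-contained RFC 6238 verifier (example code, not HelloJohn's own implementation); it assumes HMAC-SHA1, which the page does not state but is what authenticator apps use by default. The drift parameter is the ± number of periods, exactly as the table defines it.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Defaults mirror the MFA_TOTP_* table defaults above.
PERIOD = 30   # MFA_TOTP_PERIOD, seconds
DIGITS = 6    # MFA_TOTP_DIGITS
DRIFT = 1     # MFA_TOTP_DRIFT, in periods (1 = accept ±30s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / period)."""
    return hotp(secret, at // period, digits)


def verify(secret: bytes, code: str, at: int, period: int = PERIOD,
           digits: int = DIGITS, drift: int = DRIFT) -> Optional[int]:
    """Accept a code generated for any step within ±drift periods of `at`.

    Returns the matching counter so the caller can store it and refuse a second
    use of the same counter (replay); None means no step in the window matched.
    The comparison is constant-time.
    """
    base = at // period
    for delta in range(-drift, drift + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None
```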

Storage (avatars & assets)

Variable | Default | Description
STORAGE_DRIVER | local | local, s3, or r2
STORAGE_LOCAL_PATH | ./storage | Local storage directory
STORAGE_S3_BUCKET | | S3 bucket name
STORAGE_S3_REGION | | AWS region
STORAGE_S3_ACCESS_KEY | | AWS access key ID
STORAGE_S3_SECRET_KEY | | AWS secret access key
STORAGE_S3_ENDPOINT | | Custom endpoint (for R2, MinIO, etc.)
STORAGE_PUBLIC_URL | | Base URL for public assets

Webhooks

Variable | Default | Description
WEBHOOK_TIMEOUT | 10s | Timeout for webhook delivery
WEBHOOK_MAX_RETRIES | 5 | Number of retry attempts
WEBHOOK_SIGNING_SECRET | | Default HMAC signing secret (per-endpoint secrets override this)

Admin

Variable | Default | Description
ADMIN_EMAIL | | Email of the first admin (seeded on first start)
ADMIN_PASSWORD | | Password for the first admin (seeded on first start)
DASHBOARD_ENABLED | true | Enable the built-in admin dashboard
DASHBOARD_PATH | /_hj/admin | Admin dashboard path

Security

Variable | Default | Description
CORS_ALLOWED_ORIGINS | * | Comma-separated list of allowed CORS origins
CORS_ALLOWED_METHODS | GET,POST,PUT,DELETE,OPTIONS | Allowed HTTP methods
SESSION_COOKIE_SECURE | true | Set Secure flag on session cookies
SESSION_COOKIE_SAME_SITE | Lax | Strict, Lax, or None
TRUST_PROXY | true | Trust X-Forwarded-For headers from reverse proxy
TRUST_PROXY_HOPS | 1 | Number of trusted proxy hops
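TRUST_PROXY and TRUST_PROXY_HOPS decide which address the per-IP rate limits above are keyed on. The page does not spell out HelloJohn's algorithm, so the added example below (not the project's code) uses the usual hop-count convention: each trusted proxy appends the peer address it saw to X-Forwarded-For, so with N trusted hops the client is the Nth entry from the right, and anything further left was written by the client and must be ignored.

```python
from ipaddress import ip_address
from typing import Optional


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trust_proxy: bool = True, hops: int = 1) -> str:
    """Return the address a per-IP rate limiter should key on.

    remote_addr   the TCP peer (with TRUST_PROXY=false this is always used)
    forwarded_for the raw X-Forwarded-For header value, or None
    hops          TRUST_PROXY_HOPS: how many proxies in front of us are trusted

    If the header is missing, has fewer entries than trusted hops, or the chosen
    entry is not a valid IP literal, fall back to the socket peer rather than to
    something the client could have typed into the header.
    """
    if not trust_proxy or hops < 1 or not forwarded_for:
        return remote_addr
    entries = [e.strip() for e in forwarded_for.split(",") if e.strip()]
    if len(entries) < hops:
        return remote_addr
    candidate = entries[-hops]          # Nth from the right = first trusted hop's view
    try:
        return str(ip_address(candidate))
    except ValueError:
        return remote_addr


def rate_limit_key(remote_addr: str, forwarded_for: Optional[str],
                   trust_proxy: bool, hops: int, scope: str = "login") -> str:
    """Key as a limiter like RATE_LIMIT_LOGIN_* would use it: scope plus client IP."""
    return f"{scope}:{client_ip(remote_addr, forwarded_for, trust_proxy, hops)}"
```

With TRUST_PROXY=true the app must actually sit behind the proxy that sets the header; if it is reachable directly, the header is attacker-controlled and the fallback to the socket peer is the only honest value.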

Generating secrets

# JWT secret (HMAC)
openssl rand -hex 32

# Ed25519 key pair (recommended)
openssl genpkey -algorithm ed25519 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem

# Webhook signing secret
openssl rand -hex 32

Store secrets in a secret manager (AWS Secrets Manager, HashiCorp Vault, Doppler) — never commit them to version control.
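Because there is no configuration file, mistakes only surface at start-up. The added linter below (example code, not part of HelloJohn) checks an env mapping against the rules on this page: the three required variables, allowed values for a subset of the enumerated options, the 15m/720h duration syntax, and the combinations a production deployment should not ship with. The 64-character check for HS256 assumes the hex form that openssl rand -hex 32 produces.

```python
import re
from urllib.parse import urlparse

# Duration syntax used throughout the tables on this page: 15m, 720h, 10s.
DURATION_RE = re.compile(r"^(\d+)([smh])$")
# Allowed values, copied from the tables above (a subset, for brevity).
ENUMS = {
    "DATABASE_SSL_MODE": {"disable", "prefer", "require", "verify-ca", "verify-full"},
    "JWT_ALGORITHM": {"EdDSA", "HS256"},
    "SESSION_COOKIE_SAME_SITE": {"Strict", "Lax", "None"},
    "SMTP_TLS": {"starttls", "tls", "none"},
}
DURATIONS = ("ACCESS_TOKEN_TTL", "REFRESH_TOKEN_TTL", "EMAIL_MAGIC_LINK_TTL", "WEBHOOK_TIMEOUT")

def to_seconds(value):
    """Parse '15m' -> 900, '720h' -> 2592000; None for anything else."""
    m = DURATION_RE.match(value or "")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)] if m else None

def lint(env):
    """Return the list of problems found in an env mapping (empty list = OK)."""
    problems = [f"{n} is required" for n in ("DATABASE_URL", "JWT_SECRET", "APP_URL") if not env.get(n)]
    for name, allowed in ENUMS.items():
        if name in env and env[name] not in allowed:
            problems.append(f"{name}={env[name]!r} must be one of {sorted(allowed)}")
    for name in DURATIONS:
        if name in env and to_seconds(env[name]) is None:
            problems.append(f"{name}={env[name]!r} is not a duration such as 15m")
    app_url = env.get("APP_URL", "")
    prod = env.get("ENV", "production") == "production"       # table defaults
    secure = env.get("SESSION_COOKIE_SECURE", "true") == "true"
    access = to_seconds(env.get("ACCESS_TOKEN_TTL", "15m")) or 0
    refresh = to_seconds(env.get("REFRESH_TOKEN_TTL", "720h")) or 0
    checks = [  # (condition that is a problem, message)
        (app_url.endswith("/"), "APP_URL must not end with a trailing slash"),
        (prod and urlparse(app_url).scheme != "https", "APP_URL should be https in production"),
        (prod and not secure, "SESSION_COOKIE_SECURE=false in production sends cookies over http"),
        (env.get("SESSION_COOKIE_SAME_SITE") == "None" and not secure,
         "browsers reject SameSite=None cookies that are not also Secure"),
        (env.get("JWT_ALGORITHM") == "HS256" and len(env.get("JWT_SECRET", "")) < 64,
         "HS256 needs 32+ random bytes (64 hex chars from openssl rand -hex 32)"),
        (prod and env.get("CORS_ALLOWED_ORIGINS", "*") == "*",
         "CORS_ALLOWED_ORIGINS=* cannot serve credentialed requests; list the real origins"),
        (prod and not env.get("REDIS_URL"),
         "no REDIS_URL: in-memory rate limiting and sessions are single-instance only"),
        (access > refresh, "ACCESS_TOKEN_TTL is longer than REFRESH_TOKEN_TTL"),
    ]
    return problems + [msg for bad, msg in checks if bad]
```

Run it against os.environ before starting the container, or wire it into a deploy pipeline so a bad combination fails the rollout instead of the login page.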