Configuration is supplied via environment variables in a .env file. Sensitive values must never be committed to version control.

License

| Variable | Required | Description |
|---|---|---|
| INTRACE_LICENSE_KEY | Yes | License key issued by Intrace. Validated at startup and periodically. |
| INTRACE_DEPLOYMENT_ID | Yes | Unique identifier for this deployment, issued alongside the license key. |
| INTRACE_LICENSE_CHECK_INTERVAL | No | How often (in seconds) to re-validate the license with Intrace servers. Default: 3600. |

Database

The engine uses PostgreSQL to store lookup results and the audit log.

| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | PostgreSQL connection string. Format: postgresql://user:password@host:5432/dbname |
| DATABASE_POOL_SIZE | No | Connection pool size. Default: 10. |
| DATABASE_MAX_OVERFLOW | No | Additional connections above pool size allowed under load. Default: 5. |

Authentication

| Variable | Required | Description |
|---|---|---|
| AUTH_MODE | Yes | oidc, saml, api_key, or both. Use both to support SSO and API key simultaneously. |
| OIDC_ISSUER_URL | If AUTH_MODE includes oidc | OIDC discovery URL of your identity provider. |
| OIDC_AUDIENCE | If AUTH_MODE includes oidc | Expected aud claim in issued JWTs. |
| SAML_METADATA_URL | If AUTH_MODE includes saml | URL to your IdP's SAML metadata XML. |
| SAML_ENTITY_ID | If AUTH_MODE includes saml | Entity ID registered with your IdP. |
| SAML_ACS_URL | If AUTH_MODE includes saml | Assertion Consumer Service URL for this deployment. |
| API_KEY_HASH_SECRET | If AUTH_MODE includes api_key | Secret used to hash API keys at rest. Generate with a cryptographically secure random generator. |

See Identity Provider Setup for detailed SAML/OIDC configuration instructions.

Connectors

| Variable | Required | Description |
|---|---|---|
| CONNECTOR_TIMEOUT_SECONDS | No | Per-connector request timeout. Default: 10. |
| CONNECTOR_ENABLED | No | Comma-separated list of connector IDs to enable. Defaults to all licensed connectors. |

For connectors using BYOK (bring your own key), connector-specific credential variables are documented in Connector Reference.

Report signing

| Variable | Required | Description |
|---|---|---|
| SIGNING_PRIVATE_KEY_PATH | Yes | Path to the PEM-encoded RSA private key used to sign reports. |
| SIGNING_KEY_ID | Yes | Identifier for the signing key, included in report signatures to support key rotation. |

The private key must be RSA-4096 minimum. Generate one with:

openssl genrsa -out signing.key 4096

Store the key as a Docker secret. Do not place it in the .env file in production.

Data retention

| Variable | Required | Description |
|---|---|---|
| RESULT_RETENTION_DAYS | No | How long to retain lookup results. Default: 365. Set to 0 to disable retention (results are not retrievable after the initial response). |
| AUDIT_RETENTION_DAYS | No | How long to retain audit records. Default: 2555 (7 years). Audit records cannot be set to 0; they must be retained for the configured period. |

Rate limiting

| Variable | Required | Description |
|---|---|---|
| RATE_LIMIT_REQUESTS_PER_MINUTE | No | Per-API-key or per-user request limit. Default: 60. |
| RATE_LIMIT_BURST | No | Maximum burst above the per-minute rate. Default: 10. |

Observability

| Variable | Required | Description |
|---|---|---|
| LOG_LEVEL | No | debug, info, warning, error. Default: info. |
| LOG_FORMAT | No | json or text. Default: json. Use text for local development. |
| METRICS_ENABLED | No | Expose Prometheus metrics at /metrics. Default: true. |
| METRICS_PORT | No | Port for the metrics endpoint. Default: 9090. |
| OTEL_EXPORTER_OTLP_ENDPOINT | No | OpenTelemetry collector endpoint for distributed tracing. |
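
A pre-flight check for the required and conditionally required variables documented above, as an added example that is not part of the Intrace product or its documentation. The function names parse_env and validate are hypothetical, the sample values are constructed placeholders, and the handling of AUTH_MODE=both (API key secret plus one complete OIDC or SAML block) is an assumption, since the page does not say which SSO protocol "both" implies.

```python
REQUIRED = ["INTRACE_LICENSE_KEY", "INTRACE_DEPLOYMENT_ID", "DATABASE_URL",
            "AUTH_MODE", "SIGNING_PRIVATE_KEY_PATH", "SIGNING_KEY_ID"]
AUTH_VARS = {"oidc": ["OIDC_ISSUER_URL", "OIDC_AUDIENCE"],
             "saml": ["SAML_METADATA_URL", "SAML_ENTITY_ID", "SAML_ACS_URL"],
             "api_key": ["API_KEY_HASH_SECRET"]}

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and # comments, strip quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def validate(env):
    """Return a list of problems; an empty list means every check passed."""
    def missing(names):
        return [n for n in names if not env.get(n)]
    problems = [f"{n} is required" for n in missing(REQUIRED)]
    mode = env.get("AUTH_MODE", "")
    if mode in AUTH_VARS:
        problems += [f"{n} is required when AUTH_MODE={mode}"
                     for n in missing(AUTH_VARS[mode])]
    elif mode == "both":
        problems += [f"{n} is required when AUTH_MODE=both"
                     for n in missing(AUTH_VARS["api_key"])]
        # Assumption: "both" needs one complete SSO block, OIDC or SAML.
        if missing(AUTH_VARS["oidc"]) and missing(AUTH_VARS["saml"]):
            problems.append("AUTH_MODE=both needs a complete OIDC or SAML block")
    elif mode:
        problems.append(f"AUTH_MODE={mode!r} is not oidc, saml, api_key or both")
    if env.get("AUDIT_RETENTION_DAYS") == "0":
        problems.append("AUDIT_RETENTION_DAYS cannot be 0")
    return problems

# Constructed sample, placeholder values; SIGNING_KEY_ID is omitted on purpose.
SAMPLE = """
INTRACE_LICENSE_KEY=placeholder-license
INTRACE_DEPLOYMENT_ID=placeholder-deployment
DATABASE_URL=postgresql://user:password@host:5432/dbname
AUTH_MODE=both
OIDC_ISSUER_URL=https://idp.example.test
SIGNING_PRIVATE_KEY_PATH=/run/secrets/signing.key
AUDIT_RETENTION_DAYS=0
"""
if __name__ == "__main__":
    print("\n".join(validate(parse_env(SAMPLE))))
```

Running it against the constructed sample reports the missing SIGNING_KEY_ID, the missing API_KEY_HASH_SECRET, the incomplete OIDC block, and the zero audit retention.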