ghostfolio/.env.example

COMPOSE_PROJECT_NAME=ghostfolio

# CACHE
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=<INSERT_REDIS_PASSWORD>

# POSTGRES
POSTGRES_DB=ghostfolio-db
POSTGRES_USER=user
POSTGRES_PASSWORD=<INSERT_POSTGRES_PASSWORD>

# VARIOUS
ACCESS_TOKEN_SALT=<INSERT_RANDOM_STRING>
DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?connect_timeout=300&sslmode=prefer
JWT_SECRET_KEY=<INSERT_RANDOM_STRING>

ROOT_URL=https://<your_domain>

# Enable social login (Google, OIDC, etc.)
# ENABLE_FEATURE_SOCIAL_LOGIN=true

# Enable access token login (anonymous login)
# Set to false to disable login by access token when using OAuth providers
ENABLE_ACCESS_TOKEN_LOGIN=true

# OIDC AUTHENTICATION (Optional)
# Enable/disable OIDC authentication
OIDC_ENABLED=false
# OIDC Issuer URL (with trailing slash, must be HTTPS in production)
# Examples:
#   - Keycloak: https://your-keycloak.com/realms/your-realm/
#   - Auth0: https://your-tenant.auth0.com/
#   - Authentik: https://your-authentik.com/application/o/app-name/
#   - Azure AD: https://login.microsoftonline.com/your-tenant-id/v2.0/
OIDC_ISSUER=https://your-oidc-provider.com/
# OAuth 2.0 Client credentials
OIDC_CLIENT_ID=<YOUR_CLIENT_ID>
OIDC_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
# Callback URL (where OIDC provider redirects after authentication)
OIDC_CALLBACK_URL=${ROOT_URL}/api/auth/oidc/callback
# OpenID Connect scopes (space-separated)
OIDC_SCOPE=openid profile email
# Optional: Override default endpoints (auto-constructed from issuer if not set)
# Only set these if your provider has non-standard endpoint paths
# OIDC_AUTHORIZATION_URL=https://your-oidc-provider.com/authorize
# OIDC_TOKEN_URL=https://your-oidc-provider.com/token
# OIDC_USER_INFO_URL=https://your-oidc-provider.com/userinfo