Configuration

Both Rust binaries (klaxon-server and klaxon-auth) read config from environment variables with sensible local defaults. Many env vars are shared (DB, CORS, logging, OTel); the IdP and Stripe vars are specific to one binary.

Shared — klaxon-server and klaxon-auth

Variable	Default	Description
DATABASE_URL	postgres://klaxon:klaxon@localhost:5432/klaxon	Postgres connection string
DATABASE_MAX_CONNECTIONS	10	Max pool connections
LISTEN_ADDR	0.0.0.0:3000 server / 0.0.0.0:3001 auth	Bind address
CORS_ORIGINS	*	Comma-separated allowed origins
RUST_LOG	info	tracing EnvFilter
OTEL_ENABLED	false	Enable OTel export
OTEL_EXPORTER_OTLP_ENDPOINT	http://localhost:4317	OTLP/gRPC collector endpoint
OTEL_SERVICE_NAME	klaxon-server / klaxon-auth	Service name in traces
DEPLOYMENT_ENVIRONMENT	development	Attached as deployment.environment resource attr
K8S_POD_NAME / K8S_NAMESPACE_NAME	—	Injected via downward API in Helm
APP_URL	http://localhost:5173	Public URL of the web UI; used in emails + invitation links

klaxon-server only

Variable	Default	Description
MAX_BODY_SIZE	5242880	Max request body in bytes (5 MiB)
REDIS_URL	—	Redis connection for rate limiting; Postgres fallback if unset
RATE_LIMIT_PER_MINUTE	60	Requests per minute per agent/user
RESOURCE_URL	APP_URL	Public URL of the resource — used in WWW-Authenticate: Bearer resource_metadata="…"
ISSUER_URL	—	Public URL of the AS — used when validating tokens against the AS
FCM_SERVICE_ACCOUNT_JSON	—	Firebase service-account key (JSON). Needed for mobile + Web Push
STRIPE_SECRET_KEY	—	sk_live_… / sk_test_…; unset disables billing endpoints
STRIPE_WEBHOOK_SECRET	—	whsec_… for /webhooks/stripe HMAC verification
STRIPE_PRICE_TEAM	—	Stripe Price ID for the Team plan
STRIPE_PRICE_ENTERPRISE	—	Stripe Price ID for the Enterprise plan

klaxon-auth only

Variable	Default	Description
ISSUER_URL	required	Public URL of the AS — issuer in OAuth discovery
RESOURCE_URL	required	Public URL of klaxon-server — the aud hint in WWW-Authenticate
OAUTH_SIGNING_KEY	required	32+ random bytes (openssl rand -base64 32). Signs the browser session cookie + OAuth state param
DEV_LOGIN_ENABLED	false	Enable POST /auth/login dev bypass — never set in production
SMTP_HOST / SMTP_PORT / SMTP_USER / SMTP_PASS / SMTP_FROM	port 587, from noreply@klaxon.sh	Magic-link delivery
RESEND_API_KEY	—	Resend API key for invitation emails; falls back to logging if unset
KLAXON_INVITE_FROM_ADDRESS	invites@klaxon.sh	From: address for Resend invites
GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET	—	GitHub OAuth
GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET	—	Google OAuth
APPLE_CLIENT_ID / APPLE_TEAM_ID / APPLE_KEY_ID / APPLE_PRIVATE_KEY	—	Sign in with Apple (ES256)

.env File

The server loads .env automatically via dotenvy:

# .env
DATABASE_URL=postgres://klaxon:klaxon@localhost:5432/klaxon
RUST_LOG=info,klaxon_server=debug
CORS_ORIGINS=http://localhost:5173,http://localhost:1420

Runtime Settings

Some settings are stored in the database settings table (per-org, JSONB values) and can be changed at runtime without restarting the server:

Key	Type	Default	Description
auto_archive_after_days	int	0	Auto-archive old items (0 = disabled)
audit_retention_days	int	0	Purge audit entries older than N days
archived_item_retention_days	int	0	Hard-delete archived items older than N days
stale_warning_days	int	0	Flag items older than N days as stale

These are checked by the background worker on each sweep cycle.

CORS

In production, set CORS_ORIGINS to your actual frontend origins:

CORS_ORIGINS=https://app.klaxon.sh,https://klaxon.sh

Using * (the default) allows all origins — fine for development, not recommended for production.

Logging

The server outputs structured JSON logs:

{ "timestamp": "2026-04-10T03:00:00Z", "level": "INFO", "message": "listening on 0.0.0.0:3000" }

Use RUST_LOG for granular control:

RUST_LOG=warn,klaxon_server=debug,sqlx=info