Self-Hosting
Configure
Custom Configurations
These variables are present inside your machine’s docker-compose file. Restart the docker containers if you change any variables for them to take effect.
Variable | Description | Required | Default |
---|---|---|---|
WEBAPP_URL | Base URL of the site. | required | http://localhost:3000 |
NEXTAUTH_URL | Location of the auth server. This should normally be the same as WEBAPP_URL | required | http://localhost:3000 |
DATABASE_URL | Database URL with credentials. | required | |
NEXTAUTH_SECRET | Secret for NextAuth, used for session signing and encryption. | required | (Generated by the user, must not exceed 32 bytes, openssl rand -hex 32 ) |
ENCRYPTION_KEY | Secret for used by Formbricks for data encryption | required | (Generated by the user, must not exceed 32 bytes, openssl rand -hex 32 ) |
CRON_SECRET | API Secret for running cron jobs. | required | (Generated by the user, must not exceed 32 bytes, openssl rand -hex 32 ) |
UPLOADS_DIR | Local directory for storing uploads. | optional | ./uploads |
S3_ACCESS_KEY | Access key for S3. | optional | (resolved by the AWS SDK) |
S3_SECRET_KEY | Secret key for S3. | optional | (resolved by the AWS SDK) |
S3_REGION | Region for S3. | optional | (resolved by the AWS SDK) |
S3_BUCKET_NAME | S3 bucket name for data storage. Formbricks enables S3 storage when this is set. | optional (required if S3 is enabled) | |
S3_ENDPOINT_URL | Endpoint for S3. | optional | (resolved by the AWS SDK) |
PRIVACY_URL | URL for privacy policy. | optional | |
TERMS_URL | URL for terms of service. | optional | |
IMPRINT_URL | URL for imprint. | optional | |
EMAIL_AUTH_DISABLED | Disables the ability for users to signup or login via email and password if set to 1. | optional | |
PASSWORD_RESET_DISABLED | Disables password reset functionality if set to 1. | optional | |
EMAIL_VERIFICATION_DISABLED | Disables email verification if set to 1. | optional | |
RATE_LIMITING_DISABLED | Disables rate limiting if set to 1. | optional | |
INVITE_DISABLED | Disables the ability for invited users to create an account if set to 1. | optional | |
MAIL_FROM | Email address to send emails from. | optional (required if email services are to be enabled) | |
SMTP_HOST | Host URL of your SMTP server. | optional (required if email services are to be enabled) | |
SMTP_PORT | Host Port of your SMTP server. | optional (required if email services are to be enabled) | |
SMTP_USER | Username for your SMTP Server. | optional (required if email services are to be enabled) | |
SMTP_PASSWORD | Password for your SMTP Server. | optional (required if email services are to be enabled) | |
SMTP_SECURE_ENABLED | SMTP secure connection. For using TLS, set to 1 else to 0. | optional (required if email services are to be enabled) | |
SMTP_REJECT_UNAUTHORIZED_TLS | If set to 0, the server will accept connections without requiring authorization from the list of supplied CAs. | optional | 1 |
GITHUB_ID | Client ID for GitHub. | optional (required if GitHub auth is enabled) | |
GITHUB_SECRET | Secret for GitHub. | optional (required if GitHub auth is enabled) | |
GOOGLE_CLIENT_ID | Client ID for Google. | optional (required if Google auth is enabled) | |
GOOGLE_CLIENT_SECRET | Secret for Google. | optional (required if Google auth is enabled) | |
STRIPE_SECRET_KEY | Secret key for Stripe integration. | optional | |
STRIPE_WEBHOOK_SECRET | Webhook secret for Stripe integration. | optional | |
TELEMETRY_DISABLED | Disables telemetry if set to 1. | optional | |
DEFAULT_BRAND_COLOR | Default brand color for your app (Can be overwritten from the UI as well). | optional | #64748b |
DEFAULT_ORGANIZATION_ID | Automatically assign new users to a specific organization when joining | optional | |
DEFAULT_ORGANIZATION_ROLE | Role of the user in the default organization. | optional | owner |
OIDC_DISPLAY_NAME | Display name for Custom OpenID Connect Provider | optional | |
OIDC_CLIENT_ID | Client ID for Custom OpenID Connect Provider | optional (required if OIDC auth is enabled) | |
OIDC_CLIENT_SECRET | Secret for Custom OpenID Connect Provider | optional (required if OIDC auth is enabled) | |
OIDC_ISSUER | Issuer URL for Custom OpenID Connect Provider (should have .well-known configured at this) | optional (required if OIDC auth is enabled) | |
OIDC_SIGNING_ALGORITHM | Signing Algorithm for Custom OpenID Connect Provider | optional | RS256 |
OPENTELEMETRY_LISTENER_URL | URL for OpenTelemetry listener inside Formbricks. | optional | |
CUSTOM_CACHE_DISABLED | Disables custom cache handler if set to 1 (required for deployment on Vercel) | optional |
Note: If you want to configure something that is not possible via above, please open an issue on our GitHub repo here or reach out to us on Github Discussions and we’ll try our best to work out a solution with you.
OAuth Configuration
Single Sign-On (SSO) functionality, including OAuth integrations with Google, Microsoft Entra ID, Github and OpenID Connect, requires a valid Formbricks Enterprise License.
Google OAuth
Integrating Google OAuth with your Formbricks instance allows users to log in using their Google credentials, ensuring a secure and streamlined user experience. This guide will walk you through the process of setting up Google OAuth for your Formbricks instance.
Requirements:
- A Google Cloud Platform (GCP) account.
- A Formbricks instance running and accessible.
Steps:
-
Create a GCP Project:
- Navigate to the GCP Console.
- From the projects list, select a project or create a new one.
-
Setting up OAuth 2.0:
- If the APIs & services page isn't already open, open the console left side menu and select APIs & services.
- On the left, click Credentials.
- Click Create Credentials, then select OAuth client ID.
-
Configure OAuth Consent Screen:
- If this is your first time creating a client ID, configure your consent screen by clicking Consent Screen.
- Fill in the necessary details and under Authorized domains, add the domain where your Formbricks instance is hosted.
-
Create OAuth 2.0 Client IDs:
- Select the application type Web application for your project and enter any additional information required.
- Ensure to specify authorized JavaScript origins and authorized redirect URIs.
Configuration URLs
Authorized JavaScript origins: {WEBAPP_URL}
Authorized redirect URIs: {WEBAPP_URL}/api/auth/callback/google
- Update Environment Variables in Docker:
- To integrate the Google OAuth, you have two options: either update the environment variables in the docker-compose file or directly add them to the running container.
- In your Docker setup directory, open the
.env
file, and add or update the following lines with theClient ID
andClient Secret
obtained from Google Cloud Platform: - Alternatively, you can add the environment variables directly to the running container using the following commands (replace
container_id
with your actual Docker container ID):
Set env vars
docker exec -it container_id /bin/bash
export GOOGLE_CLIENT_ID=your-client-id-here
export GOOGLE_CLIENT_SECRET=your-client-secret-here
exit
- Restart Your Formbricks Instance:
- Note: Restarting your Docker containers may cause a brief period of downtime. Plan accordingly.
- Once the environment variables have been updated, it's crucial to restart your Docker containers to apply the changes. This ensures that your Formbricks instance can utilize the new Google OAuth configuration for user authentication. Here's how you can do it:
- Navigate to your Docker setup directory where your
docker-compose.yml
file is located. - Run the following command to bring down your current Docker containers and then bring them back up with the updated environment configuration:
Microsoft Entra ID (Azure Active Directory) SSO OAuth
Do you have a Microsoft Entra ID Tenant? Integrate it with your Formbricks instance to allow users to log in using their existing Microsoft credentials. This guide will walk you through the process of setting up an Application Registration for your Formbricks instance.
Requirements
- A Microsoft Entra ID Tenant populated with users. Create a tenant as per Microsoft's documentation.
- A Formbricks instance running and accessible.
- The callback URI for your Formbricks instance:
{WEBAPP_URL}/api/auth/callback/azure-ad
Creating an App Registration
- Login to the Microsoft Entra admin center.
- Go to Applications > App registrations in the left menu.
- Click the New registration button at the top.
- Name your application something descriptive, such as
Formbricks SSO
.
- If you have multiple tenants/organizations, choose the appropriate Supported account types option. Otherwise, leave the default option for Single Tenant.
- Under Redirect URI, select Web for the platform and paste your Formbricks callback URI (see Requirements above).
-
Click Register to create the App registration. You will be redirected to your new app's Overview page after it is created.
-
On the Overview page, under Essentials:
- Copy the entry for Application (client) ID to populate the
AZUREAD_CLIENT_ID
variable. - Copy the entry for Directory (tenant) ID to populate the
AZUREAD_TENANT_ID
variable.
- From your App registration's Overview page, go to Manage > Certificates & secrets.
- Make sure you have the Client secrets tab active, and click New client secret.
- Enter a Description, set an Expires period, then click Add.
You will need to create a new client secret using these steps whenever your chosen expiry period ends.
- Copy the entry under Value to populate the
AZUREAD_CLIENT_SECRET
variable.
Microsoft will only show this value to you immediately after creation, and you will not be able to access it again. If you lose it, simply start from step 9 to create a new secret.
- Update these environment variables in your
docker-compose.yml
or pass it like your other environment variables to the Formbricks container.
You must wrap the AZUREAD_CLIENT_SECRET
value in double quotes (e.g., "THis~iS4faKe.53CreTvALu3"
) to
prevent issues with special characters.
An example .env
for Microsoft Entra ID in Formbricks would look like:
Formbricks Env for Microsoft Entra ID SSO
AZUREAD_CLIENT_ID=a25cadbd-f049-4690-ada3-56a163a72f4c
AZUREAD_TENANT_ID=2746c29a-a3a6-4ea1-8762-37816d4b7885
AZUREAD_CLIENT_SECRET="THis~iS4faKe.53CreTvALu3"
- Restart your Formbricks instance.
- You're all set! Users can now sign up & log in using their Microsoft credentials associated with your Entra ID Tenant.
OpenID Configuration
Integrating your own OIDC (OpenID Connect) instance with your Formbricks instance allows users to log in using their OIDC credentials, ensuring a secure and streamlined user experience. Please follow the steps below to set up OIDC for your Formbricks instance.
- Configure your OIDC provider & get the following variables:
OIDC_CLIENT_ID
OIDC_CLIENT_SECRET
OIDC_ISSUER
OIDC_SIGNING_ALGORITHM
Make sure the Redirect URI for your OIDC Client is set to {WEBAPP_URL}/api/auth/callback/openid
.
- Update these environment variables in your
docker-compose.yml
or pass it directly to the running container.
An example configuration for a FusionAuth OpenID Connect in Formbricks would look like:
Formbricks Env for FusionAuth OIDC
OIDC_CLIENT_ID=59cada54-56d4-4aa8-a5e7-5823bbe0e5b7
OIDC_CLIENT_SECRET=4f4dwP0ZoOAqMW8fM9290A7uIS3E8Xg29xe1umhlB_s
OIDC_ISSUER=http://localhost:9011
OIDC_DISPLAY_NAME=FusionAuth OIDC_SIGNING_ALGORITHM=HS256
-
Set an environment variable
OIDC_DISPLAY_NAME
to the display name of your OIDC provider. -
Restart your Formbricks instance.
-
You're all set! Users can now signup & log in using their OIDC credentials.