Custom Configurations

These variables are present inside your machine’s docker-compose file. Restart the docker containers if you change any variables for them to take effect.
Upgrading from Formbricks 4.x to 5.0? Read the migration guide first. Formbricks v5 makes Hub part of the standard self-hosted runtime and changes how rate limiting is enforced.
For AI_PROVIDER=google, use a Gemini model ID such as gemini-3.5-flash together with Google Cloud credentials. gemini-3.5-flash must use AI_GOOGLE_CLOUD_LOCATION=global, us, or eu; keep regional locations such as europe-west3 or me-central2 only for models Google lists as supported there, such as gemini-2.5-flash. Formbricks uses Google Cloud naming here, even though the underlying SDK still talks to Vertex AI endpoints for Gemini model access. For AI_PROVIDER=openai-compatible, the LLM GA v1 self-hosted path is Qwen served by vLLM through an OpenAI-compatible /v1 endpoint. Set only the variables for the provider you use; unused provider variables can be omitted.

| Variable | Description | Required | Default |
| --- | --- | --- | --- |
| WEBAPP_URL | Base URL of the site. | required | http://localhost:3000 |
| PUBLIC_URL | Base URL for the public domain where surveys and public-facing content are served. If not set, uses WEBAPP_URL. | optional | WEBAPP_URL |
| NEXTAUTH_URL | Location of the auth server. This should normally be the same as WEBAPP_URL. | required | http://localhost:3000 |
| DATABASE_URL | Database URL with credentials. | required | |
| NEXTAUTH_SECRET | Secret for NextAuth, used for session signing and encryption. | required | (Generated by the user, must not exceed 32 bytes, openssl rand -hex 32) |
| ENCRYPTION_KEY | Secret used by Formbricks for data encryption and audit log hashing. | required | (Generated by the user, must not exceed 32 bytes, openssl rand -hex 32) |
| CRON_SECRET | API Secret for running cron jobs. | required | (Generated by the user, must not exceed 32 bytes, openssl rand -hex 32) |
| LOG_LEVEL | Minimum log level (debug, info, warn, error, fatal) | optional | info |
| S3_ACCESS_KEY | Access key for S3. | optional | (resolved by the AWS SDK) |
| S3_SECRET_KEY | Secret key for S3. | optional | (resolved by the AWS SDK) |
| S3_REGION | Region for S3. | optional | (resolved by the AWS SDK) |
| S3_BUCKET_NAME | S3 bucket name for data storage. Formbricks enables S3 storage when this is set. | optional (required if S3 is enabled) | |
| S3_ENDPOINT_URL | Endpoint for S3. | optional | (resolved by the AWS SDK) |
| S3_FORCE_PATH_STYLE | Set to 1 to force path-style S3 URLs. Required for S3-compatible storage (MinIO, RustFS, LocalStack). Leave unset or 0 for standard AWS S3. | optional | 0 |
| SAML_DATABASE_URL | Database URL for SAML. | optional | postgres://postgres:@localhost:5432/formbricks-saml |
| PRIVACY_URL | URL for privacy policy. | optional | |
| TERMS_URL | URL for terms of service. | optional | |
| IMPRINT_URL | URL for imprint. | optional | |
| IMPRINT_ADDRESS | Address for imprint. | optional | |
| EMAIL_AUTH_DISABLED | Disables the ability for users to signup or login via email and password if set to 1. | optional | |
| PASSWORD_RESET_DISABLED | Disables password reset functionality if set to 1. | optional | |
| PASSWORD_RESET_TOKEN_LIFETIME_MINUTES | Configures how long password reset links remain valid in minutes. Accepted values are integers from 5 to 120. | optional | 30 |
| EMAIL_VERIFICATION_DISABLED | Disables email verification if set to 1. | optional | |
| DISABLE_ACCOUNT_DELETION_SSO_CONFIRMATION | Skips the SSO identity confirmation redirect for passwordless SSO account deletion if set to 1. Users can delete SSO accounts with only the in-app email text confirmation. Keep unset unless you accept this security trade-off. | optional | |
| RATE_LIMITING_DISABLED | Disables only the application-level rate limiter if set to 1. It does not disable Envoy or an equivalent edge rate limiter. | optional | |
| TELEMETRY_DISABLED | Disables telemetry reporting if set to 1. Ignored when an Enterprise License is active. | optional | |
| DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS | Allows webhook URLs to point to internal/private network addresses (e.g. localhost, 192.168.x.x) if set to 1. Useful for self-hosted instances that need to send webhooks to internal services. | optional | |
| INVITE_DISABLED | Disables the ability for invited users to create an account if set to 1. | optional | |
| MAIL_FROM | Email address to send emails from. | optional (required if email services are to be enabled) | |
| MAIL_FROM_NAME | Email name/title to send emails from. | optional (required if email services are to be enabled) | |
| SMTP_HOST | Host URL of your SMTP server. | optional (required if email services are to be enabled) | |
| SMTP_PORT | Host Port of your SMTP server. | optional (required if email services are to be enabled) | |
| SMTP_USER | Username for your SMTP Server. | optional (required if email services are to be enabled) | |
| SMTP_PASSWORD | Password for your SMTP Server. | optional (required if email services are to be enabled) | |
| SMTP_AUTHENTICATED | If set to 0, the server will not require SMTP_USER and SMTP_PASSWORD (default is 1) | optional | |
| SMTP_SECURE_ENABLED | SMTP secure connection. For using TLS, set to 1 else to 0. | optional (required if email services are to be enabled) | |
| SMTP_REJECT_UNAUTHORIZED_TLS | If set to 0, the server will accept connections without requiring authorization from the list of supplied CAs. | optional | 1 |
| TURNSTILE_SITE_KEY | Site key for Turnstile. | optional | |
| TURNSTILE_SECRET_KEY | Secret key for Turnstile. | optional | |
| RECAPTCHA_SITE_KEY | Site key for survey responses recaptcha bot protection | optional | |
| RECAPTCHA_SECRET_KEY | Secret key for recaptcha bot protection. | optional | |
| GITHUB_ID | Client ID for GitHub. | optional (required if GitHub auth is enabled) | |
| GITHUB_SECRET | Secret for GitHub. | optional (required if GitHub auth is enabled) | |
| GOOGLE_CLIENT_ID | Client ID for Google. | optional (required if Google auth is enabled) | |
| GOOGLE_CLIENT_SECRET | Secret for Google. | optional (required if Google auth is enabled) | |
| AI_PROVIDER | Instance-level AI provider used in the background. Supported values: aws, google, azure, openai-compatible. | optional (required if AI is enabled) | |
| AI_MODEL | Instance-level AI model or deployment name used by the active provider. | optional (required if AI_PROVIDER is set) | |
| AI_GOOGLE_CLOUD_PROJECT | Google Cloud project ID for the google AI provider. | optional (required if AI_PROVIDER=google) | |
| AI_GOOGLE_CLOUD_LOCATION | Google Cloud location for google AI requests. For gemini-3.5-flash, use global, us, or eu. | optional (required if AI_PROVIDER=google) | |
| AI_GOOGLE_CLOUD_CREDENTIALS_JSON | Optional service account credentials JSON override for the google AI provider. Omit when Application Default Credentials are available. | optional | |
| AI_GOOGLE_CLOUD_APPLICATION_CREDENTIALS | Optional path to Google Application Default Credentials used by the google AI provider. | optional | |
| AI_AWS_REGION | AWS region for Amazon Bedrock. | optional (required if AI_PROVIDER=aws) | |
| AI_AWS_ACCESS_KEY_ID | AWS access key ID for Amazon Bedrock. | optional (required if AI_PROVIDER=aws) | |
| AI_AWS_SECRET_ACCESS_KEY | AWS secret access key for Amazon Bedrock. | optional (required if AI_PROVIDER=aws) | |
| AI_AWS_SESSION_TOKEN | AWS session token for Amazon Bedrock temporary credentials. | optional | |
| AI_AZURE_BASE_URL | Azure OpenAI / Foundry base URL. When set, this is preferred over AI_AZURE_RESOURCE_NAME. | optional (one of this or AI_AZURE_RESOURCE_NAME required if AI_PROVIDER=azure) | |
| AI_AZURE_RESOURCE_NAME | Azure resource name used to assemble the Azure OpenAI URL. | optional (one of this or AI_AZURE_BASE_URL required if AI_PROVIDER=azure) | |
| AI_AZURE_API_KEY | API key for Azure OpenAI / Foundry. | optional (required if AI_PROVIDER=azure) | |
| AI_AZURE_API_VERSION | Azure API version for OpenAI-compatible calls. | optional | v1 |
| AI_OPENAI_COMPATIBLE_BASE_URL | Base URL for a Qwen/vLLM OpenAI-compatible /v1 endpoint, e.g. http://vllm:8000/v1. | optional (required if AI_PROVIDER=openai-compatible) | |
| AI_OPENAI_COMPATIBLE_API_KEY | Optional API key for the OpenAI-compatible endpoint. | optional | |
| AI_OPENAI_COMPATIBLE_PROVIDER_NAME | Provider name passed to the OpenAI-compatible adapter. Use vllm for the supported Qwen/vLLM self-hosted path. | optional | openai-compatible |
| AI_OPENAI_COMPATIBLE_SUPPORTS_STRUCTURED_OUTPUTS | Set to 1 when the Qwen/vLLM endpoint supports structured outputs. | optional | 0 |
| AI_OPENAI_COMPATIBLE_HEADERS_JSON | Optional JSON object of string-valued headers to send with OpenAI-compatible requests. | optional | |
| AI_OPENAI_COMPATIBLE_QUERY_PARAMS_JSON | Optional JSON object of string-valued query parameters to send with OpenAI-compatible requests. | optional | |
| STRIPE_SECRET_KEY | Secret key for Stripe integration. | optional | |
| STRIPE_WEBHOOK_SECRET | Webhook secret for Stripe integration. | optional | |
| DEFAULT_BRAND_COLOR | Default brand color for your app (Can be overwritten from the UI as well). | optional | #64748b |
| DEFAULT_ORGANIZATION_ID | Automatically assign new users to a specific organization when joining | optional | |
| OIDC_DISPLAY_NAME | Display name for Custom OpenID Connect Provider | optional | |
| OIDC_CLIENT_ID | Client ID for Custom OpenID Connect Provider | optional (required if OIDC auth is enabled) | |
| OIDC_CLIENT_SECRET | Secret for Custom OpenID Connect Provider | optional (required if OIDC auth is enabled) | |
| OIDC_ISSUER | Issuer URL for Custom OpenID Connect Provider (should have .well-known configured at this) | optional (required if OIDC auth is enabled) | |
| OIDC_SIGNING_ALGORITHM | Signing Algorithm for Custom OpenID Connect Provider | optional | RS256 |
| OTEL_EXPORTER_OTLP_ENDPOINT | Base OTLP HTTP endpoint for traces and metrics export (e.g. http://collector:4318). | optional | |
| OTEL_EXPORTER_OTLP_PROTOCOL | OTLP protocol to use for export. | optional | http/protobuf |
| OTEL_SERVICE_NAME | Service name reported in OpenTelemetry resource attributes. | optional | formbricks |
| OTEL_RESOURCE_ATTRIBUTES | Comma-separated resource attributes in OTel format (key=value,key2=value2). | optional | |
| OTEL_TRACES_SAMPLER | Trace sampler strategy (always_on, always_off, traceidratio, parentbased_traceidratio). | optional | always_on |
| OTEL_TRACES_SAMPLER_ARG | Sampling argument used by ratio-based samplers (0 to 1). | optional | |
| PROMETHEUS_ENABLED | Enables Prometheus metrics if set to 1. | optional | |
| PROMETHEUS_EXPORTER_PORT | Port for Prometheus metrics. | optional | 9090 |
| AUTH_SSO_DEFAULT_TEAM_ID | ID of the team that new SSO users are automatically added to. The owning organization is derived from this team. Must be set together with AUTH_SKIP_INVITE_FOR_SSO=1 for auto-provisioning to work. | optional | |
| AUTH_SKIP_INVITE_FOR_SSO | Set to 1 to allow SSO users to create an account without a manual invite. Keep unset (or 0) for stricter access control where only invited users can join. | optional | 0 |
| HTTP_PROXY | HTTP proxy URL used for outbound requests (e.g., license checks). When both are set, HTTPS_PROXY takes precedence. | optional | |
| HTTPS_PROXY | HTTPS proxy URL used for outbound requests. Takes precedence over HTTP_PROXY. | optional | |
| SENTRY_DSN | Set this to track errors and monitor performance in Sentry. | optional | |
| SENTRY_ENVIRONMENT | Set this to identify the environment in Sentry | optional | |
| SENTRY_AUTH_TOKEN | Set this if you want to make errors more readable in Sentry. | optional | |
| SESSION_MAX_AGE | Configure the maximum age for the session in seconds. | optional | 86400 (24 hours) |
| USER_MANAGEMENT_MINIMUM_ROLE | Set this to control which roles can access user management features. Accepted values: “owner”, “manager”, “disabled” | optional | manager |
| REDIS_URL | Redis URL for caching, rate limiting, and audit logging. Application will not start without this. | required | redis://localhost:6379 |
| AUDIT_LOG_ENABLED | Set this to 1 to enable audit logging. Requires Redis to be configured with the REDIS_URL env variable. | optional | 0 |
| AUDIT_LOG_GET_USER_IP | Set to 1 to include user IP addresses in audit logs from request headers | optional | 0 |
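
An added example, not part of the Formbricks documentation or code base: a shell audit that flags variables listed above when they relax a protection, required secrets that are missing or not in the shape `openssl rand -hex 32` produces, and a password reset lifetime outside 5 to 120. It assumes the settings are available as KEY=value lines in a file; `get_var`, `audit_env` and the finding labels are names chosen for this example, and the 64-hex-character check is a heuristic of the example, not a validation rule stated by Formbricks.

```shell
# Added example (not Formbricks code). Input: a file of KEY=value lines.
# get_var FILE NAME: print the last value assigned to NAME, outer quotes stripped.
get_var() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# audit_env FILE: print one finding per line; exit status 1 if anything was found.
audit_env() (
  f=$1; rc=0
  finding() { printf '%s\n' "$1"; rc=1; }
  # Required secrets. `openssl rand -hex 32` prints exactly 64 hex characters;
  # treating any other shape as suspect is this example's heuristic.
  for name in NEXTAUTH_SECRET ENCRYPTION_KEY CRON_SECRET; do
    val=$(get_var "$f" "$name")
    if [ -z "$val" ]; then
      finding "MISSING $name"
    elif ! printf '%s' "$val" | grep -Eq '^[0-9a-fA-F]{64}$'; then
      finding "FORMAT $name is not 64 hex characters"
    fi
  done
  # Settings that switch a protection off when they hold the listed value.
  for pair in RATE_LIMITING_DISABLED=1 DANGEROUSLY_ALLOW_WEBHOOK_INTERNAL_URLS=1 \
      SMTP_REJECT_UNAUTHORIZED_TLS=0 SMTP_SECURE_ENABLED=0 \
      EMAIL_VERIFICATION_DISABLED=1 AUTH_SKIP_INVITE_FOR_SSO=1 \
      DISABLE_ACCOUNT_DELETION_SSO_CONFIRMATION=1; do
    name=${pair%%=*}; risky=${pair#*=}
    if [ "$(get_var "$f" "$name")" = "$risky" ]; then
      finding "RELAXED $name=$risky"
    fi
  done
  # Documented range for the reset-link lifetime: integers from 5 to 120.
  ttl=$(get_var "$f" PASSWORD_RESET_TOKEN_LIFETIME_MINUTES)
  case $ttl in
    ''|[5-9]|[1-9][0-9]|1[01][0-9]|120) ;;
    *) finding "INVALID PASSWORD_RESET_TOKEN_LIFETIME_MINUTES=$ttl" ;;
  esac
  exit "$rc"
)

# Constructed sample input (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
NEXTAUTH_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ENCRYPTION_KEY=changeme
RATE_LIMITING_DISABLED=1
SMTP_REJECT_UNAUTHORIZED_TLS=0
PASSWORD_RESET_TOKEN_LIFETIME_MINUTES=240
EOF
audit_env "$sample" || true
```

The non-zero exit status on any finding lets the check gate a deployment step; settings you relax on purpose, such as AUTH_SKIP_INVITE_FOR_SSO=1 for SSO auto-provisioning, can be removed from the list.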

Formbricks Hub

Starting with Formbricks v5, Hub is part of the standard self-hosted runtime. When you run Formbricks with the bundled Docker Compose or Helm assets, the following variables apply:

| Variable | Description | Required | Default |
| --- | --- | --- | --- |
| HUB_API_KEY | API key used by the Formbricks Hub API. Generate a strong secret and use the same value wherever your deployment supplies Hub auth configuration. | required | (e.g. openssl rand -hex 32) |
| HUB_API_URL | Base URL the Formbricks app uses to call Hub. With the bundled Docker stack, keep this at http://hub:8080 unless Hub runs elsewhere. | required | http://hub:8080 (bundled Docker), http://localhost:8080 (local dev) |
| HUB_DATABASE_URL | PostgreSQL connection URL for Hub. Omit to use the same database as Formbricks. | optional | Same as Formbricks DATABASE_URL (shared database) |

Cube Analytics

Cube is part of the baseline Formbricks v5 stack and is required. Formbricks generates the backend Cube JWT from CUBEJS_API_SECRET, so CUBEJS_API_TOKEN is not part of the supported setup contract.

| Variable | Description | Required | Default |
| --- | --- | --- | --- |
| CUBEJS_API_URL | Base URL the Formbricks app uses to call Cube. Local dev (app on host): http://localhost:4000. Docker/container: http://cube:4000 (service name). | required | |
| CUBEJS_API_SECRET | Shared secret Formbricks uses to sign Cube API JWTs. Generate with openssl rand -hex 32. | required | |
| CUBEJS_JWT_ISSUER | JWT issuer expected by Cube and used by Formbricks when signing per-request Cube tokens. | optional | formbricks-web |
| CUBEJS_JWT_AUDIENCE | JWT audience expected by Cube and used by Formbricks when signing per-request Cube tokens. | optional | formbricks-cube |
| CUBEJS_DB_HOST | Database host for the Cube service. Only needed when you run Cube yourself and override defaults. | optional | Depends on your Cube deployment |
| CUBEJS_DB_PORT | Database port for the Cube service. Only needed when you run Cube yourself and override defaults. | optional | Depends on your Cube deployment |
| CUBEJS_DB_NAME | Database name for the Cube service. Only needed when you run Cube yourself and override defaults. | optional | Depends on your Cube deployment |
| CUBEJS_DB_USER | Database user for the Cube service. Only needed when you run Cube yourself and override defaults. | optional | Depends on your Cube deployment |
| CUBEJS_DB_PASS | Database password for the Cube service. Only needed when you run Cube yourself and override defaults. | optional | Depends on your Cube deployment |

The bundled Docker Compose Cube service sets CUBEJS_DEFAULT_API_SCOPES=meta,data directly on the Cube container. If you run Cube outside the bundled Compose stack, configure the equivalent Cube service environment there rather than adding it to the Formbricks app environment.

For Helm deployments, the chart deploys Cube by default (cube.enabled: true). To use an external Cube cluster instead, set cube.enabled: false, point CUBEJS_API_URL at your endpoint, and supply CUBEJS_API_SECRET through your existing secret management setup.

Note: If you want to configure something that is not possible via the variables above, please open an issue on our GitHub repo or reach out to us on GitHub Discussions and we’ll try our best to work out a solution with you.