| Core | | | |
DATABASE_URL | Yes | PostgreSQL connection string | — |
NEXT_PUBLIC_BASE_URL | Yes | Public URL where app is hosted (e.g., https://yourdomain.com) | — |
INTERNAL_API_KEY | Yes | Secret key for internal API calls. Generate with openssl rand -hex 32 | — |
AUTH_SECRET | Yes | better-auth secret. Generate with openssl rand -hex 32 | — |
NODE_ENV | No | Environment mode | development |
| Encryption | | | |
EMAIL_ENCRYPT_SECRET | Yes | Secret for encrypting OAuth tokens. Generate with openssl rand -hex 32 | — |
EMAIL_ENCRYPT_SALT | Yes | Salt for encrypting OAuth tokens. Generate with openssl rand -hex 16 | — |
| Google OAuth | | | |
GOOGLE_CLIENT_ID | Yes | OAuth client ID from Google Cloud Console | — |
GOOGLE_CLIENT_SECRET | Yes | OAuth client secret from Google Cloud Console | — |
| Microsoft OAuth | | | |
MICROSOFT_CLIENT_ID | No | OAuth client ID from Azure Portal | — |
MICROSOFT_CLIENT_SECRET | No | OAuth client secret from Azure Portal | — |
MICROSOFT_WEBHOOK_CLIENT_STATE | No | Secret for Microsoft webhook verification. Generate with openssl rand -hex 32 | — |
| Messaging Adapters | | | |
TEAMS_BOT_APP_ID | No | Microsoft Teams bot app ID | — |
TEAMS_BOT_APP_PASSWORD | No | Microsoft Teams bot app password/secret | — |
TEAMS_BOT_APP_TENANT_ID | No | Tenant ID for single-tenant Teams bot setups | — |
TEAMS_BOT_APP_TYPE | No | Teams bot app type (MultiTenant or SingleTenant) | — |
TELEGRAM_BOT_TOKEN | No | Telegram bot token from BotFather | — |
TELEGRAM_BOT_SECRET_TOKEN | No | Optional Telegram webhook secret token (sent in x-telegram-bot-api-secret-token) | — |
| Google PubSub | | | |
GOOGLE_PUBSUB_TOPIC_NAME | Yes | Full topic name (e.g., projects/my-project/topics/gmail) | — |
GOOGLE_PUBSUB_VERIFICATION_TOKEN | No | Token for webhook verification | — |
| Redis | | | |
UPSTASH_REDIS_URL | No* | Upstash Redis URL or any Upstash-compatible HTTP Redis endpoint (*required if not using Docker Compose with local Redis) | — |
UPSTASH_REDIS_TOKEN | No* | Upstash Redis token or serverless-redis-http token (*required if not using Docker Compose) | — |
REDIS_URL | No | Redis URL for subscriptions and the optional BullMQ worker | — |
| LLM Provider Selection | | | |
DEFAULT_LLM_PROVIDER | Yes | Primary LLM provider (anthropic, azure, vertex, google, openai, bedrock, openrouter, groq, aigateway, ollama) | — |
DEFAULT_LLM_MODEL | No | Model to use with default provider | Provider default |
DEFAULT_LLM_FALLBACKS | No | Ordered fallback chain (provider:model,provider:model, explicit model required) | — |
DEFAULT_OPENROUTER_PROVIDERS | No | Comma-separated list of OpenRouter providers | — |
ECONOMY_LLM_PROVIDER | No | Provider for cheaper operations | — |
ECONOMY_LLM_MODEL | No | Model for economy provider | — |
ECONOMY_LLM_FALLBACKS | No | Fallback chain for economy model type (provider:model, explicit model required) | — |
ECONOMY_OPENROUTER_PROVIDERS | No | OpenRouter providers for economy model | — |
CHAT_LLM_PROVIDER | No | Provider for chat operations | Falls back to default |
CHAT_LLM_MODEL | No | Model for chat provider | — |
CHAT_LLM_FALLBACKS | No | Fallback chain for chat model type (provider:model, explicit model required) | — |
CHAT_OPENROUTER_PROVIDERS | No | OpenRouter providers for chat | — |
| LLM Provider Credentials | | | |
LLM_API_KEY | No | Shared fallback API key for LLM providers. Used when a provider-specific key is not set. | — |
ANTHROPIC_API_KEY | No | Anthropic API key | — |
OPENAI_API_KEY | No | OpenAI API key | — |
GOOGLE_API_KEY | No | Google Gemini API key | — |
GOOGLE_THINKING_BUDGET | No | Override the thinking budget for Gemini 2.x/2.5 models used through Google, Vertex, or AI Gateway. Set to 0 to omit the budget. Gemini 3 models still use minimal thinking. | 128 |
GROQ_API_KEY | No | Groq API key | — |
OPENROUTER_API_KEY | No | OpenRouter API key | — |
AI_GATEWAY_API_KEY | No | AI Gateway API key | — |
PERPLEXITY_API_KEY | No | Perplexity API key for guest research for meeting briefs | — |
| Azure OpenAI | | | |
AZURE_API_KEY | No | Azure OpenAI API key (required when azure is used and LLM_API_KEY is not set) | — |
AZURE_RESOURCE_NAME | No | Azure OpenAI resource name (required when azure is used as a default or fallback provider) | — |
AZURE_API_VERSION | No | Azure OpenAI API version override | — |
| Google Vertex | | | |
GOOGLE_VERTEX_PROJECT | No | Google Cloud project ID for Vertex AI (required when vertex is used as a default or fallback provider) | — |
GOOGLE_VERTEX_LOCATION | No | Vertex AI location | us-central1 |
GOOGLE_VERTEX_CLIENT_EMAIL | No | Service account client email for Vertex auth (when not using ADC file) | — |
GOOGLE_VERTEX_PRIVATE_KEY | No | Service account private key for Vertex auth (supports \n escaped newlines) | — |
GOOGLE_APPLICATION_CREDENTIALS | No | Path to a Google service account JSON file for ADC/Vertex auth | — |
| AWS Bedrock | | | |
BEDROCK_ACCESS_KEY | No | AWS access key for Bedrock. See AI SDK Bedrock documentation. | — |
BEDROCK_SECRET_KEY | No | AWS secret key for Bedrock | — |
BEDROCK_REGION | No | AWS region for Bedrock | us-west-2 |
| Ollama (Local LLM) | | | |
OLLAMA_BASE_URL | No | Ollama API endpoint (e.g., http://localhost:11434/api) | — |
| OpenAI-Compatible (Local LLM) | | | |
OPENAI_COMPATIBLE_BASE_URL | No | Base URL for an OpenAI-compatible server (e.g. LM Studio: http://localhost:1234/v1) | http://localhost:1234/v1 |
| Background Jobs (QStash, optional) | | | |
QSTASH_TOKEN | No | QStash API token (optional; fallback runs jobs via internal API + cron) | — |
QSTASH_CURRENT_SIGNING_KEY | No | Current signing key for webhooks | — |
QSTASH_NEXT_SIGNING_KEY | No | Next signing key for key rotation | — |
QUEUE_BACKEND | No | Background job transport: qstash, bullmq, or internal | Auto-detect (qstash when configured, else internal) |
| Sentry | | | |
SENTRY_AUTH_TOKEN | No | Auth token for source maps | — |
SENTRY_ORGANIZATION | No | Organization slug | — |
SENTRY_PROJECT | No | Project slug | — |
NEXT_PUBLIC_SENTRY_DSN | No | Client-side DSN | — |
| Resend | | | |
RESEND_API_KEY | No | API key for transactional emails | — |
RESEND_AUDIENCE_ID | No | Audience ID for contacts | — |
RESEND_FROM_EMAIL | No | From email address | Inbox Zero <updates@transactional.getinboxzero.com> |
NEXT_PUBLIC_IS_RESEND_CONFIGURED | No | Client-side flag indicating if Resend is configured | — |
| Other | | | |
CRON_SECRET | No | Secret for cron job authentication | — |
HEALTH_API_KEY | No | API key for health checks | — |
WEBHOOK_URL | No | External webhook URL | — |
| Digest Controls | | | |
DIGEST_MAX_SUMMARIES_PER_24H | No | Maximum digest summaries per email account in a rolling 24-hour window. Set to 0 to disable the cap. | 50 |
| Admin & Access Control | | | |
ADMINS | No | Comma-separated list of admin emails | — |
AUTO_ENABLE_ORG_ANALYTICS | No | Default new organization memberships to analytics enabled | false |
| Feature Flags | | | |
NEXT_PUBLIC_CONTACTS_ENABLED | No | Enable contacts feature | false |
NEXT_PUBLIC_EMAIL_SEND_ENABLED | No | Enable email sending | true |
NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS | No | Bypass premium checks (recommended for self-hosting) | true |
NEXT_PUBLIC_DIGEST_ENABLED | No | Enable email digest feature, which sends periodic summaries of emails. Works without QStash (no retries). | false |
NEXT_PUBLIC_MEETING_BRIEFS_ENABLED | No | Enable meeting briefs, which automatically sends pre-meeting briefings to users. Requires the meeting briefs cron job to be running. | false |
NEXT_PUBLIC_FOLLOW_UP_REMINDERS_ENABLED | No | Enable follow-up reminders, which allows users to add labels to emails for automatic follow-up tracking. Requires the follow-up reminders cron job to be running. | false |
NEXT_PUBLIC_INTEGRATIONS_ENABLED | No | Enable the integrations feature, allowing users to connect external services. | false |
NEXT_PUBLIC_SMART_FILING_ENABLED | No | Enable the Smart Filing feature for automatic document organization from email attachments. | false |
NEXT_PUBLIC_AUTO_DRAFT_DISABLED | No | Disable the auto-drafting feature, which automatically drafts replies based on assistant rules. | false |
| White Labeling (Optional) | | | |
NEXT_PUBLIC_BRAND_NAME | No | Brand name used in UI text and metadata | Inbox Zero |
NEXT_PUBLIC_BRAND_LOGO_URL | No | Custom logo URL or public asset path (for example /images/brand-logo.svg) | Built-in Inbox Zero logo |
NEXT_PUBLIC_BRAND_ICON_URL | No | Custom app icon URL or public asset path | /icon.png |
NEXT_PUBLIC_SUPPORT_EMAIL | No | Contact email shown in support links and error messages | elie@getinboxzero.com |
| Debugging | | | |
DISABLE_LOG_ZOD_ERRORS | No | Disable logging Zod validation errors | — |
ENABLE_DEBUG_LOGS | No | Enable debug logging | false |
NEXT_PUBLIC_LOG_SCOPES | No | Comma-separated log scopes | — |
