Complete reference for all environment variables used by the KaireonAI platform.

1. Quick Reference

| Variable | Required | Default | Category |
| --- | --- | --- | --- |
| DATABASE_URL | Yes | | Database |
| REDIS_URL | No | — (cache disabled) | Cache |
| NEXTAUTH_URL | Yes | | Authentication |
| NEXTAUTH_SECRET | Yes | | Authentication |
| JWT_SIGNING_SECRET | Yes | | Authentication |
| CONNECTOR_ENCRYPTION_KEY | Yes | | Security |
| LOG_LEVEL | No | info | Observability |
| NODE_ENV | No | development | Runtime |
| WORKER_CONCURRENCY | No | 4 | Workers |
| EVENT_PUBLISHER | No | memory | Integration |
| CACHE_STORE | No | memory | Integration |
| INTERACTION_STORE | No | postgres | Integration |
| SEARCH_INDEX | No | postgres | Integration |
| OTEL_EXPORTER_OTLP_ENDPOINT | No | | Observability |

2. Database

DATABASE_URL

PostgreSQL connection string used by Prisma via the @prisma/adapter-pg driver adapter.
| Property | Value |
| --- | --- |
| Required | Yes |
| Default | |
| Format | postgresql://USER:PASSWORD@HOST:PORT/DATABASE?sslmode=require |
| Example | postgresql://kaireon:s3cret@db.example.com:5432/kaireon_prod?sslmode=require |
Notes:
  • In Prisma 7, this value is read from prisma.config.ts, not from the schema.prisma datasource block.
  • For RDS deployments, append ?sslmode=require and optionally &sslrootcert=/app/certs/rds-ca.pem.
  • Use IAM database authentication in production where possible.
  • Connection pooling is handled by the pg adapter; set connection_limit in the connection string if needed.

REDIS_URL

Redis connection string for caching. Optional — the platform runs without Redis. Cache can also be configured from Settings > Integrations UI.
| Property | Value |
| --- | --- |
| Required | No |
| Default | — (cache disabled when not set) |
| Format | redis://[:PASSWORD@]HOST:PORT[/DB] or rediss:// for TLS |
| Example | rediss://:authtoken@cache.example.com:6379/0 |
Notes:
  • Use rediss:// (double s) for TLS connections to ElastiCache.
  • Alternatively, configure cache from Settings > Integrations UI with full TLS, Sentinel, and Cluster support.
  • For ElastiCache cluster mode, use the configuration endpoint.

3. Authentication

NEXTAUTH_URL

The canonical URL of the KaireonAI application. Used by NextAuth.js for callback URLs and CSRF protection.
| Property | Value |
| --- | --- |
| Required | Yes |
| Default | |
| Format | Full URL with protocol |
| Example | https://app.kaireon.example.com |
Notes:
  • Must match the domain configured in your OAuth provider.
  • Do not include a trailing slash.
  • In development, use http://localhost:3000.

NEXTAUTH_SECRET

Secret used to encrypt NextAuth.js session tokens and CSRF tokens.
| Property | Value |
| --- | --- |
| Required | Yes |
| Default | |
| Format | Random string, minimum 32 characters |
| Example | a1b2c3d4e5f6... (use openssl rand -base64 32 to generate) |
Notes:
  • Must be identical across all application replicas.
  • Rotate every 180 days. See the security hardening guide for rotation procedures.
  • Store in AWS Secrets Manager, never in source control.

JWT_SIGNING_SECRET

Secret used to sign and verify JWT tokens for API authentication.
| Property | Value |
| --- | --- |
| Required | Yes |
| Default | |
| Format | Random string, minimum 32 characters |
| Example | x9y8z7w6v5u4... (use openssl rand -base64 32 to generate) |
Notes:
  • Used for service-to-service authentication and API key validation.
  • Must differ from NEXTAUTH_SECRET.
  • Support dual-key validation during rotation: the application accepts tokens signed with either the current or previous key.
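
Dual-key validation during rotation, as an added example that is not KaireonAI's implementation: the verifier tries the current secret first, then the previous one. HS256, the `current`/`previous` labels and passing the previous secret separately are assumptions, since the page names only JWT_SIGNING_SECRET.

```javascript
// Added example, not KaireonAI code. Assumes HS256 tokens; how the previous
// secret is supplied during rotation is hypothetical (the page does not say).
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// keys = { current, previous }. Returns { payload, key } or null.
function verifyJwt(token, keys, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm on the verifier side; the token must not choose it.
  if (header?.alg !== 'HS256') return null;
  if (typeof payload !== 'object' || payload === null) return null;
  const given = Buffer.from(sig, 'base64url');
  for (const [label, secret] of Object.entries(keys)) {
    if (!secret) continue; // no previous key outside a rotation window
    const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
    // Constant-time comparison; lengths must match before timingSafeEqual.
    if (given.length === expected.length && timingSafeEqual(given, expected)) {
      if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) return null;
      return { payload, key: label };
    }
  }
  return null;
}
```

Counting how often `key` comes back as `previous` shows when the old secret can be dropped from the verifier.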

4. Security

CONNECTOR_ENCRYPTION_KEY

AES-256 encryption key used to encrypt connector credentials (database passwords, API keys, OAuth tokens) at rest.
| Property | Value |
| --- | --- |
| Required | Yes |
| Default | |
| Format | 32-byte hex string (64 hex characters) or base64-encoded 32 bytes |
| Example | 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef |
Notes:
  • Used by the connector registry to encrypt sensitive configuration fields before storing in PostgreSQL.
  • Rotation requires re-encrypting all existing connector credentials. See the security hardening guide.
  • Generate with: openssl rand -hex 32.
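
The constraints stated in sections 2 to 4 (required variables, the 32-character minimum for both secrets, JWT_SIGNING_SECRET differing from NEXTAUTH_SECRET, the 32-byte CONNECTOR_ENCRYPTION_KEY, no trailing slash on NEXTAUTH_URL) can be checked before the application starts. This is an added example, not KaireonAI code; `validateEnv` and `isAes256Key` are hypothetical names, and treating sslmode=require and rediss:// as mandatory when NODE_ENV=production is an assumed policy.

```javascript
// Added example, not KaireonAI code: startup checks built from the notes in
// sections 2-4. Function names and error wording are hypothetical.
const REQUIRED = ['DATABASE_URL', 'NEXTAUTH_URL', 'NEXTAUTH_SECRET',
  'JWT_SIGNING_SECRET', 'CONNECTOR_ENCRYPTION_KEY'];

// True when the value is 64 hex characters or base64 that decodes to 32 bytes.
function isAes256Key(value) {
  if (/^[0-9a-fA-F]{64}$/.test(value)) return true;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return false;
  return Buffer.from(value, 'base64').length === 32;
}

// Returns a list of problems; an empty list means the environment passes.
function validateEnv(env) {
  const errors = [];
  for (const name of REQUIRED) {
    if (!env[name]) errors.push(`${name} is required`);
  }
  for (const name of ['NEXTAUTH_SECRET', 'JWT_SIGNING_SECRET']) {
    if (env[name] && env[name].length < 32) {
      errors.push(`${name} is shorter than 32 characters`);
    }
  }
  if (env.JWT_SIGNING_SECRET && env.JWT_SIGNING_SECRET === env.NEXTAUTH_SECRET) {
    errors.push('JWT_SIGNING_SECRET must differ from NEXTAUTH_SECRET');
  }
  if (env.CONNECTOR_ENCRYPTION_KEY && !isAes256Key(env.CONNECTOR_ENCRYPTION_KEY)) {
    errors.push('CONNECTOR_ENCRYPTION_KEY must be 32 bytes as hex or base64');
  }
  if (env.NEXTAUTH_URL && !/^https?:\/\//.test(env.NEXTAUTH_URL)) {
    errors.push('NEXTAUTH_URL must include the protocol');
  }
  if (env.NEXTAUTH_URL && env.NEXTAUTH_URL.endsWith('/')) {
    errors.push('NEXTAUTH_URL must not end with a slash');
  }
  // Assumed policy (the page only recommends these): require TLS in production.
  if (env.NODE_ENV === 'production') {
    if (env.DATABASE_URL && !/[?&]sslmode=require(&|$)/.test(env.DATABASE_URL)) {
      errors.push('DATABASE_URL should set sslmode=require');
    }
    if (env.REDIS_URL && !env.REDIS_URL.startsWith('rediss://')) {
      errors.push('REDIS_URL should use rediss:// for TLS');
    }
  }
  return errors;
}

// Report-only when run directly; a real entrypoint would exit on errors.
for (const problem of validateEnv(process.env)) console.error(`env: ${problem}`);
```

The messages name the variable but never echo its value, so the output is safe to send to the normal log pipeline.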

5. Runtime

NODE_ENV

Node.js environment identifier. Controls Next.js build behavior, logging verbosity, and debug features.
| Property | Value |
| --- | --- |
| Required | No |
| Default | development |
| Allowed | development, production, test |
| Example | production |
Notes:
  • Set to production in all deployed environments (staging, production).
  • In development mode, Next.js enables hot module replacement and verbose error pages.
  • In production mode, error details are hidden from responses for security.

LOG_LEVEL

Controls the minimum severity level for application log output.
| Property | Value |
| --- | --- |
| Required | No |
| Default | info |
| Allowed | error, warn, info, debug, trace |
| Example | info |
Notes:
  • Use debug or trace only for troubleshooting. These levels generate high log volume.
  • In production, info is recommended. Use warn if log costs are a concern.
  • Log output is structured JSON when NODE_ENV=production.

WORKER_CONCURRENCY

Maximum number of concurrent pipeline tasks a single worker pod processes.
| Property | Value |
| --- | --- |
| Required | No |
| Default | 4 |
| Format | Positive integer |
| Example | 8 |
Notes:
  • Increase for CPU-heavy transform workloads on larger instances.
  • Each concurrent task consumes approximately 256 MiB of memory. Ensure the pod memory limit accommodates WORKER_CONCURRENCY * 256 MiB plus overhead.
  • Set to 1 for debugging pipeline issues in isolation.

6. Integration Backends

These variables control which backing services KaireonAI uses for event publishing, caching, interaction storage, and search. All default to PostgreSQL or in-process implementations — no external infrastructure is required. Infrastructure can also be configured from Settings > Integrations UI, which overrides these env vars.
UI-first configuration: All infrastructure backends can be configured from Settings > Integrations with full support for TLS, authentication (including AWS IAM roles), and advanced options. Environment variables serve as fallbacks.

EVENT_PUBLISHER

The event publishing backend for domain events (offer served, decision made, pipeline completed).
| Property | Value |
| --- | --- |
| Required | No |
| Default | none (in-process) |
| Allowed | none, kafka, redpanda |
| Example | kafka |

Related variables by backend:

| Backend | Additional Variables |
| --- | --- |
| none | None. Events are processed in-process. |
| kafka | KAFKA_BROKERS, KAFKA_TOPIC_PREFIX, KAFKA_SASL_USERNAME, KAFKA_SASL_PASSWORD |
| redpanda | Same as Kafka (Kafka-compatible protocol) |

For AWS MSK with IAM authentication, configure from Settings > Integrations UI (supports IRSA role-based auth).

CACHE_STORE

The caching backend for decision results, feature vectors, and session data.
| Property | Value |
| --- | --- |
| Required | No |
| Default | none (no caching) |
| Allowed | none, redis, dragonfly |
| Example | redis |
Notes:
  • none means no caching — all reads hit PostgreSQL directly. Suitable for low-traffic deployments.
  • redis/dragonfly requires REDIS_URL or UI configuration. Recommended for multi-replica deployments or >1000 req/s.
  • Full TLS, Sentinel, and Cluster mode can be configured from Settings > Integrations UI.

INTERACTION_STORE

The storage backend for customer interaction history used by scoring engines.
| Property | Value |
| --- | --- |
| Required | No |
| Default | pg (PostgreSQL) |
| Allowed | pg, scylla, cassandra |
| Example | scylla |

Related variables by backend:

| Backend | Additional Variables |
| --- | --- |
| pg | DATABASE_URL (shared) |
| scylla | Configure from Settings > Integrations UI (contact points, TLS, etc.) |
| cassandra | Same as ScyllaDB (compatible protocol) |

SEARCH_INDEX

The backend for full-text search across offers, blueprints, and connectors.
| Property | Value |
| --- | --- |
| Required | No |
| Default | pg (PostgreSQL tsvector) |
| Allowed | pg, opensearch |
| Example | opensearch |

Related variables by backend:

| Backend | Additional Variables |
| --- | --- |
| pg | DATABASE_URL (shared, uses tsvector columns) |
| opensearch | OPENSEARCH_URL, OPENSEARCH_INDEX_PREFIX, or configure from UI with AWS IAM auth |

Note on Sections 7-11: The default Helm configmap.yaml only passes through OTEL_EXPORTER_OTLP_ENDPOINT, CLOUDWATCH_LOG_GROUP, and CLOUDWATCH_REGION. All other variables in sections 7-11 require manual addition to your Helm values override or direct environment variable injection. They are documented here for teams integrating with these services.

7. Observability

OTEL_EXPORTER_OTLP_ENDPOINT

The OpenTelemetry Collector endpoint for exporting traces, metrics, and logs.
| Property | Value |
| --- | --- |
| Required | No |
| Default | — (telemetry disabled when not set) |
| Format | URL with protocol and port |
| Example | http://otel-collector.observability:4318 |
Notes:
  • Uses the OTLP/HTTP protocol by default (port 4318). For gRPC, use port 4317 and set OTEL_EXPORTER_OTLP_PROTOCOL=grpc.
  • When set, the application emits traces for all API requests, database queries, and pipeline executions.
  • Pair with the OTEL_SERVICE_NAME variable to set the service name in trace data.
OTEL_EXPORTER_OTLP_ENDPOINT is the only OTEL variable included in the default Helm configmap. The following OTEL variables require manual configuration:

OTEL_SERVICE_NAME

Service name reported in telemetry data.
| Property | Value |
| --- | --- |
| Required | No |
| Default | kaireon-app |
| Format | String |
| Example | kaireon-app-production |

OTEL_EXPORTER_OTLP_PROTOCOL

Protocol used to export telemetry data.
| Property | Value |
| --- | --- |
| Required | No |
| Default | http/protobuf |
| Allowed | http/protobuf, grpc |
| Example | grpc |

OTEL_TRACES_SAMPLER

Controls trace sampling strategy to manage telemetry volume.
| Property | Value |
| --- | --- |
| Required | No |
| Default | parentbased_traceidratio |
| Allowed | always_on, always_off, traceidratio, parentbased_traceidratio |
| Example | parentbased_traceidratio |

OTEL_TRACES_SAMPLER_ARG

Sampling ratio argument when using a ratio-based sampler.
| Property | Value |
| --- | --- |
| Required | No |
| Default | 0.1 (10% of traces) |
| Format | Float between 0.0 and 1.0 |
| Example | 0.05 |
Notes:
  • In production, sample 5-10% of traces to control costs.
  • Set to 1.0 in staging or when debugging specific issues.

8. Kafka Integration (Manual Config)

These variables are required only when EVENT_PUBLISHER=kafka.

KAFKA_BROKERS

Comma-separated list of Kafka broker addresses.
| Property | Value |
| --- | --- |
| Required | When EVENT_PUBLISHER=kafka |
| Default | |
| Format | host1:port,host2:port |
| Example | kafka-1.example.com:9092,kafka-2.example.com:9092 |

KAFKA_TOPIC_PREFIX

Prefix applied to all Kafka topic names to support multi-tenant or multi-environment deployments.
| Property | Value |
| --- | --- |
| Required | No |
| Default | kaireon |
| Format | String (alphanumeric and hyphens) |
| Example | kaireon-prod |

Resulting topics: {prefix}.decisions, {prefix}.events, {prefix}.pipeline-runs.

KAFKA_SASL_USERNAME / KAFKA_SASL_PASSWORD

SASL/PLAIN credentials for authenticating with the Kafka cluster.
| Property | Value |
| --- | --- |
| Required | When Kafka requires authentication |
| Default | |
| Format | String |
| Example | kaireon-producer / s3cret |

9. AWS Integration (Manual Config)

AWS_REGION

AWS region for SDK calls (SNS, DynamoDB, Secrets Manager, S3).
| Property | Value |
| --- | --- |
| Required | When using AWS-backed integrations |
| Default | us-east-1 |
| Format | AWS region code |
| Example | us-west-2 |

SNS_TOPIC_ARN

ARN of the SNS topic for event publishing when EVENT_PUBLISHER=sns.
| Property | Value |
| --- | --- |
| Required | When EVENT_PUBLISHER=sns |
| Default | |
| Format | ARN |
| Example | arn:aws:sns:us-east-1:123456789012:kaireon-events |

DYNAMODB_TABLE_NAME

DynamoDB table name for interaction storage when INTERACTION_STORE=dynamodb.
| Property | Value |
| --- | --- |
| Required | When INTERACTION_STORE=dynamodb |
| Default | kaireon-interactions |
| Format | String |
| Example | kaireon-interactions-prod |

10. Search Integration (Manual Config)

OPENSEARCH_URL

OpenSearch cluster endpoint when SEARCH_INDEX=opensearch.
| Property | Value |
| --- | --- |
| Required | When SEARCH_INDEX=opensearch |
| Default | |
| Format | URL with protocol |
| Example | https://search.example.com:9200 |

OPENSEARCH_INDEX_PREFIX

Prefix for OpenSearch index names.
| Property | Value |
| --- | --- |
| Required | No |
| Default | kaireon |
| Format | String |
| Example | kaireon-prod |

11. Analytics Integration (Manual Config)

CLICKHOUSE_URL

ClickHouse connection URL when INTERACTION_STORE=clickhouse.
| Property | Value |
| --- | --- |
| Required | When INTERACTION_STORE=clickhouse |
| Default | |
| Format | http://HOST:PORT or https://HOST:PORT |
| Example | https://clickhouse.example.com:8443 |

CLICKHOUSE_DATABASE

ClickHouse database name.
| Property | Value |
| --- | --- |
| Required | When INTERACTION_STORE=clickhouse |
| Default | kaireon |
| Format | String |
| Example | kaireon_prod |

12. Example .env Files

Development

# Database
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/kaireon_dev

# Auth
NEXTAUTH_URL=http://localhost:3000
NEXTAUTH_SECRET=<generate with: openssl rand -base64 32>
JWT_SIGNING_SECRET=<generate with: openssl rand -base64 64>

# Security
CONNECTOR_ENCRYPTION_KEY=<generate with: openssl rand -hex 32>

# Runtime
NODE_ENV=development
LOG_LEVEL=debug

# Backends (all in-process/local)
EVENT_PUBLISHER=memory
CACHE_STORE=memory
INTERACTION_STORE=postgres
SEARCH_INDEX=postgres

Production (Minimal — PostgreSQL Only)

# Database (from Secrets Manager via ESO)
DATABASE_URL=postgresql://kaireon:ROTATED_PASSWORD@kaireon-db.abc123.us-east-1.rds.amazonaws.com:5432/kaireon?sslmode=require

# Auth (from Secrets Manager via ESO)
NEXTAUTH_URL=https://app.kaireon.example.com
NEXTAUTH_SECRET=ROTATED_SECRET_FROM_SECRETS_MANAGER
JWT_SIGNING_SECRET=ROTATED_SECRET_FROM_SECRETS_MANAGER

# Security (from Secrets Manager via ESO)
CONNECTOR_ENCRYPTION_KEY=ROTATED_KEY_FROM_SECRETS_MANAGER

# Runtime
NODE_ENV=production
LOG_LEVEL=info
WORKER_CONCURRENCY=8

# Observability
OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector.observability:4318
OTEL_SERVICE_NAME=kaireon-app-production
OTEL_TRACES_SAMPLER=parentbased_traceidratio
OTEL_TRACES_SAMPLER_ARG=0.05
Note: Infrastructure backends (Cache, Event Bus, Search, Interaction Store) are configured from Settings > Integrations UI. No env vars needed — the UI supports full TLS, AWS IAM roles, and advanced configuration. AWS services use IAM roles (IRSA) by default when running on EKS.

Production (Full Infrastructure via Env Vars)

If you prefer env vars over UI configuration:
# Database (from Secrets Manager via ESO)
DATABASE_URL=postgresql://kaireon:ROTATED_PASSWORD@kaireon-db.abc123.us-east-1.rds.amazonaws.com:5432/kaireon?sslmode=require

# Cache (optional — configure via UI or env var)
REDIS_URL=rediss://:AUTH_TOKEN@kaireon-cache.abc123.use1.cache.amazonaws.com:6379/0

# Auth (from Secrets Manager via ESO)
NEXTAUTH_URL=https://app.kaireon.example.com
NEXTAUTH_SECRET=ROTATED_SECRET_FROM_SECRETS_MANAGER
JWT_SIGNING_SECRET=ROTATED_SECRET_FROM_SECRETS_MANAGER

# Security (from Secrets Manager via ESO)
CONNECTOR_ENCRYPTION_KEY=ROTATED_KEY_FROM_SECRETS_MANAGER

# Runtime
NODE_ENV=production
LOG_LEVEL=info
WORKER_CONCURRENCY=8

# Backends (all optional — can be configured from Settings > Integrations UI instead)
EVENT_PUBLISHER=kafka
CACHE_STORE=redis
INTERACTION_STORE=pg
SEARCH_INDEX=opensearch

# Kafka / AWS MSK (IAM auth recommended — configure via UI for IRSA support)
KAFKA_BROKERS=kafka-1.example.com:9092,kafka-2.example.com:9092,kafka-3.example.com:9092
KAFKA_TOPIC_PREFIX=kaireon-prod
KAFKA_SASL_USERNAME=kaireon-producer
KAFKA_SASL_PASSWORD=FROM_SECRETS_MANAGER

# AWS
AWS_REGION=us-east-1

# Search (AWS OpenSearch with IAM auth recommended — configure via UI for IRSA support)
OPENSEARCH_URL=https://search.example.com:9200
OPENSEARCH_INDEX_PREFIX=kaireon-prod

# Observability
OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector.observability:4318
OTEL_SERVICE_NAME=kaireon-app-production
OTEL_TRACES_SAMPLER=parentbased_traceidratio
OTEL_TRACES_SAMPLER_ARG=0.05