Environment Variables
All configuration options for the InlineCMS API.
Required
Section titled “Required”| Variable | Description |
|---|---|
DATABASE_URL | PostgreSQL connection string (e.g., postgresql://user:pass@host:5432/dbname) |
JWT_SECRET | Secret for JWT signing. Minimum 32 characters. Generate with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))" |
Optional
Section titled “Optional”| Variable | Default | Description |
|---|---|---|
NODE_ENV | development | Set to production for production deployments |
PORT | 3001 | API server port |
JWT_EXPIRES_IN | 7d | JWT token expiration duration |
IS_SELF_HOSTED | false | Set to true for self-hosted instances |
OAuth sign-in (Google, GitHub)
Section titled “OAuth sign-in (Google, GitHub)”Optional. When a provider’s id and secret are both set, a “Continue with …” button appears on the dashboard login page. Sign-in links to an existing account by verified email — it never creates one. See the full walkthrough in OAuth Sign-In.
| Variable | Description |
|---|---|
PUBLIC_URL | Base URL of this install as the browser sees it (e.g. https://cms.example.com). Used to build OAuth redirect URIs and the post-login redirect. Required when any OAuth provider is configured. In local dev, set it to the dashboard origin (http://localhost:3002). Falls back to the request origin if unset. |
GOOGLE_OAUTH_CLIENT_ID | Google OAuth 2.0 client ID |
GOOGLE_OAUTH_CLIENT_SECRET | Google OAuth 2.0 client secret |
GITHUB_OAUTH_CLIENT_ID | GitHub OAuth app client ID |
GITHUB_OAUTH_CLIENT_SECRET | GitHub OAuth app client secret |
SSO (SAML/OIDC single sign-on) is a feature of InlineCMS Cloud and is not part of the self-hosted build.
Login page
Section titled “Login page”Optional links shown in the login page footer. Omit either to hide that link.
| Variable | Description |
|---|---|
LEGAL_PRIVACY_URL | URL for the footer’s “Privacy” link |
LEGAL_TERMS_URL | URL for the footer’s “Terms” link |
CDN cache invalidation
Section titled “CDN cache invalidation”| Variable | Description |
|---|---|
CDN_INVALIDATION_URL | Webhook URL that InlineCMS POSTs to after every publish |
CDN_INVALIDATION_SECRET | Secret sent with purge requests for authentication |
Build-time hydration (bake)
Section titled “Build-time hydration (bake)”| Variable | Default | Description |
|---|---|---|
INLINECMS_BAKE | on | Server-wide bake kill-switch. Set to off (or false/0) and GET /v1/snapshot reports bakeEnabled: false, forcing every build into safe (no-bake) mode — even builds you can’t redeploy. |
DEPLOY_TRIGGER_DEBOUNCE_MS | 4000 | Window (ms) over which a burst of publishes coalesces into a single deploy trigger. |
Deploy hooks themselves are configured per project (not via env) — see
Build-Time Hydration → deploy triggers.
The same INLINECMS_BAKE switch also works locally in a build environment to
disable baking for one build.
Media storage (S3/R2)
Section titled “Media storage (S3/R2)”For production media uploads, configure S3-compatible storage:
| Variable | Description |
|---|---|
S3_BUCKET | Bucket name |
S3_REGION | AWS region or auto for Cloudflare R2 |
S3_ACCESS_KEY_ID | Access key |
S3_SECRET_ACCESS_KEY | Secret key |
S3_ENDPOINT | Custom endpoint URL (for R2 or MinIO) |
When S3 variables are not set, media uploads are stored locally in the uploads/ directory.