Environment Variables Reference¶

Complete list of authentication-related environment variables.

JWT Configuration¶

Variable	Type	Default	Description
`JWT_SECRET_KEY`	string	`dev-secret-key-change-me-32chars!!!!`	REQUIRED. HS256 signing key. Min 32 characters. Change in production!
`JWT_ALGORITHM`	string	`HS256`	JWT signing algorithm. Do not change unless you have a specific reason.
`ACCESS_TOKEN_EXPIRE_MINUTES`	integer	`360`	Access token TTL in minutes (6 hours).
`REFRESH_TOKEN_EXPIRE_MINUTES`	integer	`10080`	Refresh token TTL for "remember me" in minutes (7 days).
`REFRESH_TOKEN_EXPIRE_MINUTES_SHORT`	integer	`1440`	Refresh token TTL for normal sessions in minutes (1 day).

Password Security¶

Variable	Type	Default	Description
`BCRYPT_ROUNDS`	integer	`12`	Bcrypt cost factor (4-31). Higher = more secure but slower. 12 is recommended for production.

Token Cookies¶

Variable	Type	Default	Description
`ACCESS_COOKIE_NAME`	string	`mbpanel_access`	Name of the access token cookie.
`REFRESH_COOKIE_NAME`	string	`mbpanel_refresh`	Name of the refresh token cookie.

CSRF Protection¶

Variable	Type	Default	Description
`CSRF_COOKIE_NAME`	string	`mbpanel_csrf`	Name of the CSRF token cookie.
`CSRF_HEADER_NAME`	string	`X-CSRF-Token`	Header name for CSRF token in requests.

Variable	Type	Default	Description
`AUTH_COOKIE_SECURE`	boolean	`false` (dev) / `true` (prod)	Set Secure flag on cookies. HTTPS required when true.
`AUTH_COOKIE_SAMESITE`	string	`lax`	SameSite attribute: `strict`, `lax`, or `none`.
`AUTH_COOKIE_DOMAIN`	string	`None`	Domain for cookies. Omit for current domain only.

Redis Configuration¶

Variable	Type	Default	Description
`REDIS_URL`	string	`redis://redis:6379/0`	REQUIRED. Redis connection URL for session state, rate limiting, blacklists.

Encryption¶

Variable	Type	Default	Description
`ENCRYPTION_KEY`	string	(auto-generated)	REQUIRED. Base64 urlsafe 32-byte key for Fernet encryption. Used for Virtuozzo credentials and TOTP secrets.

Pre-Auth Tokens¶

Variable	Type	Default	Description
`PREAUTH_TOKEN_TTL_SECONDS`	integer	`300`	Pre-auth token TTL in seconds (5 minutes).

Session Timeout¶

Variable	Type	Default	Description
`REFRESH_IDLE_TIMEOUT_MINUTES`	integer	`60`	Idle timeout for refresh tokens in minutes. Users must refresh within this window.

Variable	Type	Default	Description
`LOGIN_RATE_LIMIT_MAX_ATTEMPTS`	integer	`5`	Max login attempts per window.
`LOGIN_RATE_LIMIT_WINDOW_SECONDS`	integer	`300`	Rate limit window in seconds (5 minutes).

Device Approval OTP¶

Variable	Type	Default	Description
`DEVICE_APPROVAL_OTP_TTL_SECONDS`	integer	`300`	OTP validity in seconds (5 minutes).
`DEVICE_OTP_MAX_ATTEMPTS`	integer	`5`	Max OTP verification attempts.

Email (Postmark)¶

Variable	Type	Default	Description
`POSTMARK_SERVER_TOKEN`	string	(required)	Postmark API token for sending emails.
`POSTMARK_FROM_EMAIL`	string	(required)	From email address for auth emails.
`POSTMARK_DEVICE_APPROVAL_TEMPLATE_ID`	integer	(required)	Postmark template ID for device approval OTP.
`POSTMARK_SUSPICIOUS_LOGIN_TEMPLATE_ID`	integer	(required)	Postmark template ID for suspicious login alerts.
`POSTMARK_EMAIL_VERIFICATION_TEMPLATE_ID`	integer	(optional)	Postmark template ID for email verification.
`POSTMARK_PASSWORD_RESET_TEMPLATE_ID`	integer	(optional)	Postmark template ID for password reset.
`POSTMARK_INVITE_TEMPLATE_ID`	integer	(optional)	Postmark template ID for team invitations.
`POSTMARK_OWNERSHIP_TRANSFER_TEMPLATE_ID`	integer	(optional)	Postmark template ID for ownership transfer.

Email Token TTLs¶

Variable	Type	Default	Description
`EMAIL_VERIFICATION_TOKEN_TTL_HOURS`	integer	`24`	Email verification token TTL in hours.
`PASSWORD_RESET_TOKEN_TTL_HOURS`	integer	`1`	Password reset token TTL in hours.

Team Invitation¶

Variable	Type	Default	Description
`INVITE_TOKEN_TTL_HOURS`	integer	`168`	Invite token TTL in hours (7 days).

Ownership Transfer¶

Variable	Type	Default	Description
`OWNERSHIP_TRANSFER_TOKEN_TTL_SECONDS`	integer	`86400`	Ownership transfer token TTL in seconds (24 hours).

Virtuozzo Integration¶

Variable	Type	Default	Description
`VZ_VIRTUOZZO_BASE_URL`	string	(required)	Virtuozzo API base URL.
`VZ_VIRTUOZZO_SIGNIN_URL`	string	(required)	Virtuozzo sign-in endpoint URL.
`VZ_VIRTUOZZO_TIMEOUT_SECONDS`	integer	`30`	Virtuozzo API timeout in seconds.
`VZ_CACHE_PREFIX`	string	`vz:session:`	Redis key prefix for Virtuozzo session cache.
`VZ_REFRESH_SAFETY_SECONDS`	integer	`300`	Safety window for Virtuozzo session refresh (5 minutes).
`VZ_LOCK_PREFIX`	string	`vz:lock:`	Redis key prefix for Virtuozzo refresh locks.

Variable	Type	Default	Description
`BASE_URL`	string	(required)	Base URL for constructing approve/deny links in emails.
`LOGIN_ALERT_TOKEN_TTL_SECONDS`	integer	`3600`	Login alert token TTL in seconds (1 hour).

Geo-IP Lookup¶

Variable	Type	Default	Description
`GEO_IP_API_URL`	string	`http://ip-api.com/json/`	Geo-IP API endpoint for suspicious login detection.

Example Configuration¶

# JWT
JWT_SECRET_KEY=prod-secret-key-change-me-to-32-chars
JWT_ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=360
REFRESH_TOKEN_EXPIRE_MINUTES=10080
REFRESH_TOKEN_EXPIRE_MINUTES_SHORT=1440

# Password Security
BCRYPT_ROUNDS=12

# Cookies
ACCESS_COOKIE_NAME=mbpanel_access
REFRESH_COOKIE_NAME=mbpanel_refresh
CSRF_COOKIE_NAME=mbpanel_csrf
CSRF_HEADER_NAME=X-CSRF-Token
AUTH_COOKIE_SECURE=true
AUTH_COOKIE_SAMESITE=lax

# Redis
REDIS_URL=redis://redis:6379/0

# Encryption
ENCRYPTION_KEY=your-base64-urlsafe-32-byte-fernet-key

# Session
PREAUTH_TOKEN_TTL_SECONDS=300
REFRESH_IDLE_TIMEOUT_MINUTES=60

# Rate Limiting
LOGIN_RATE_LIMIT_MAX_ATTEMPTS=5
LOGIN_RATE_LIMIT_WINDOW_SECONDS=300

# Email (Postmark)
POSTMARK_SERVER_TOKEN=your-postmark-token
POSTMARK_FROM_EMAIL=noreply@yourdomain.com
POSTMARK_DEVICE_APPROVAL_TEMPLATE_ID=123456
POSTMARK_SUSPICIOUS_LOGIN_TEMPLATE_ID=234567
POSTMARK_EMAIL_VERIFICATION_TEMPLATE_ID=345678
POSTMARK_PASSWORD_RESET_TEMPLATE_ID=456789
POSTMARK_INVITE_TEMPLATE_ID=567890
POSTMARK_OWNERSHIP_TRANSFER_TEMPLATE_ID=678901

# Virtuozzo
VZ_VIRTUOZZO_BASE_URL=https://app.mymightybox.io
VZ_VIRTUOZZO_SIGNIN_URL=https://app.mymightybox.io/1.0/users/authentication/rest/signin
VZ_VIRTUOZZO_TIMEOUT_SECONDS=30

# URLs
BASE_URL=https://your-app-domain.com

Security Checklist¶

Before deploying to production:

JWT_SECRET_KEY is changed from default (min 32 chars)
ENCRYPTION_KEY is set to a secure Fernet key
BCRYPT_ROUNDS is >= 12
AUTH_COOKIE_SECURE is true
REDIS_URL points to production Redis
Postmark templates are configured
Virtuozzo URLs are correct
BASE_URL matches your production domain

Quick Start - Setup instructions
Security Architecture - Security details

Environment Variables Reference¶

JWT Configuration¶

Password Security¶

Token Cookies¶

CSRF Protection¶

Cookie Security¶

Redis Configuration¶

Encryption¶

Pre-Auth Tokens¶

Session Timeout¶

Rate Limiting (Login)¶

Device Approval OTP¶

Email (Postmark)¶

Email Token TTLs¶

Team Invitation¶

Ownership Transfer¶

Virtuozzo Integration¶

Login Alerts (Suspicious Login)¶

Geo-IP Lookup¶

Example Configuration¶

Security Checklist¶

Related Documentation¶