Skip to content

Env-var reference

Every framework module reads its config from a namespaced env prefix and from a pinned struct — the framework-wide dual-path rule (Configuration). The variable name is NESTRS_<NAMESPACE>__<KEY> (double underscore between namespace and key). This page lists the variables; each maps one-to-one to a field on the module’s config struct, so anything here is also settable in code.

KeyMeaning
HOSTlisten address (default 0.0.0.0)
PORTlisten port
GLOBAL_PREFIXpath prefix for every route (unset ⇒ none)
MAX_BODY_BYTESrequest body cap
REQUEST_TIMEOUT_SECSper-request timeout
FAIL_SECURE_STRICTfail boot (vs warn) on an unguarded self-mount under global guards — default true
SECURITY_HEADERSmaster switch for the secure-by-default response headers
HSTS · FRAME_OPTIONS · CONTENT_TYPE_OPTIONS · SERVER_HEADERindividual security-header controls
TLS_CERT / TLS_KEYPEM cert + key for HTTPS (inline); TLS_CERT_FILE / TLS_KEY_FILE read from a path instead. Unset ⇒ plain HTTP
CORS_ORIGINScomma-separated allowed origins; unset ⇒ no CORS layer
CORS_METHODScomma-separated allowed request methods
CORS_HEADERScomma-separated allowed request headers
CORS_EXPOSEDcomma-separated response headers exposed to the browser
CORS_CREDENTIALSallow credentialed requests — default false
CORS_MAX_AGEpreflight cache lifetime in seconds
ACCESS_LOGemit one access-log event per request — default true (read by nest-rs-opentelemetry)
KeyMeaning
URLPostgres connection string
MAX_CONNECTIONSpool maximum connections (unset ⇒ SeaORM default)
MIN_CONNECTIONSpool minimum connections (unset ⇒ SeaORM default)
CONNECT_TIMEOUT_SECSconnection-acquire timeout in seconds
SQLX_LOGGINGlog SQL statements
RETRY_SERIALIZATION_CONFLICTSretry on serialization failures
KeyMeaning
URLRedis connection string
KeyMeaning
ENDPOINTS3 endpoint (empty ⇒ real AWS S3)
REGIONregion
ACCESS_KEY / SECRET_KEYstatic credentials
BUCKETtarget bucket
FORCE_PATH_STYLEpath-style vs virtual-hosted addressing
KeyMeaning
SERVICE_NAMEservice name; overrides the name passed to OpenTelemetry::init
LOG_LEVELtracing filter (e.g. info, debug)
LOG_FORMATjson (production) or text (dev)
LOG_SOURCE_LOCATIONinclude file:line on each event
OTLP_ENDPOINTcollector endpoint (unset ⇒ no export)
SAMPLE_RATIOtrace sampling ratio, 0.01.0 (default 1.0)
SERVICE_VERSION · SERVICE_ENVIRONMENT · SERVICE_INSTANCE_IDresource attributes

JWT key material and validation for nest-rs-authn. A resource server sets only the verification side (SECRET or PUBLIC_KEY); the issuer app also sets the signing side.

KeyMeaning
SECRETHS256 shared secret (≥ 32 bytes) — signs and verifies
PRIVATE_KEYEdDSA private key (PEM) — issuer only, to sign
PUBLIC_KEYEdDSA public key (PEM) — to verify
ISSUERexpected iss claim (unset ⇒ no issuer check)
AUDIENCEexpected aud claim (unset ⇒ no audience check)
LEEWAY_SECSclock-skew leeway in seconds (default 30)
EXPIRES_IN_SECSminted-token lifetime in seconds (default 3600)

graphql, openapi, ws, throttler, and the auth app’s issuer each read their own NESTRS_<NAMESPACE>__* keys — see the matching module page for the fields. The rule is uniform: the struct’s field name uppercased is the key.

Values resolve highest-first: real env > .env.<NESTRS_ENV>.local > .env.local

.env.<NESTRS_ENV> > .env. See the env cascade.