# Environment Variables

> Describes how to configure the Hoop Gateway via environment variables.

## Basic configuration

| Environment       | Description                                                                                                                                    |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| POSTGRES\_DB\_URI | The PostgreSQL connection string used to connect to the database. |
| API\_URL          | API URL address, usually where your DNS will be pointed to. If a prefix is included, all endpoints and routes will be available at this prefix. |

<Tabs>
  <Tab title="Local Authentication">
    Local Authentication manages users and passwords locally and signs JWT access tokens for users.

    | Environment  | Description                                                                    |
    | ------------ | ------------------------------------------------------------------------------ |
    | AUTH\_METHOD | The authentication method to use (`local`, `oidc`, `saml`). Defaults to `local`. |
  </Tab>

  <Tab title="Oauth2/OIDC Authentication">
    OAuth2/OIDC authentication integrates with any identity provider that supports these protocols. Users are managed on the identity provider.

    | Environment                      | Description                                                                                                                                                                                            |
    | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | IDP\_ISSUER (DEPRECATED)         | Identity Provider Issuer URL (Oauth2). Passing `_userinfo=1` as a query string forces authentication through the [userinfo endpoint](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). |
    | IDP\_CLIENT\_ID (DEPRECATED)     | Oauth2 Client ID.                                                                                                                                                                                      |
    | IDP\_CLIENT\_SECRET (DEPRECATED) | Oauth2 Client Secret.                                                                                                                                                                                  |
    | IDP\_CUSTOM\_SCOPES (DEPRECATED) | Additional Oauth2 scopes to append to the request. Default values are `openid`, `profile` and `email`. |
    | IDP\_AUDIENCE (DEPRECATED)       | Identity Provider Audience (Oauth2)                                                                                                                                                                    |
    | IDP\_GROUPS\_CLAIM (DEPRECATED)  | Specifies the claim identifier used to configure group propagation. If not explicitly set, the system defaults to `https://app.hoop.dev/groups`                                                        |

    <Warning>
      Authentication configuration is now handled in the Webapp or defined directly via the API.
      Environment variables with the `IDP_` prefix are deprecated and will be removed in upcoming releases.
    </Warning>
  </Tab>
</Tabs>

## Extra configuration

None of the fields below are required; they provide extra configuration options to suit your needs.

| Environment                             | Default Value           | Description                                                                                                                                                                |
| --------------------------------------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ADMIN\_USERNAME                         | admin                   | Changes the name of the group to act as the `admin` role                                                                                                                   |
| AUDITOR\_USERNAME                       | auditor                 | Changes the name of the group to act as the `auditor` role                                                                                                                 |
| API\_KEY                                |                         | When this environment variable is set, it enables authentication with full administrative privileges. The key must follow this format: `{org-id}\|{random-string}` |
| ANALYTICS\_TRACKING                     | enabled                 | Disable the analytics tracking by setting it to `disabled`                                                                                                                 |
| DLP\_PROVIDER                           | `gcp`                   | Which DLP provider to use: `mspresidio` or `gcp`                                                                                                                           |
| DLP\_MODE                               | `best-effort`           | The redact mode policy: `best-effort` or `strict`. The former makes a best effort to redact the content and the latter will return an error in case of any redaction issue. |
| DEFAULT\_AGENT\_GRPC\_SCHEME            |                         | Override the gRPC scheme for the default agent. `grpc` or `grpcs`.                                                                                                         |
| DEFAULT\_AGENT\_GRPC\_HOST              |                         | Override the default host for the default agent.                                                                                                                           |
| DEFAULT\_AGENT\_GRPC\_SKIP\_VERIFY      |                         | Override the skip verify configuration when the default agent is connecting with the gateway.                                                                              |
| DEFAULT\_AGENT\_GRPC\_TLS\_CA           |                         | The Certificate Authority file to use when connecting with default agent, e.g.: `file://` or `base64://`                                                                   |
| DISABLE\_SESSIONS\_DOWNLOAD             | false                   | Controls whether session download is disabled. |
| GIN\_MODE                               | release                 | Turn on (debug) logging of routes                                                                                                                                          |
| GOOGLE\_APPLICATION\_CREDENTIALS\_JSON  |                         | GCP DLP credentials                                                                                                                                                        |
| GRPC\_URL                               | `grpc://127.0.0.1:8010` | The gRPC URL to advertise to clients.                                                                                                                                      |
| LOG\_ENCODING                           | json                    | The encoding of output logs (console)                                                                                                                                      |
| LOG\_GRPC                               |                         | "1" enables logging gRPC protocol                                                                                                                                          |
| LOG\_LEVEL                              | info                    | The verbosity of logs (debug,info,warn,error)                                                                                                                              |
| SSH\_CLIENT\_HOST\_KEY                  |                         | The private host key to use for the local SSH server client. It should be a key generated in `PKCS#8` format encoded as base64. |
| INTEGRATION\_AWS\_INSTANCE\_ROLE\_ALLOW |                         | When this option is set to `true`, it allows the use of the AWS instance role when interacting with the AWS Connect integration. |
| MSPRESIDIO\_ANALYZER\_URL               |                         | Host and port for MS Presidio Analyzer `<host-to-analyzer:port>`                                                                                                           |
| MSPRESIDIO\_ANONYMIZER\_URL             |                         | Host and port for MS Presidio Anonymizer `<host-to-anonymizer:port>`                                                                                                       |
| ORG\_MULTI\_TENANT                      |                         | Enable organization multi-tenancy                                                                                                                                          |
| PLUGIN\_AUDIT\_PATH                     | `/opt/hoop/sessions`    | The path where the temporary sessions are stored                                                                                                                           |
| STATIC\_UI\_PATH                        | `/app/ui/public`        | The path where the UI assets reside |
| TLS\_CERT                               |                         | The path to or value of the server certificate (PEM), e.g.: `file://` or `base64://` |
| TLS\_KEY                                |                         | The path to or value of the RSA private key, e.g.: `file://` or `base64://` |
| WEBAPP\_USERS\_MANAGEMENT               | `on`                    | Enables user management in the Webapp, which allows creating, editing and deleting users. |
| WEBHOOK\_APPKEY                         |                         | The application key to send messages to the Svix Webhook provider.                                                                                                         |
| WEBHOOK\_APPURL                         |                         | The Svix Server URL for self hosted setups.                                                                                                                                |
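
Several of the variables above weaken transport security, redaction or authentication when set carelessly. The script below is an added example, not part of the Hoop documentation or code base: it lints a `KEY=VALUE` env file against the settings described on this page. The function names, the 32-character minimum for the `API_KEY` random part, the truthy values assumed for `DEFAULT_AGENT_GRPC_SKIP_VERIFY` and the sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not hoop.dev code: lint a KEY=VALUE env file (unquoted values)
# against the gateway variables documented above. One finding per line.

# Last value assigned to variable $2 in env file $1 (empty if absent).
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

audit_gateway_env() {
  f=$1
  key=$(env_get "$f" API_KEY)
  if [ -n "$key" ]; then
    echo "INFO API_KEY: set, grants full administrative privileges"
    case $key in
      ?*\|?*) rand=${key#*\|}
        # Assumption: the 32-character floor is this example's own, not a hoop.dev rule.
        [ "${#rand}" -ge 32 ] || echo "WARN API_KEY: random part shorter than 32 chars" ;;
      *) echo "FAIL API_KEY: not in {org-id}|{random-string} format" ;;
    esac
  fi
  # grpc is the plaintext scheme, grpcs the TLS one.
  [ "$(env_get "$f" DEFAULT_AGENT_GRPC_SCHEME)" = grpc ] &&
    echo "WARN DEFAULT_AGENT_GRPC_SCHEME: default agent connects without TLS"
  # Assumption: any value other than empty, false or 0 turns verification off.
  case $(env_get "$f" DEFAULT_AGENT_GRPC_SKIP_VERIFY) in
    '' | false | 0) ;;
    *) echo "WARN DEFAULT_AGENT_GRPC_SKIP_VERIFY: TLS verification is skipped" ;;
  esac
  # best-effort is the default, so an unset DLP_MODE is reported too.
  [ "$(env_get "$f" DLP_MODE)" = strict ] ||
    echo "WARN DLP_MODE: not strict, redaction issues will not return an error"
  [ "$(env_get "$f" GIN_MODE)" = debug ] && echo "WARN GIN_MODE: debug route logging is on"
  [ "$(env_get "$f" LOG_LEVEL)" = debug ] && echo "WARN LOG_LEVEL: debug verbosity"
  # Every IDP_ variable is deprecated in favour of Webapp/API configuration.
  sed -n 's/^\(IDP_[A-Z_]*\)=.*/WARN \1: deprecated/p' "$f"
  return 0
}

# Constructed sample input, not taken from a real deployment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
API_KEY=example-org|short
DEFAULT_AGENT_GRPC_SCHEME=grpc
DEFAULT_AGENT_GRPC_SKIP_VERIFY=true
DLP_MODE=best-effort
IDP_CLIENT_ID=example-client
EOF
audit_gateway_env "$sample"
```

Point `audit_gateway_env` at the env file used to start the gateway; a run with no `WARN` or `FAIL` lines means none of the checked settings are in their weaker state.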
