Set up the file

The environment variables are used to configure the application. We will use a .env file to store the variables. For the sample environment file, see the example .env file. The variables are split up into the following sections:

Required variables

General URLs

This section will cover all the variables related to the general URLs.
| Name | Description |
| --- | --- |
| KANEO_CLIENT_URL | The URL of the web application. |
| KANEO_API_URL | The URL of the API. |

Database

This section will cover all the variables related to the database.
| Name | Description |
| --- | --- |
| DATABASE_URL | The URL of the PostgreSQL database. |
| POSTGRES_DB | The name of the PostgreSQL database. |
| POSTGRES_USER | The username for the PostgreSQL database. |
| POSTGRES_PASSWORD | The password for the PostgreSQL database. |

Authentication

This section will cover all the variables related to authentication.

| Name | Description |
| --- | --- |
| AUTH_SECRET | The secret key for the JWT token. Must be at least 32 characters long. Use a long, random value in production. Example: use openssl rand -base64 32 to generate a secure key in Linux/macOS. |
| DEVICE_AUTH_CLIENT_IDS | Optional. Comma-separated list of allowed device authorization client IDs. When unset, Kaneo implicitly allows kaneo-cli and kaneo-mcp by default, so no extra configuration is required for the CLI or MCP. Override only when you need additional trusted clients, for example kaneo-cli,kaneo-mcp,my-desktop-app. |
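
Both authentication rules can be checked before the API starts. The following is an added example, not Kaneo's own code: the function names are hypothetical, an empty DEVICE_AUTH_CLIENT_IDS is assumed to behave like an unset one, and the distinct-character check is a heuristic chosen here. It reads the page's "full comma-separated list" wording to mean that a set value replaces the defaults.

```javascript
// Added example, not Kaneo source code. Function names are hypothetical.
const DEFAULT_DEVICE_CLIENTS = ["kaneo-cli", "kaneo-mcp"];

// Allow-list that results from DEVICE_AUTH_CLIENT_IDS.
// Assumption: an empty value is treated the same as an unset one.
function effectiveDeviceClients(env) {
  const raw = (env.DEVICE_AUTH_CLIENT_IDS ?? "").trim();
  if (raw === "") return [...DEFAULT_DEVICE_CLIENTS];
  return raw.split(",").map((id) => id.trim()).filter(Boolean);
}

function auditAuthEnv(env) {
  const findings = [];
  const secret = env.AUTH_SECRET ?? "";
  if (secret.length < 32) {
    findings.push(`AUTH_SECRET has ${secret.length} characters; at least 32 are required`);
  } else if (new Set(secret).size < 10) {
    // Heuristic chosen for this example: catches values such as "aaaa...".
    findings.push("AUTH_SECRET has few distinct characters; generate it with openssl rand -base64 32");
  }
  const clients = effectiveDeviceClients(env);
  for (const id of DEFAULT_DEVICE_CLIENTS) {
    // The page asks for the full list when the variable is set, so a
    // default client that is left out is reported.
    if (!clients.includes(id)) {
      findings.push(`DEVICE_AUTH_CLIENT_IDS is set without ${id}`);
    }
  }
  return { clients, findings };
}

// Constructed sample values, not real secrets.
const weakEnv = { AUTH_SECRET: "changeme", DEVICE_AUTH_CLIENT_IDS: "my-desktop-app" };
const goodEnv = { AUTH_SECRET: "q3Zb0v9mT1xYc7LrJf2KpWn8sHd5Ge4UaRo6ViEt+/A=" };
console.log(auditAuthEnv(weakEnv));
console.log(auditAuthEnv(goodEnv));
```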

Optional variables

Object Storage

Kaneo uses S3-compatible object storage for private uploads in task descriptions and task comments. MinIO is the easiest local option and the primary tested target. You can also use other S3-compatible storage backends such as AWS S3, Cloudflare R2, or fs.
| Name | Description | Default |
| --- | --- | --- |
| S3_ENDPOINT | The S3-compatible API endpoint used by the Kaneo API for presigned uploads. Example: http://minio:9000. | |
| S3_BUCKET | The bucket Kaneo will use for uploaded files. | |
| S3_ACCESS_KEY_ID | Access key used by the Kaneo API to create presigned upload URLs. | |
| S3_SECRET_ACCESS_KEY | Secret key used by the Kaneo API to create presigned upload URLs. | |
| S3_REGION | The storage region used for request signing. | us-east-1 |
| S3_PUBLIC_BASE_URL | Optional public base URL for uploaded assets. Kaneo does not require this for the current private asset flow. | |
| S3_FORCE_PATH_STYLE | Use path-style S3 URLs. This should usually be true for MinIO and fs. | true |
| S3_MAX_IMAGE_UPLOAD_BYTES | Maximum allowed upload size in bytes for images and other uploaded files. | 10485760 |
| S3_PRESIGN_TTL_SECONDS | How long presigned upload URLs remain valid. | 300 |

Access Control

| Name | Description | Default |
| --- | --- | --- |
| DISABLE_GUEST_ACCESS | Disable anonymous/guest sign-in. When set to true, the guest access button will not be shown on sign-in and sign-up pages. | false |
| DISABLE_REGISTRATION | Disable public user registration. When set to true, the sign-up option will not be shown on the sign-in page and new user creation is blocked (including via SSO). Note: Users with valid workspace invitations can still register even when this is enabled. | false |
| DISABLE_PASSWORD_REGISTRATION | Disable password-based account creation. When set to true, email/password sign-up is blocked, but social/OIDC registration remains available unless DISABLE_REGISTRATION=true. | false |

GitHub SSO

Sign in with GitHub uses a GitHub OAuth App. Set GITHUB_OAUTH_CLIENT_ID and GITHUB_OAUTH_CLIENT_SECRET (or rely on the legacy variables below).
| Name | Description |
| --- | --- |
| GITHUB_OAUTH_CLIENT_ID | OAuth client ID for GitHub sign-in. |
| GITHUB_OAUTH_CLIENT_SECRET | OAuth client secret for GitHub sign-in. |
| GITHUB_CLIENT_ID | Legacy fallback for OAuth client ID when GITHUB_OAUTH_* is not set. |
| GITHUB_CLIENT_SECRET | Legacy fallback for OAuth client secret when GITHUB_OAUTH_* is not set. |

GitHub integration

Repository sync and webhooks use a GitHub App. These variables do not enable GitHub sign-in; configure GitHub SSO separately if you want both.
| Name | Description |
| --- | --- |
| GITHUB_APP_ID | The GitHub App ID. |
| GITHUB_WEBHOOK_SECRET | Secret used to verify GitHub webhook payloads. |
| GITHUB_PRIVATE_KEY | PEM private key for the GitHub App (JWT authentication). |
| GITHUB_APP_NAME | (Optional) GitHub App slug, used for installation links in the UI. |

Google SSO

| Name | Description |
| --- | --- |
| GOOGLE_CLIENT_ID | The Google client ID. |
| GOOGLE_CLIENT_SECRET | The Google client secret. |

Discord SSO

| Name | Description |
| --- | --- |
| DISCORD_CLIENT_ID | The Discord client ID. |
| DISCORD_CLIENT_SECRET | The Discord client secret. |

Custom OAuth/OIDC

| Name | Description |
| --- | --- |
| CUSTOM_OAUTH_CLIENT_ID | OAuth client ID from your provider. |
| CUSTOM_OAUTH_CLIENT_SECRET | OAuth client secret from your provider. |
| CUSTOM_OAUTH_AUTHORIZATION_URL | Authorization endpoint URL. |
| CUSTOM_OAUTH_TOKEN_URL | Token exchange endpoint URL. |
| CUSTOM_OAUTH_USER_INFO_URL | User info endpoint URL. |
| CUSTOM_OAUTH_DISCOVERY_URL | (Optional) OpenID Connect discovery document URL. |
| CUSTOM_OAUTH_SCOPES | (Optional) Comma-separated list of OAuth scopes. Default: profile,email. |
| CUSTOM_OAUTH_RESPONSE_TYPE | (Optional) OAuth response type. Default: code. |
| CUSTOM_AUTH_PKCE | (Optional) Enable/disable PKCE. Default: true. |

Redis

Kaneo supports Redis for horizontal scaling of WebSocket broadcasts. When any Redis mode is configured, multiple API instances can relay real-time updates via Redis Pub/Sub. When none are set, an in-memory adapter is used (single-instance only). Three deployment modes are supported: Standalone, Sentinel, and Cluster. Only one mode should be configured at a time. If multiple are set, the priority is: Cluster > Sentinel > Standalone.

Standalone (single server)

| Name | Description |
| --- | --- |
| REDIS_URL | Redis connection string (e.g., redis://localhost:6379). |

Sentinel (high-availability with automatic failover)

| Name | Description | Default |
| --- | --- | --- |
| REDIS_SENTINELS | Comma-separated list of Sentinel nodes (e.g., sentinel-1:26379,sentinel-2:26379,sentinel-3:26379). | |
| REDIS_SENTINEL_MASTER_NAME | Name of the Sentinel master group. | mymaster |
| REDIS_SENTINEL_PASSWORD | Password for Sentinel instances, if different from the Redis password. | |
| REDIS_SENTINEL_TLS | Set to true to enable TLS for Sentinel connections. | false |

Cluster (horizontal sharding)

| Name | Description |
| --- | --- |
| REDIS_CLUSTER_NODES | Comma-separated list of cluster seed nodes (e.g., node-1:6379,node-2:6379,node-3:6379). |

Shared (used by Sentinel and Cluster modes)

| Name | Description |
| --- | --- |
| REDIS_PASSWORD | Password for the Redis data nodes (used by both Sentinel and Cluster modes, not for Sentinel auth itself — use REDIS_SENTINEL_PASSWORD for that). |
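
The mode priority described at the start of the Redis section (Cluster > Sentinel > Standalone, in-memory when nothing is set) means a leftover variable can be silently ignored. The following is an added example, not Kaneo's own code: the function names are hypothetical, and it assumes every node entry is written as hostname-or-IPv4:port, as in the examples above.

```javascript
// Added example, not Kaneo source code. Function names are hypothetical.
// Modes in the documented priority order: Cluster > Sentinel > Standalone.
const REDIS_MODES = [
  ["cluster", "REDIS_CLUSTER_NODES"],
  ["sentinel", "REDIS_SENTINELS"],
  ["standalone", "REDIS_URL"],
];

// "host:port,host:port" -> [{ host, port }]. Throws on malformed entries.
// Assumption: hosts are hostnames or IPv4 addresses, each with a port.
function parseNodes(list) {
  return list.split(",").map((entry) => {
    const [host, port] = entry.trim().split(":");
    const n = Number(port);
    if (!host || !Number.isInteger(n) || n < 1 || n > 65535) {
      throw new Error(`bad node entry: "${entry.trim()}"`);
    }
    return { host, port: n };
  });
}

function resolveRedisMode(env) {
  const configured = REDIS_MODES.filter(([, key]) => (env[key] ?? "").trim() !== "");
  if (configured.length === 0) return { mode: "in-memory", warnings: [] };
  const [mode, key] = configured[0];
  // Every lower-priority variable that is also set is reported, not used.
  const warnings = configured
    .slice(1)
    .map(([, other]) => `${other} is set but ignored; ${key} (${mode}) takes priority`);
  const result = { mode, warnings };
  if (mode !== "standalone") result.nodes = parseNodes(env[key]);
  if (mode === "sentinel") {
    result.masterName = env.REDIS_SENTINEL_MASTER_NAME || "mymaster";
  }
  return result;
}

// Constructed sample environment with two modes configured at once.
const sampleRedisEnv = {
  REDIS_URL: "redis://localhost:6379",
  REDIS_SENTINELS: "sentinel-1:26379,sentinel-2:26379,sentinel-3:26379",
};
console.log(resolveRedisMode(sampleRedisEnv));
```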

SMTP Configuration

| Name | Description |
| --- | --- |
| SMTP_HOST | The SMTP host. |
| SMTP_PORT | The SMTP port. |
| SMTP_SECURE | Whether to use SSL/TLS. |
| SMTP_USER | The SMTP user. |
| SMTP_PASSWORD | The SMTP password. |
| SMTP_FROM | The SMTP from address. |
| SMTP_REQUIRE_TLS | Whether to explicitly force the use of TLS. See more on. |
| SMTP_IGNORE_TLS | Ignore TLS certificate errors. Set to true for self-signed or invalid certificates. Default: false. |

Key points

  • If you enable GitHub SSO, create a GitHub OAuth App in GitHub Developer Settings and set GITHUB_OAUTH_CLIENT_ID / GITHUB_OAUTH_CLIENT_SECRET (or the legacy GITHUB_CLIENT_* variables). See the GitHub SSO guide.
  • If you use the GitHub repository integration, configure a GitHub App and set the integration variables in GitHub integration. See the GitHub integration configuration guide.
  • If you enable Google SSO, you need to set up, in the Google Cloud Console, the Google app used to authenticate users. See the Google SSO guide.
  • If you enable Discord SSO, you need to set up, in the Discord Developer Portal, the Discord application used to authenticate users. See the Discord SSO guide.
  • If you enable Custom OAuth/OIDC, you need to configure your identity provider with the appropriate redirect URI. See the Custom OAuth/OIDC guide.
  • If you have enabled SMTP, sign-in is done via email using a magic link.
  • If you need device authorization for clients beyond the defaults (kaneo-cli, kaneo-mcp when DEVICE_AUTH_CLIENT_IDS is unset), set DEVICE_AUTH_CLIENT_IDS to the full comma-separated list of trusted client IDs for your deployment.