# Bootstrap Settings (.env)
Bootstrap settings are loaded once at startup from the .env file (or OS environment variables if no .env is present). Changing any of these requires restarting the server.
Generate a .env with secure defaults:

```sh
./autentico init --url https://auth.example.com
```

## Application

| Variable | Default | Description |
|---|---|---|
| AUTENTICO_APP_URL | http://localhost:9999 | Public base URL of the application. Used as the OIDC issuer (iss) and for constructing redirect URIs. Must match the URL clients use to reach the server. |
| AUTENTICO_APP_OAUTH_PATH | /oauth2 | URL path prefix for all OAuth2 endpoints. Change this only if you need to namespace the endpoints. |
| AUTENTICO_APP_ENABLE_CORS | true | Whether to add CORS response headers. Disable if your reverse proxy handles CORS. |
| AUTENTICO_DB_FILE_PATH | ./db/autentico.db | Path to the SQLite database file. The directory must exist and be writable. Use an absolute path in production. |
## Cryptographic secrets

All secrets are generated by autentico init. In production, inject them as environment variables from a secrets manager rather than committing them to .env.

| Variable | Description |
|---|---|
| AUTENTICO_PRIVATE_KEY | Base64-encoded RSA 2048 private key PEM. Used to sign ID tokens and access tokens (RS256). If unset, an ephemeral key is generated at startup — tokens issued with an ephemeral key are invalidated on restart. |
| AUTENTICO_ACCESS_TOKEN_SECRET | HMAC secret for access token signing. Must be a strong random value (at least 32 bytes). |
| AUTENTICO_REFRESH_TOKEN_SECRET | HMAC secret for refresh token signing. Must be a strong random value. |
| AUTENTICO_CSRF_SECRET_KEY | 32-byte secret for CSRF token generation (gorilla/csrf). Must be stable across restarts — changing it invalidates all in-flight CSRF tokens. |
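The following Go program is an added example, not Autentico's own code: it generates the four secret variables in the formats the table describes (a base64-encoded PKCS#1 RSA 2048 PEM, plus three random secrets) and then runs the startup checks a deployment would want before trusting a .env. The hex encoding of the HMAC secrets, the `GenerateSecrets` and `ValidateSecrets` names, and the rejection of values still starting with `change-me` (the placeholders from the example .env on this page) are this example's own choices; the page does not state which encoding `autentico init` uses, only the 32-byte minimum.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// minSecretBytes is the floor the page states for the HMAC secrets.
const minSecretBytes = 32

// hmacSecretVars are the three HMAC-style secrets listed in the table.
var hmacSecretVars = []string{
	"AUTENTICO_ACCESS_TOKEN_SECRET",
	"AUTENTICO_REFRESH_TOKEN_SECRET",
	"AUTENTICO_CSRF_SECRET_KEY",
}

// encodePrivateKey renders the key as PKCS#1 PEM and base64-encodes the whole
// PEM block, which is the AUTENTICO_PRIVATE_KEY format the page describes.
func encodePrivateKey(key *rsa.PrivateKey) string {
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(block))
}

// GenerateSecrets produces fresh values for the four secret variables.
// Assumption (this example's choice): HMAC secrets are 32 random bytes, hex-encoded.
func GenerateSecrets() (map[string]string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	env := map[string]string{"AUTENTICO_PRIVATE_KEY": encodePrivateKey(key)}
	for _, name := range hmacSecretVars {
		b := make([]byte, minSecretBytes)
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
		env[name] = hex.EncodeToString(b)
	}
	return env, nil
}

// ValidateSecrets performs startup checks: the private key must decode to an
// RSA key of at least 2048 bits (PKCS#1 or PKCS#8 PEM), and each HMAC secret
// must be set, not a leftover placeholder, and at least 32 bytes long.
func ValidateSecrets(env map[string]string) error {
	raw, err := base64.StdEncoding.DecodeString(env["AUTENTICO_PRIVATE_KEY"])
	if err != nil {
		return fmt.Errorf("AUTENTICO_PRIVATE_KEY: not valid base64: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return errors.New("AUTENTICO_PRIVATE_KEY: no PEM block after base64 decoding")
	}
	var key *rsa.PrivateKey
	switch block.Type {
	case "RSA PRIVATE KEY": // PKCS#1
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY": // PKCS#8 wrapper; must still contain an RSA key
		var parsed interface{}
		parsed, err = x509.ParsePKCS8PrivateKey(block.Bytes)
		if err == nil {
			var ok bool
			if key, ok = parsed.(*rsa.PrivateKey); !ok {
				err = errors.New("PKCS#8 block does not contain an RSA key")
			}
		}
	default:
		err = fmt.Errorf("unexpected PEM type %q", block.Type)
	}
	if err != nil {
		return fmt.Errorf("AUTENTICO_PRIVATE_KEY: %w", err)
	}
	if bits := key.N.BitLen(); bits < 2048 {
		return fmt.Errorf("AUTENTICO_PRIVATE_KEY: %d-bit key, need at least 2048", bits)
	}
	for _, name := range hmacSecretVars {
		v := env[name]
		switch {
		case v == "":
			return fmt.Errorf("%s: not set", name)
		case strings.HasPrefix(v, "change-me"): // placeholders from the example .env
			return fmt.Errorf("%s: still the placeholder value", name)
		case len(v) < minSecretBytes:
			return fmt.Errorf("%s: %d bytes, need at least %d", name, len(v), minSecretBytes)
		}
	}
	return nil
}

func main() {
	env, err := GenerateSecrets()
	if err != nil {
		panic(err)
	}
	if err := ValidateSecrets(env); err != nil {
		panic(err)
	}
	for _, name := range hmacSecretVars {
		fmt.Printf("%s=%s\n", name, env[name])
	}
	fmt.Printf("AUTENTICO_PRIVATE_KEY=%.24s... (%d chars)\n", env["AUTENTICO_PRIVATE_KEY"], len(env["AUTENTICO_PRIVATE_KEY"]))
}
```

Run it with `go run .` to print a usable set of values; wire `ValidateSecrets` into whatever loads the environment so that a placeholder or a too-short secret fails the process at startup instead of silently signing tokens with a weak key.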
## Cookies

| Variable | Default | Description |
|---|---|---|
| AUTENTICO_CSRF_SECURE_COOKIE | false | Set to true in production (HTTPS). Adds the Secure flag to the CSRF cookie. |
| AUTENTICO_REFRESH_TOKEN_COOKIE_NAME | autentico_refresh_token | Cookie name for the refresh token. Change if you run multiple Autentico instances under the same domain. |
| AUTENTICO_REFRESH_TOKEN_SECURE | false | Set to true in production. Adds the Secure flag to the refresh token cookie. |
| AUTENTICO_IDP_SESSION_COOKIE_NAME | autentico_idp_session | Cookie name for the IdP SSO session. |
| AUTENTICO_IDP_SESSION_SECURE | false | Set to true in production. |
## Rate limiting

Per-IP token-bucket rate limiting applied to authentication endpoints (/oauth2/login, /oauth2/mfa, /oauth2/token, /oauth2/passkey/login/finish).

Two-tier limiting: a request must pass both the per-second and the per-minute bucket to proceed.

| Variable | Default | Description |
|---|---|---|
| AUTENTICO_RATE_LIMIT_RPS | 5 | Sustained request rate per IP (requests/second). Set to 0 to disable both limiters — useful when your reverse proxy already handles rate limiting. |
| AUTENTICO_RATE_LIMIT_BURST | 10 | Burst capacity for the per-second limiter. An IP can send this many requests instantly before the per-second rate applies. |
| AUTENTICO_RATE_LIMIT_RPM | 20 | Sustained request rate per IP (requests/minute). Caps long-term enumeration even when requests are spaced to avoid the per-second limit. |
| AUTENTICO_RATE_LIMIT_RPM_BURST | 20 | Burst capacity for the per-minute limiter. |
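To make the two-tier behaviour concrete, here is an added Go implementation of the scheme the table describes, written for this page rather than taken from Autentico: one per-second and one per-minute token bucket per client IP, a request admitted only when both hold a token, and RPS=0 disabling both tiers. The `Limiter`/`Allow` names, the injectable clock (so the refill arithmetic can be checked without sleeping) and the choice to check both buckets before consuming either are this example's own.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// bucket is a token bucket with capacity burst that earns rate tokens per unit
// of time (time.Second for the RPS tier, time.Minute for the RPM tier).
type bucket struct {
	tokens float64
	burst  float64
	rate   float64
	unit   time.Duration
	last   time.Time
}

func newBucket(rate, burst float64, unit time.Duration, now time.Time) bucket {
	return bucket{tokens: burst, burst: burst, rate: rate, unit: unit, last: now}
}

// refill credits the tokens earned since the last refill, capped at burst.
func (b *bucket) refill(now time.Time) {
	elapsed := float64(now.Sub(b.last)) / float64(b.unit)
	if elapsed > 0 {
		b.tokens += elapsed * b.rate
		if b.tokens > b.burst {
			b.tokens = b.burst
		}
		b.last = now
	}
}

// tiers holds both buckets for one client IP.
type tiers struct {
	perSecond, perMinute bucket
}

// Limiter applies the two-tier scheme: a request proceeds only if both the
// per-second and the per-minute bucket for its IP have a token available.
type Limiter struct {
	mu                        sync.Mutex
	rps, burst, rpm, rpmBurst float64
	now                       func() time.Time // injectable clock for deterministic testing
	clients                   map[string]*tiers
}

// NewLimiter takes the four AUTENTICO_RATE_LIMIT_* values; a nil clock means time.Now.
func NewLimiter(rps, burst, rpm, rpmBurst int, now func() time.Time) *Limiter {
	if now == nil {
		now = time.Now
	}
	return &Limiter{
		rps: float64(rps), burst: float64(burst),
		rpm: float64(rpm), rpmBurst: float64(rpmBurst),
		now: now, clients: map[string]*tiers{},
	}
}

// Allow reports whether a request from ip may proceed, consuming one token
// from each tier when it does.
func (l *Limiter) Allow(ip string) bool {
	if l.rps == 0 {
		return true // RPS=0 disables both limiters, as the table describes
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	c, ok := l.clients[ip]
	if !ok {
		c = &tiers{
			perSecond: newBucket(l.rps, l.burst, time.Second, now),
			perMinute: newBucket(l.rpm, l.rpmBurst, time.Minute, now),
		}
		l.clients[ip] = c
	}
	c.perSecond.refill(now)
	c.perMinute.refill(now)
	// Check both tiers before consuming, so a request denied by one tier
	// does not burn a token from the other.
	if c.perSecond.tokens < 1 || c.perMinute.tokens < 1 {
		return false
	}
	c.perSecond.tokens--
	c.perMinute.tokens--
	return true
}

func main() {
	l := NewLimiter(5, 10, 20, 20, nil) // the page's defaults
	admitted := 0
	for i := 0; i < 15; i++ {
		if l.Allow("203.0.113.7") { // constructed sample IP
			admitted++
		}
	}
	fmt.Printf("%d of 15 back-to-back requests admitted (per-second burst is 10)\n", admitted)
}
```

With the defaults, the per-minute tier is what bites a client that paces requests just under 5/s: after the 20-request burst it earns only one token every three seconds, regardless of how much per-second budget is left. A production version would also expire idle entries from the per-IP map and derive the client IP from the trusted proxy header rather than the socket address.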
## Token signing

| Variable | Default | Description |
|---|---|---|
| AUTENTICO_JWK_CERT_KEY_ID | autentico-key-1 | Key ID (kid) embedded in the JWK Set and JWT headers. Relying parties use this to select the correct verification key. Change if you are rotating keys. |
## Networking

The AppDomain, AppHost, AppPort, and AppAuthIssuer values are all derived from AUTENTICO_APP_URL — do not set them manually.
| Derived value | Example (from https://auth.example.com) |
|---|---|
| Domain | auth.example.com |
| Host | auth.example.com |
| Port | 443 |
| Auth Issuer | https://auth.example.com/oauth2 |
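The derivation in the table, plus the Secure-flag rule from the Cookies section, as an added Go example (not Autentico's own code): it parses a .env in the page's KEY=VALUE format, derives Domain, Host, Port and Auth Issuer from AUTENTICO_APP_URL and AUTENTICO_APP_OAUTH_PATH, and flags cookie settings that disagree with the URL scheme. The `sampleDotEnv` contents are constructed; `ParseDotEnv`, `DeriveNetworking` and `CheckCookieFlags` are this example's names, and taking Domain and Host both from the hostname follows the table, where they carry the same value.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleDotEnv is a constructed .env in the page's format, not a real deployment.
const sampleDotEnv = `
# constructed sample
AUTENTICO_APP_URL=https://auth.example.com
AUTENTICO_APP_OAUTH_PATH=/oauth2
AUTENTICO_CSRF_SECURE_COOKIE=false
AUTENTICO_REFRESH_TOKEN_SECURE="true"
AUTENTICO_IDP_SESSION_SECURE=false
`

// ParseDotEnv reads KEY=VALUE lines, skipping blanks and # comments and
// stripping one layer of matching quotes. Deliberately minimal: no variable
// expansion and no multi-line values.
func ParseDotEnv(text string) map[string]string {
	env := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		value = strings.TrimSpace(value)
		if len(value) >= 2 && (value[0] == '"' || value[0] == '\'') && value[len(value)-1] == value[0] {
			value = value[1 : len(value)-1]
		}
		env[strings.TrimSpace(key)] = value
	}
	return env
}

// Derived mirrors the values the page says are computed from AUTENTICO_APP_URL.
type Derived struct {
	Domain, Host, Port, AuthIssuer string
}

// DeriveNetworking computes those values. Port falls back to the scheme
// default when the URL carries none, as the page's https example shows (443).
func DeriveNetworking(env map[string]string) (Derived, error) {
	raw := env["AUTENTICO_APP_URL"]
	u, err := url.Parse(raw)
	if err != nil {
		return Derived{}, fmt.Errorf("AUTENTICO_APP_URL: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return Derived{}, fmt.Errorf("AUTENTICO_APP_URL must be an absolute http(s) URL, got %q", raw)
	}
	port := u.Port()
	if port == "" {
		port = "80"
		if u.Scheme == "https" {
			port = "443"
		}
	}
	oauthPath := env["AUTENTICO_APP_OAUTH_PATH"]
	if oauthPath == "" {
		oauthPath = "/oauth2" // the page's default
	}
	issuer := u.Scheme + "://" + u.Host + strings.TrimRight(u.Path, "/") + "/" + strings.Trim(oauthPath, "/")
	return Derived{Domain: u.Hostname(), Host: u.Hostname(), Port: port, AuthIssuer: issuer}, nil
}

// CheckCookieFlags reports Secure-flag settings that disagree with the URL
// scheme: false on an https deployment (the cookie could travel over plain
// http), or true on an http deployment (browsers never send a Secure cookie
// over http, so logins would silently fail).
func CheckCookieFlags(env map[string]string) []string {
	u, err := url.Parse(env["AUTENTICO_APP_URL"])
	if err != nil {
		return []string{"AUTENTICO_APP_URL does not parse"}
	}
	https := u.Scheme == "https"
	var problems []string
	for _, name := range []string{"AUTENTICO_CSRF_SECURE_COOKIE", "AUTENTICO_REFRESH_TOKEN_SECURE", "AUTENTICO_IDP_SESSION_SECURE"} {
		secure := strings.EqualFold(env[name], "true")
		switch {
		case https && !secure:
			problems = append(problems, name+" should be true: AUTENTICO_APP_URL uses https")
		case !https && secure:
			problems = append(problems, name+" is true but AUTENTICO_APP_URL is plain http; the cookie would never be sent")
		}
	}
	return problems
}

func main() {
	env := ParseDotEnv(sampleDotEnv)
	d, err := DeriveNetworking(env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", d)
	for _, p := range CheckCookieFlags(env) {
		fmt.Println("warning:", p)
	}
}
```

Running it against the constructed sample prints the derived values from the table and two warnings, for the CSRF and IdP-session cookies left at their false defaults behind an https URL.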
## Example .env

```sh
AUTENTICO_APP_URL=https://auth.example.com
AUTENTICO_APP_OAUTH_PATH=/oauth2
AUTENTICO_APP_ENABLE_CORS=true
AUTENTICO_DB_FILE_PATH=/data/autentico.db

AUTENTICO_PRIVATE_KEY=LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQo...
AUTENTICO_ACCESS_TOKEN_SECRET=change-me-to-a-strong-random-secret
AUTENTICO_REFRESH_TOKEN_SECRET=change-me-to-another-strong-random-secret
AUTENTICO_CSRF_SECRET_KEY=change-me-to-a-32-byte-random-secret

AUTENTICO_CSRF_SECURE_COOKIE=true
AUTENTICO_REFRESH_TOKEN_SECURE=true
AUTENTICO_IDP_SESSION_SECURE=true

# Rate limiting (set RPS=0 to disable both tiers if reverse proxy handles it)
AUTENTICO_RATE_LIMIT_RPS=5
AUTENTICO_RATE_LIMIT_BURST=10
AUTENTICO_RATE_LIMIT_RPM=20
AUTENTICO_RATE_LIMIT_RPM_BURST=20
```