Configuration
All environment variables for the BuildBase tenant server.
Environment Variables
Required
| Variable | Description |
|---|---|
NODE_ENV | Set to production |
PORT | Server port (default: 3000) |
MONGO_CONNECTION_URL | MongoDB connection string |
REDIS_HOST | Redis hostname |
REDIS_PORT | Redis port (default: 6379) |
CENTRAL_SERVER_URL | Central server URL (provided in setup wizard) |
ORG_IDS | Your organization ID (provided in setup wizard) |
SERVER_URL | Public URL of this server |
APPLICATION_URL | URL of your frontend app |
JWT_PASS | JWT signing secret |
DB_ENCRYPTION_KEY | Database field encryption key |
SECRET_KEY | General application secret |
OAUTH2_SECRET | OAuth2 token secret |
INTERNAL_API_KEY | Service-to-service auth key |
CORS
| Variable | Description |
|---|---|
CORS_WHITELISTED_DOMAINS | Comma-separated list of allowed origins |
The dashboard origins (console.buildbase.app) are always allowed by default.
Redis
| Variable | Description | Default |
|---|---|---|
REDIS_HOST | Hostname | localhost |
REDIS_PORT | Port | 6379 |
REDIS_PASSWORD | Password (if required) | — |
REDIS_DB | Database number | 0 |
Optional Services
| Variable | Description |
|---|---|
GOOGLE_AUTH_CLIENT_ID | Google OAuth client ID (for Google vendor + Gmail sender) |
GOOGLE_AUTH_CLIENT_SECRET | Google OAuth client secret |
GOOGLE_STORAGE_ASSETS_BUCKET_NAME | GCS bucket for file uploads |
MAILGUN_API_KEY | Mailgun API key (for transactional emails) |
Generating Secrets
All secret values should be unique, random strings. Generate them with:
openssl rand -hex 32Or generate all required secrets at once:
for i in JWT_PASS DB_ENCRYPTION_KEY SECRET_KEY OAUTH2_SECRET INTERNAL_API_KEY; do echo "$i=$(openssl rand -hex 32)"; doneDocker Image
| Property | Value |
|---|---|
| Image | buildbaseapp/tenant-server |
| Registry | Docker Hub |
| Platform | linux/amd64 |
| Base | Node.js 20 Alpine |
| Port | 3000 |
| Health check | GET /api/ready |
| Signal handling | Graceful shutdown via dumb-init |
Architecture
Dashboard (console.buildbase.app)
|
| API calls (HTTPS)
v
Your Tenant Server (your infrastructure)
|
|-- MongoDB (your data)
|-- Redis (sessions, queues, cache)
|
| ES256 signed tokens
v
Central Server (central.console.buildbase.app)
|-- Organization management
|-- Authentication
|-- Key management
Your data never leaves your infrastructure. The central server only handles authentication tokens and organization metadata.