# Configuration

> Server configuration reference — all environment variables and their defaults

## Configuration sources

The Parmana server reads configuration exclusively from environment variables. There is no configuration file. Variables are read at startup and are not reloadable without restarting the server.

***

## Required variables

These variables have no defaults. The server will not start without them.

| Variable    | Description                                                                               |
| ----------- | ----------------------------------------------------------------------------------------- |
| `REDIS_URL` | Redis connection string — e.g., `redis://localhost:6379` or `redis://:password@host:6379` |

Additionally, one of the signing key patterns below is required (see [Signing Key Configuration](#signing-key-configuration)).

***

## Strongly recommended variables

These have defaults, but you should set them in any non-ephemeral deployment.

| Variable             | Default         | Description                                                                                                                                    |
| -------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| `PARMANA_API_KEY`    | `""` (no auth)  | Bearer token required on all API requests. If empty, all requests are accepted without authentication. Set this in every deployed environment. |
| `AUDIT_DATABASE_URL` | `""` (no audit) | PostgreSQL connection string. If empty, audit records are not stored and all `/audit/*` routes return 503.                                     |
| `POSTGRES_PASSWORD`  | —               | Used in docker-compose.yml to set the Postgres user password. Not read directly by the server — passed via `AUDIT_DATABASE_URL`.               |

***

## Signing key configuration

### Provider: env (recommended for Docker)

Set the signing key directly in the environment:

```bash
PARMANA_SIGNING_PROVIDER=env
PARMANA_SIGNING_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMC4CAQ....\n-----END PRIVATE KEY-----"
PARMANA_SIGNING_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nMCowBQ....\n-----END PUBLIC KEY-----"
```

<Warning>
  Never commit private key material to version control. Use Docker secrets, AWS Secrets Manager, or equivalent.
</Warning>

### Provider: disk (alternative)

Load key files from the filesystem:

```bash
PARMANA_SIGNING_PROVIDER=disk
PARMANA_SIGNING_PRIVATE_KEY_PATH=/secure/parmana/private.pem
PARMANA_SIGNING_PUBLIC_KEY_PATH=/secure/parmana/public.pem
```

Mount the key directory as a read-only volume in Docker.

***

## Optional variables with defaults

| Variable                    | Default                                | Description                                                              |
| --------------------------- | -------------------------------------- | ------------------------------------------------------------------------ |
| `PORT`                      | `3000`                                 | Server listen port                                                       |
| `HOST`                      | `0.0.0.0`                              | Server bind address. Set to `127.0.0.1` in production when behind Nginx. |
| `CORS_ORIGIN`               | `http://localhost:8081`                | Allowed CORS origin for browser requests. Set to your dashboard URL.     |
| `PARMANA_POLICIES_ROOT`     | `/app/policies`                        | Path to compiled policy bundle directory.                                |
| `PARMANA_TRUST_ROOT`        | `/app/trust/trust-root.json`           | Path to the trust root metadata JSON.                                    |
| `PARMANA_TRUST_PUBLIC_KEY`  | `/app/trust/root.pub`                  | Path to the trust root PEM public key.                                   |
| `PARMANA_RELEASE_MANIFEST`  | `/app/artifacts/release-manifest.json` | Path to the release manifest.                                            |
| `PARMANA_RELEASE_SIGNATURE` | `/app/artifacts/release-manifest.sig`  | Path to the release manifest signature.                                  |

***

## Required file paths

The server verifies these paths exist at startup. If any are missing, the server exits with an error:

```
/app/policies/                     ← directory — must exist, may be empty
/app/trust/root.pub                ← trust root public key (PEM)
/app/trust/trust-root.json         ← trust root metadata
/app/artifacts/release-manifest.json ← release manifest
```

Override these defaults using the `PARMANA_*` variables above.
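
A pre-flight check for the variables and paths documented above, as an added example that is not part of the Parmana server or its own tooling. The names `parmana_preflight`, `pf_fail` and `pf_warn` are hypothetical, and the check assumes every variable shown in a signing provider pattern must be present.

```shell
#!/bin/sh
# Added example: hypothetical pre-flight helper, not part of the Parmana server.
# Prints one line per finding; return status = number of FAIL findings.

pf_fail() { echo "FAIL: $*"; pf_fails=$((pf_fails + 1)); }
pf_warn() { echo "WARN: $*"; }

parmana_preflight() {
  pf_fails=0

  # Required, no default: the server will not start without it.
  [ -n "${REDIS_URL:-}" ] || pf_fail "REDIS_URL is not set"

  # Empty key => every API request is accepted without authentication.
  [ -n "${PARMANA_API_KEY:-}" ] || pf_fail "PARMANA_API_KEY is empty (no auth)"
  # Empty URL => no audit records are stored and /audit/* returns 503.
  [ -n "${AUDIT_DATABASE_URL:-}" ] || pf_warn "AUDIT_DATABASE_URL is empty (no audit)"
  # Default bind is 0.0.0.0; the page advises 127.0.0.1 behind Nginx.
  [ "${HOST:-0.0.0.0}" = "127.0.0.1" ] || pf_warn "HOST=${HOST:-0.0.0.0}, expected 127.0.0.1 behind Nginx"

  # Assumption: every variable shown in a provider pattern must be present.
  case "${PARMANA_SIGNING_PROVIDER:-}" in
    env)
      [ -n "${PARMANA_SIGNING_PRIVATE_KEY:-}" ] || pf_fail "PARMANA_SIGNING_PRIVATE_KEY is not set"
      [ -n "${PARMANA_SIGNING_PUBLIC_KEY:-}" ] || pf_fail "PARMANA_SIGNING_PUBLIC_KEY is not set"
      ;;
    disk)
      [ -r "${PARMANA_SIGNING_PRIVATE_KEY_PATH:-}" ] || pf_fail "private key file is not readable"
      [ -r "${PARMANA_SIGNING_PUBLIC_KEY_PATH:-}" ] || pf_fail "public key file is not readable"
      ;;
    *) pf_fail "PARMANA_SIGNING_PROVIDER must be env or disk" ;;
  esac

  # Paths the server verifies at startup; defaults taken from the tables above.
  [ -d "${PARMANA_POLICIES_ROOT:-/app/policies}" ] || pf_fail "policies directory is missing"
  for pf_file in \
    "${PARMANA_TRUST_PUBLIC_KEY:-/app/trust/root.pub}" \
    "${PARMANA_TRUST_ROOT:-/app/trust/trust-root.json}" \
    "${PARMANA_RELEASE_MANIFEST:-/app/artifacts/release-manifest.json}"
  do
    [ -f "$pf_file" ] || pf_fail "required file is missing: $pf_file"
  done

  return "$pf_fails"
}
```

Source the file and call `parmana_preflight` from the container entrypoint or a CI step before the server starts; a non-zero status is the number of blocking findings.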

***

## Replay store configuration

The server uses `RedisReplayStore` when `REDIS_URL` is set. The TTL values are hardcoded in the current release:

| Setting          | Value       |
| ---------------- | ----------- |
| Reservation TTL  | 300 seconds |
| Failed state TTL | 30 seconds  |

To use a custom `ReplayStore` implementation, use `@parmanasystems/core` directly rather than the server package.

***

## Rate limits

Rate limits are applied by `@fastify/rate-limit` and are not configurable via environment variable in the current release:

| Route           | Limit                          |
| --------------- | ------------------------------ |
| `POST /execute` | 100 requests per minute per IP |

Configure additional rate limiting at the Nginx layer.

***

## Health check

No environment variable is needed for health checks. `GET /health` is always available and does not require authentication.
