# Environment Variables

> Complete table of all Parmana server environment variables

## All variables

| Variable                           | Required    | Default                                | Description                                                                                              |
| ---------------------------------- | ----------- | -------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| `REDIS_URL`                        | **Yes**     | —                                      | Redis connection string. Example: `redis://localhost:6379`. Required — server will not start without it. |
| `PARMANA_API_KEY`                  | Recommended | `""`                                   | Bearer token for API authentication. If empty, all requests are accepted without authentication.         |
| `AUDIT_DATABASE_URL`               | Recommended | `""`                                   | PostgreSQL connection string. If empty, audit records are not stored.                                    |
| `PARMANA_SIGNING_PROVIDER`         | **Yes**     | —                                      | Signing key source: `"env"` or `"disk"`.                                                                 |
| `PARMANA_SIGNING_PRIVATE_KEY`      | Conditional | —                                      | PEM-encoded Ed25519 private key. Required when `PARMANA_SIGNING_PROVIDER=env`.                           |
| `PARMANA_SIGNING_PUBLIC_KEY`       | Conditional | —                                      | PEM-encoded Ed25519 public key. Required when `PARMANA_SIGNING_PROVIDER=env`.                            |
| `PARMANA_SIGNING_PRIVATE_KEY_PATH` | Conditional | —                                      | Path to PEM private key file. Required when `PARMANA_SIGNING_PROVIDER=disk`.                             |
| `PARMANA_SIGNING_PUBLIC_KEY_PATH`  | Conditional | —                                      | Path to PEM public key file. Required when `PARMANA_SIGNING_PROVIDER=disk`.                              |
| `PORT`                             | No          | `3000`                                 | Server listen port.                                                                                      |
| `HOST`                             | No          | `0.0.0.0`                              | Server bind address. Use `127.0.0.1` in production when behind Nginx.                                    |
| `CORS_ORIGIN`                      | No          | `http://localhost:8081`                | Allowed CORS origin for browser requests.                                                                |
| `PARMANA_POLICIES_ROOT`            | No          | `/app/policies`                        | Directory path for compiled policy bundles.                                                              |
| `PARMANA_TRUST_ROOT`               | No          | `/app/trust/trust-root.json`           | Path to trust root metadata JSON.                                                                        |
| `PARMANA_TRUST_PUBLIC_KEY`         | No          | `/app/trust/root.pub`                  | Path to trust root PEM public key.                                                                       |
| `PARMANA_RELEASE_MANIFEST`         | No          | `/app/artifacts/release-manifest.json` | Path to release manifest JSON.                                                                           |
| `PARMANA_RELEASE_SIGNATURE`        | No          | `/app/artifacts/release-manifest.sig`  | Path to release manifest Ed25519 signature.                                                              |

***

## Signing key — Option A (env)

Set key material directly in the environment. Suitable for Docker environments where secrets are injected via secrets managers.

```bash
PARMANA_SIGNING_PROVIDER=env
PARMANA_SIGNING_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIMqFRG...
-----END PRIVATE KEY-----"
PARMANA_SIGNING_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----"
```

<Warning>
  Never write private key material to `.env` files in version control. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, Docker secrets) and inject at deploy time.
</Warning>

***

## Signing key — Option B (disk)

Load key files from the filesystem. Suitable when keys are managed via filesystem permissions or HSM-backed volumes.

```bash
PARMANA_SIGNING_PROVIDER=disk
PARMANA_SIGNING_PRIVATE_KEY_PATH=/secure/parmana/private.pem
PARMANA_SIGNING_PUBLIC_KEY_PATH=/secure/parmana/public.pem
```

Mount the key directory as read-only in Docker:

```yaml
volumes:
  - /path/to/keys:/secure/parmana:ro
```

***

## Minimal working configuration

The minimum set required to start the server with full functionality:

```bash
REDIS_URL=redis://redis:6379
PARMANA_API_KEY=your-secret-key
AUDIT_DATABASE_URL=postgresql://Parmana:password@postgres:5432/Parmana_audit
PARMANA_SIGNING_PROVIDER=env
PARMANA_SIGNING_PRIVATE_KEY=<PEM private key>
PARMANA_SIGNING_PUBLIC_KEY=<PEM public key>
```

The remaining variables use defaults that work in the standard Docker setup.
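
Several of the settings above start cleanly while leaving the API unauthenticated or the audit trail empty. The following preflight check is an added example, not Parmana's own code: `parmana_preflight` is a hypothetical helper name, and its rules are taken from the table and the sample configuration on this page.

```bash
# Added example: parmana_preflight is a hypothetical helper, not part of Parmana.
# Prints ERROR/WARN lines for the current environment; returns 1 on any ERROR.
parmana_preflight() {
  rc=0
  err()  { echo "ERROR: $*"; rc=1; }
  warn() { echo "WARN: $*"; }
  provider="${PARMANA_SIGNING_PROVIDER:-}"

  # Variables the table marks as required or conditionally required.
  [ -n "${REDIS_URL:-}" ] || err "REDIS_URL is required"
  case "$provider" in
    env)  required="PARMANA_SIGNING_PRIVATE_KEY PARMANA_SIGNING_PUBLIC_KEY" ;;
    disk) required="PARMANA_SIGNING_PRIVATE_KEY_PATH PARMANA_SIGNING_PUBLIC_KEY_PATH" ;;
    *)    required=""; err "PARMANA_SIGNING_PROVIDER must be \"env\" or \"disk\"" ;;
  esac
  for v in $required; do
    eval "val=\${$v:-}"   # indirect lookup; $v only comes from the fixed lists above
    if [ -z "$val" ]; then
      err "$v is required when PARMANA_SIGNING_PROVIDER=$provider"
    elif [ "$provider" = disk ] && { [ ! -f "$val" ] || [ ! -r "$val" ]; }; then
      err "$v is not a readable file: $val"
    elif [ "$v" = PARMANA_SIGNING_PRIVATE_KEY_PATH ] &&
         [ -n "$(find -L "$val" \( -perm -040 -o -perm -004 \) -print)" ]; then
      warn "$val is readable by group or other; restrict it to the server user"
    fi
  done

  # Settings that start cleanly but weaken the deployment.
  case "${PARMANA_API_KEY:-}" in
    "")              warn "PARMANA_API_KEY is empty: all requests are accepted without authentication" ;;
    your-secret-key) warn "PARMANA_API_KEY is still the placeholder from the sample configuration" ;;
  esac
  [ -n "${AUDIT_DATABASE_URL:-}" ] || warn "AUDIT_DATABASE_URL is empty: audit records are not stored"
  [ "${HOST:-0.0.0.0}" != "0.0.0.0" ] || warn "HOST is 0.0.0.0: listening on all interfaces"
  return "$rc"
}
```

Call it in the same environment the server starts in and stop the deploy on a non-zero exit.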

***

## Generating Ed25519 keys

```bash
# Generate a key pair (OpenSSL)
openssl genpkey -algorithm ed25519 -out private.pem
openssl pkey -in private.pem -pubout -out public.pem
```

Or using Node.js:

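```typescript
import crypto from "node:crypto";
import fs from "node:fs";

// Generate an Ed25519 key pair as PEM (PKCS#8 private key, SPKI public key).
const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519", {
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
  publicKeyEncoding:  { type: "spki",  format: "pem" },
});

// Create the private key file readable by its owner only. Without an explicit
// mode the file follows the process umask and is typically world-readable.
// The mode applies only when the file is created, not to an existing file.
fs.writeFileSync("private.pem", privateKey, { mode: 0o600 });
fs.writeFileSync("public.pem", publicKey);
```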

Distribute `public.pem` to auditors and verifiers. Keep `private.pem` in a secrets manager.
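
Before deploying or distributing the keys, it is worth confirming that the two files really are one Ed25519 pair. The check below is an added example, not part of Parmana: `parmana_keypair_check` and `parmana_pubkey_fingerprint` are hypothetical helper names, and it assumes unencrypted PEM files as produced by the commands above.

```bash
# Added example: hypothetical helpers, not part of Parmana.
# Usage: parmana_keypair_check private.pem public.pem
# Returns 0 if the files form one Ed25519 pair, 1 if the public key belongs to
# a different private key, 2 if either file is unparsable or not Ed25519.
parmana_keypair_check() {
  priv=$1 pub=$2
  # Derive the public half from the private key; private bytes are never printed.
  derived=$(openssl pkey -in "$priv" -pubout 2>/dev/null) || return 2
  # Re-encode the supplied public key so whitespace differences do not matter.
  given=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null) || return 2
  for pem in "$derived" "$given"; do
    printf '%s\n' "$pem" | openssl pkey -pubin -noout -text 2>/dev/null |
      grep -q '^ED25519 Public-Key' || return 2
  done
  [ "$derived" = "$given" ] || return 1
}

# SHA-256 over the DER-encoded public key: a short value to publish alongside
# public.pem so auditors and verifiers can confirm they hold the right key.
parmana_pubkey_fingerprint() {
  openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 2
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
```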
