Environment Variables
The env vars are only applicable to the Jackson service. If you are using the npm library then look for the options below when initializing the library.
General configuration
HOSTNAME
If you need to bind to a specific hostname, you can define HOSTNAME environment variable.
For example, if you are planning to use a Docker health check like wget -q --spider http://localhost:{PORT}/api/health || exit 1 set HOSTNAME=0.0.0.0 to listen to localhost.
HOST_URL
The URL to bind to.
Default: localhost
PORT
The port to bind to.
Default: 5225
EXTERNAL_URL
The public URL to reach this service. This is used internally to construct the callback url at which the SAML/OIDC IdP sends back the authorization response.
Default: http://{HOST_URL}:{PORT}
NPM library option: externalUrl
JACKSON_API_KEYS
A comma separated list of API keys that will be validated when serving the API requests for SSO connection (/api/v1/connections) and Directory Sync (/api/v1/directory-sync).
For example JACKSON_API_KEYS=key1,key2,key3
The API requests will then need to specify an Authorization header which contains one of the API keys above in this format: Api-Key key1
SAML_AUDIENCE
The value of this setting (same as SP EntityID of Jackson) allows the Jackson instance to verify that it is the intended recipient of a SAML response. The same value is also set in the SAML App created on the IdP end by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML App again. It is case-sensitive. This does not have to be a real URL.
Default: https://saml.boxyhq.com
NPM library option: samlAudience
samlPath
NOTE: This is only applicable to our npm library.
The ACS path at which the saml response is sent back from the SAML IdP. Set this when using the npm package.
NPM library option: samlPath
For example: /api/oauth/saml
oidcPath
NOTE: This is only applicable to our npm library.
The redirect_uri at which the Authorization response is sent back from the OpenID Connect IdP. Set this when using the npm package.
NPM library option: oidcPath
For example: /api/oauth/oidc
IDP_DISCOVERY_PATH
This is the path for showing the IdP Selection screen in case there are multiple SSO Connections for the same tenant and product.
This path is also used to show the App Selection screen in the case of IdP-initiated SAML login (Different apps using the same SAML IdP).
Set this when using the npm package.
NPM library option: idpDiscoveryPath
For example: /idp/select - You can find an implementation of IdP/App Selection here.
CLIENT_SECRET_VERIFIER
When tenant and product are used for the SAML flow (and PKCE is not being used) then we use dummy as placeholders for client_id and client_secret. This is not a security issue because SAML is tenanted and hence your Identity Provider will block access to anyone trying to log into your SAML tenant. However for additional security you should set CLIENT_SECRET_VERIFIER to a random secret and use that value as the client_secret during the OAuth 2.0 flow.
Default: dummy
NPM library option: clientSecretVerifier
IDP_ENABLED
Set to true to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times.
Default: false
NPM library option: idpEnabled
PUBLIC_KEY
This is the public key of the private key used to sign the SAML requests. Jackson expects the public key to be base64 encoded.
NPM library option: certs.publicKey
PRIVATE_KEY
This is the private key used to sign the SAML requests. Jackson expects the private key to be base64 encoded.
NPM library option: certs.privateKey
To generate a private key and public key pair you can use the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes
# Convert the public key to base64
cat public.crt | base64
# Convert the private key to base64
cat key.pem | base64
OpenID configuration
For supporting OpenID flow, we need to set the algorithm and keys used to sign the ID token JWT.
OPENID_JWS_ALG
The algorithm used to sign the id_token. Jackson uses jose to create the ID token. Supported algorithms can be found here.
Default: RS256
NPM library option: openid.jwsAlg
OPENID_RSA_PRIVATE_KEY
Base64 value of private key. To generate one:
openssl genrsa -out private-key.pem 3072
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private_key.pem
cat private_key.pem | base64
NPM library option: openid.jwtSigningKeys.private
OPENID_RSA_PUBLIC_KEY
Base64 value of public key. You can generate the public key from the private key as shown below:
openssl rsa -in private_key.pem -pubout -out public_key.pem
cat public_key.pem | base64
NPM library option: openid.jwtSigningKeys.public
OPENID_REQUEST_PROFILE_SCOPE
By setting this to false, the profile scope will no longer be automatically included in the Authorization request to the OIDC provider. This will enable apps to request the minimum required authorization permissions from the signed in user. Apps can explicitly send the profile scope in the request to Jackson which will then be forwarded to the OIDC provider.
Default: true
NPM library option: openid.requestProfileScope
Database configuration
DB_ENGINE
Supported values are redis, sql, mongo, mem, planetscale, dynamodb
Default: sql
NPM library option: db.engine
NOTE: If you are using DynamoDB then you also need to set
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY. For additional options like region and capacity units check this section
NOTE:
memDB (In memory database) is useful to test the Jackson setup locally and is not intended for production. In a serverless deployment like Vercel, the mem DB won't persist across API calls since each call is a fresh lambda invocation with an entirely new context.
DB_TYPE
Only needed when DB_ENGINE is sql. Supported values are postgres, mysql, mariadb, mssql
Default: postgres
NPM library option: db.type
DB_URL
The database URL to connect to. If you are using self-signed certificates then pass sslmode=no-verify instead of sslmode=require in the DB_URL. This is because self-signed certs will be rejected as unauthorized in strict mode. Also, set DB_SSL=true and DB_SSL_REJECT_UNAUTHORIZED=false (see env vars below for more details).
Example: postgres://postgres:postgres@localhost:5432/postgres or postgres://postgres:postgres@localhost:5432/postgres?sslmode=no-verify
For mssql the URL takes the form of sqlserver://localhost:1433;database=<db name>;username=<username>;password=<password>;encrypt=true
NOTE: If you are using DynamoDB then you also need to set
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY. For additional options like region and capacity units check this section
NPM library option: db.url
DB_SSL
This needs to be set to true if you are using SSL with your database (You should definitely be using SSL if the database needs to be access via a public url).
Default: false
DB_SSL_REJECT_UNAUTHORIZED
If you are using a self-signed certificate then set this to false, otherwise it will be rejected due to Certificate Authority checks.
Default: true
DB_MANUAL_MIGRATION
Set this to true to trigger execution of migration scripts when you use our Jackson docker image.
Optionally you can run the npm scripts present in ./npm/package.json to run db specific migrations.
Make sure you have set the correct value for DB_ENGINE environment variable as the migration script checks that to run correct command and migration file.
NPM library option: db.manualMigration
Default: false
DB_TTL
TTL for the code, session and token stores (in seconds)
Default: 300
NPM library option: db.ttl
DB_CLEANUP_LIMIT
Limit cleanup of TTL entries to this number
Default: 1000
NPM library option: db.cleanupLimit
DB_ENCRYPTION_KEY
To encrypt data at rest specify a 32 byte key (encoded in base64)
You can use openssl to generate a random 32 byte key:
openssl rand -base64 32
NPM library option: db.encryptionKey
PGSSLMODE
If you use Heroku to deploy Postgres (or use self-signed certs for Postgres) then set this to no-verify. See Heroku docs for more details
DB_DYNAMODB_REGION
If you are using DynamoDB then you can specify the region.
Default: us-east-1
NPM library option: db.dynamodb.region
DB_DYNAMODB_RCUS
If you are using DynamoDB then you can specify the read capacity units. Check AWS docs for more details
Default: 5
NPM library option: db.dynamodb.readCapacityUnits
DB_DYNAMODB_WCUS
If you are using DynamoDB then you can specify the write capacity units.
Default: 5
NPM library option: db.dynamodb.writeCapacityUnits
Webhook configuration
WEBHOOK_URL
Specify a webhook URL to receive events about sso and directory connections.
NPM library option: webhook.endpoint
WEBHOOK_SECRET
Specify a secret to be used to sign the webhook payload. This is used to verify the authenticity of the webhook payload.
NPM library option: webhook.secret
Both the WEBHOOK_URL and WEBHOOK_SECRET are required to enable webhook events.
Pre-loaded Connections
PRE_LOADED_CONNECTION
If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load IdP (both OpenID and SAML)connections. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section. Check this section for more details
NPM library option: preLoadedConnection
Opentelemetry configuration
Jackson supports observability via OpenTelemetry. The following env vars are available for configuration (along with the rest of the supported ones)
OTEL_EXPORTER_OTLP_ENDPOINT or OTEL_EXPORTER_OTLP_METRICS_ENDPOINT
Target URL to which the exporter is going to send metrics.
Example: https://ingest.lightstep.com:443/metrics/otlp/v0.6
OTEL_EXPORTER_OTLP_HEADERS or OTEL_EXPORTER_OTLP_METRICS_HEADERS
Headers relevant for the endpoint, useful for specifying authentication details for providers.
Example: lightstep-access-token=<token>,...
OTEL_EXPORTER_OTLP_PROTOCOL or OTEL_EXPORTER_OTLP_METRICS_PROTOCOL
The transport protocol. Options MUST be one of: grpc, http/protobuf or http/json.
OTEL_EXPORTER_DEBUG
Set this to true to enable debug logs for Opentelemetry. This is only meant for purposes of debugging otel locally.
Admin Portal configuration
Below variables are used to enable Magic link based authentication for Admin Portal. The SMTP_ variables are used for sending email which contain the magic link (one-time use) for sign in.
SMTP_HOST
The SMTP host like smtp.example.com.
SMTP_PORT
The SMTP server port like 587.
SMTP_USER
Username for the SMTP server.
SMTP_PASSWORD
Password for the SMTP server.
SMTP_FROM
From address used to send mail like: [email protected].
NEXTAUTH_URL
When running locally this will point to the local server: http://localhost:5225. When deploying to production, set this to the canonical URL of the site. More details here.
NEXTAUTH_SECRET
Set this to a random string. You can use openssl rand -base64 32 to get one. This secret is used to encrypt JWT and hash the email verification token. More details here.
NEXTAUTH_ACL
Set this to a comma separated string of email addresses or glob patterns like: [email protected],*@marvel.com. Access will be denied to email addresses which don't match. If you don't specify any value access is denied to all.
NEXTAUTH_ADMIN_CREDENTIALS
Set this to a comma separated string of the pattern email:password to enable login to the Admin Portal, for example [email protected]:Password123. If you don't specify any value access is denied to all.
ADMIN_PORTAL_SSO_TENANT
This will be used as the tenant for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections.
Default: _jackson_boxyhq
ADMIN_PORTAL_SSO_PRODUCT
This will be used as the product for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections.
Default: _jackson_admin_portal
RETRACED_HOST_URL
If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the URL of the service.
RETRACED_EXTERNAL_URL
If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the Public URL of the service. If this is the same as RETRACED_HOST_URL above then you can skip this and it will default to the value of RETRACED_HOST_URL.
Default: It is set to RETRACED_HOST_URL if RETRACED_EXTERNAL_URL is not defined.
RETRACED_ADMIN_ROOT_TOKEN
you need to set the admin root token for Retraced so that we can connect to Retraced and fetch projects and audit logs.
Anonymous Analytics
BOXYHQ_NO_TELEMETRY or DO_NOT_TRACK
Set one of these to 1 or true to turn off our anonymous analytics. We only track usage events once per day and it does not contain any information that can identify you in any form.
Directory Sync
The following env vars are used to configure the directory sync feature.
DSYNC_GOOGLE_ env vars are only applicable if you are using Google Workspace as a directory sync provider.
DSYNC_WEBHOOK_BATCH_SIZE
Enable batch processing of directory sync events. The value represents the number of events to batch together instead of sending each event individually. This requires you to configure a cron job to process the queued events. Alternatively you can set DSYNC_WEBHOOK_BATCH_CRON_INTERVAL below if you are not deploying the service in an Edge environment.
DSYNC_WEBHOOK_BATCH_CRON_INTERVAL
The cron interval at which to process the queued events. Provide a number in seconds. By default, the cron job is disabled.
NPM library option: dsync.webhookBatchCronInterval
DSYNC_GOOGLE_CRON_INTERVAL
The cron interval at which to sync the Google Workspace. Provide a number in seconds. By default, the cron job is disabled.
NPM library option: dsync.providers.google.cronInterval
DSYNC_GOOGLE_CLIENT_ID
The Google authentication client ID.
NPM library option: dsync.providers.google.clientId
DSYNC_GOOGLE_CLIENT_SECRET
The Google authentication client secret.
NPM library option: dsync.providers.google.clientSecret
dsync.providers.google.authorizePath
The authorization endpoint for Google SCIM.
NPM library option: dsync.providers.google.authorizePath
For example: /api/scim/oauth/authorize
dsync.providers.google.callbackPath
The path to redirect to after completing the authorization request for Google SCIM.
NPM library option: dsync.providers.google.callbackPath
For example: /api/scim/oauth/callback
Enterprise Features
BOXYHQ_LICENSE_KEY
Contact us to obtain a license for our Enterprise Features - Portal Branding, Identity Federation and Ory Integration.
Enterprise Features - Ory Integration
ENTERPRISE_ORY_SDK_TOKEN
Your Ory Network Session Token. To obtain this use the Ory CLI and copy out your session token.
ENTERPRISE_ORY_PROJECT_ID
Your Ory Network Project ID.