Translato is configured primarily through environment variables. This document provides a comprehensive list of all available settings for the API Server and Web Application.
1. API Server (apps/api/.env)
Required for Production
| Variable | Default | Description |
|---|---|---|
| NODE_ENV | development | Environment mode (production, development, test) |
| DATABASE_URL | — | PostgreSQL connection string |
| REDIS_URL | redis://localhost:6379 | Redis connection string |
| JWT_ACCESS_TOKEN_SECRET | — | Signing secret (≥64 chars) |
| JWT_REFRESH_TOKEN_SECRET | — | Signing secret (≥64 chars) |
| CSRF_TOKEN_SECRET | — | CSRF token HMAC secret (≥32 chars) |
| VCS_ENCRYPTION_KEY | — | AES-256-GCM encryption key (≥32 chars) |
| ALLOWED_ORIGINS | — | CORS allowed origins (comma-separated) |
Server Configuration
| Variable | Default | Description |
|---|---|---|
| PORT | 3003 | API server port |
| HOST | 0.0.0.0 | Listen address |
| MAX_UPLOAD_SIZE | 10485760 | Max file upload (bytes, default 10MB) |
| BACKUP_STORAGE_DIR | ./data/backups | Path for project backups |
Authentication & Cookies
| Variable | Default | Description |
|---|---|---|
| COOKIE_SECURE | false | Require HTTPS for cookies (must be true in prod) |
| COOKIE_SAME_SITE | lax | Cookie SameSite policy |
| BCRYPT_ROUNDS | 12 | Password hashing rounds |
| MAX_LOGIN_ATTEMPTS | 5 | Failed login attempts before lockout (15 min) |
| EMAIL_VERIFICATION_REQUIRED | false | Block access for unverified users |
External Integrations
VCS (OAuth)
GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET
GITLAB_CLIENT_ID / GITLAB_CLIENT_SECRET
Machine Translation
DEEPL_API_KEY
GOOGLE_TRANSLATE_API_KEY
OPENAI_API_KEY
ANTHROPIC_API_KEY
GEMINI_API_KEY
Email Delivery
RESEND_API_KEY
SUPPORT_EMAIL (default: support@translato.dev)
2. Web App (apps/web/.env.local)
| Variable | Required | Default | Description |
|---|---|---|---|
| NEXT_PUBLIC_API_URL | Yes | http://localhost:3003 | Fastify API URL |
| NEXT_PUBLIC_APP_URL | No | http://localhost:3002 | Public URL for this app |
| NEXT_PUBLIC_APP_NAME | No | Translato | Display name in UI |
| API_PROXY_URL | No | — | Backend URL for Next.js rewrites (Docker) |
3. Security Notes
- Secrets: Never commit .env files to version control.
- Validation: The server will refuse to start in production mode if critical secrets (JWT, VCS, CSRF) are weak or missing.
- Key Rotation: You can rotate secrets by updating the environment variable. Existing sessions will be invalidated.
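
The startup validation described in the Validation note can be reproduced as a pre-deploy check. The following is an added example, not Translato's own code: the function name `validateProductionEnv` is hypothetical, "weak" is assumed to mean shorter than the minimum lengths in the tables above, and the distinct-JWT-secrets check is an extra assumption not stated on this page.

```javascript
// Added example (not Translato's code). Minimum lengths are taken from the
// "Required for Production" table; length is only a proxy for secret strength.
const MIN_LENGTHS = {
  JWT_ACCESS_TOKEN_SECRET: 64,
  JWT_REFRESH_TOKEN_SECRET: 64,
  CSRF_TOKEN_SECRET: 32,
  VCS_ENCRYPTION_KEY: 32,
};
const REQUIRED_IN_PROD = ['DATABASE_URL', 'ALLOWED_ORIGINS'];

// Returns a list of problems; an empty list means the environment passes.
function validateProductionEnv(env) {
  if (env.NODE_ENV !== 'production') return [];
  const problems = [];
  for (const [name, min] of Object.entries(MIN_LENGTHS)) {
    const value = env[name] ?? '';
    if (value.length === 0) problems.push(`${name} is missing`);
    else if (value.length < min) problems.push(`${name} is shorter than ${min} chars`);
  }
  for (const name of REQUIRED_IN_PROD) {
    if (!env[name]) problems.push(`${name} is missing`);
  }
  // The cookie table says COOKIE_SECURE must be true in production.
  if (env.COOKIE_SECURE !== 'true') problems.push('COOKIE_SECURE must be true');
  // Extra check (assumption, not stated on the page): distinct JWT secrets.
  if (env.JWT_ACCESS_TOKEN_SECRET &&
      env.JWT_ACCESS_TOKEN_SECRET === env.JWT_REFRESH_TOKEN_SECRET) {
    problems.push('JWT access and refresh secrets must differ');
  }
  return problems;
}

// Constructed sample input: short refresh secret, no VCS key, no CORS origins,
// insecure cookies.
const sampleEnv = {
  NODE_ENV: 'production',
  DATABASE_URL: 'postgresql://user:pass@db.example.internal:5432/translato',
  JWT_ACCESS_TOKEN_SECRET: 'a'.repeat(64),
  JWT_REFRESH_TOKEN_SECRET: 'short',
  CSRF_TOKEN_SECRET: 'c'.repeat(32),
  COOKIE_SECURE: 'false',
};

for (const problem of validateProductionEnv(sampleEnv)) {
  console.error(`config error: ${problem}`);
}
```

In a CI or container entrypoint, pass `process.env` instead of the sample object and exit non-zero when the returned list is not empty.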