Skip to content

Configuration

All configuration is done via environment variables.

VariableRequiredDefaultDescription
BASE_URLPublic URL of the Taco instance (e.g. https://taco.example.com)
BETTER_AUTH_SECRET32-byte random secret for session signing. Generate with npm run auth:secret
PLAN_TIERlitelite, team, or business. Baked into the Docker image at build time
VariableRequiredDefaultDescription
DATABASE_URLPostgreSQL connection string (e.g. pgsql://user:pass@host:5432/taco)
DATABASE_DIALECTpostgresqlDatabase dialect. Only postgresql is supported
DATABASE_CLIENTpostgresqlDatabase client. Only postgresql is supported
VariableRequiredDefaultDescription
EMAIL_FROMSender address (e.g. Taco <noreply@example.com>)
EMAIL_SERVERSMTP connection string (e.g. smtps://user:pass@smtp.example.com)

Protect the Taco dashboard itself behind an upstream OIDC provider.

VariableRequiredDefaultDescription
AUTH_CLIENT_OPENID_CONFIGURATION_URLDiscovery URL of the upstream OIDC issuer
AUTH_CLIENT_IDOIDC client ID for Taco’s own login
AUTH_CLIENT_SECRETOIDC client secret
AUTH_CLIENT_SCOPEopenid profile emailRequested scopes
VariableRequiredDefaultDescription
OPENID_PROVIDERProvisioning backend: ory, auth0, entra, or rfc7592

Generic credentials Taco uses to call the selected provider’s management API. Not needed for Auth0 or Entra ID, which use their own provider-specific variables (see below).

VariableRequiredDefaultDescription
OPENID_PROVIDER_AUTH_TYPEnone or client_credentials
OPENID_PROVIDER_AUTH_ISSUERwhen client_credentialsToken endpoint issuer used to fetch admin access tokens
OPENID_PROVIDER_AUTH_CLIENT_IDwhen client_credentialsAdmin client ID
OPENID_PROVIDER_AUTH_CLIENT_SECRETwhen client_credentialsAdmin client secret
OPENID_PROVIDER_AUTH_TOKEN_METHODclient_secret_postclient_secret_post or client_secret_basic
OPENID_PROVIDER_AUTH_SCOPEScope requested for the admin access token
OPENID_PROVIDER_AUTH_AUDIENCEAudience requested for the admin access token
VariableRequiredDefaultDescription
ORY_BASE_URLBase URL of the Hydra Admin API (e.g. http://localhost:4445)
VariableRequiredDefaultDescription
AUTH0_DOMAINYour Auth0 tenant domain (e.g. your-tenant.auth0.com)

Uses OPENID_PROVIDER_AUTH_CLIENT_ID / OPENID_PROVIDER_AUTH_CLIENT_SECRET above as the Management API M2M application credentials.

VariableRequiredDefaultDescription
ENTRA_TENANT_IDDirectory (tenant) ID
ENTRA_CLIENT_IDApplication (client) ID of the app registration Taco uses to call Microsoft Graph
ENTRA_CLIENT_SECRETClient secret for that app registration
ENTRA_SIGN_IN_AUDIENCEAzureADMyOrgAzureADMyOrg, AzureADMultipleOrgs, or AzureADandPersonalMicrosoftAccount
VariableRequiredDefaultDescription
RFC7592_BASE_URLBase URL of the authorization server. Taco uses {RFC7592_BASE_URL}/register as the registration endpoint

Statistics aggregation (Team / Business tiers)

Section titled “Statistics aggregation (Team / Business tiers)”
VariableRequiredDefaultDescription
STATS_CRON_SECRETBearer token required by POST /api/cron/aggregation
STATS_AGGREGATION_INTERVAL_MINUTES1440Business tier only — aggregation interval in minutes
STATS_WEBHOOK_SECRETOptional — validates incoming webhook payloads to /api/events/ingest