Skip to main content

Environment Variables

The following environment variables can be set to configure the Coral Server. You can expose them in your shell via export NODE_ENV=development or by placing the variables in a .env file under the server/ directory of the project in a simple NODE_ENV=development format delimited by newlines.

Required Configuration Variables#


The port to listen for HTTP and WebSocket requests. (Default 3000)


The MongoDB database URI to connect to. (Default mongodb://


The Redis database URI to connect to. (Default redis://


The shared secret to use to sign JSON Web Tokens (JWT) with the selected signing algorithm. (Default: keyboard cat)

Note: While there is a default for this so development can be simplified, Coral will throw a runtime error in the event it's started with NODE_ENV=production and the SIGNING_SECRET="keyboard cat" to prevent insecure installations. This must be set in production to something long and secure. You can use openssl to help with that:

openssl rand -base64 45

Advanced Configuration Variables#


Can be one of production or development. All production deployments should use production. Defaults to production when ran with pnpm run start, or with Docker deployments. Defaults to development when run with pnpm run start:development.


A JSON string with optional configuration options to be used when connecting to Redis as specified in the ioredis documentation. (Default: {})


The signing algorithm to use for signing tokens. (Default HS256).

Supported algorithms are:

  • HS256
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512


Specify the default locale to use for all requests without a locale specified. (Default en-US)


The logging level that can be set to one of fatal, error, warn, info, debug, or trace. (Default info)


Forces SSL in production by redirecting all HTTP requests to HTTPS, and sending HSTS headers. (Default false)

Coral does not provide or manage HTTPS certificates. If you want to enable HTTPS, you must configure a proxy in front of Coral such as Caddy.

Troubleshooting: If you are seeing redirect loops when trying to access pages like the admin, you may need to configure TRUST_PROXY to tell Coral which upstream proxies to trust.

Warning: When FORCE_SSL=true, Coral will send HSTS headers that will force web browsers to connect via HTTPS for the next 60 days. By forcing SSL use you'll need to provide a secure connection to your Coral instance for at least the next 60 days.


When true, the comment stream will not create a WebSocket connection to get live comment updates. This applies across all tenants on the installation, and cannot be turned back on via the interface. (Default false)


Stories that have not received a comment within this time frame will pause live updates automatically. Once a single comment is received on these stories, live updates will be re-enabled until the story sits idle for the timeout value, parsed by ms. (Default 2 weeks)


When true, all tenants will be loaded from the database when needed rather than keeping a in-memory copy in sync via published events on Redis. (Default false)


When true, it will enable the interactive GraphQL developer environment at the /graphiql route. This will also disable persisted (Default false)

Note: We do not recommend using this in production environments as it disables many safety features used by the application to provide it.


The username for Basic Authentication at the /metrics route. If not provided with METRICS_PASSWORD, no authentication will be added to this route.


The password for Basic Authentication at the /metrics route. If not provided with METRICS_USERNAME, no authentication will be added to this route.


Prometheus metrics are provided at this port under /metrics route. (Default 9000)


The request timeout for scraping operations, parsed by ms. (Default 10 seconds)


The maximum size (in bytes) to allow for scraping responses. (Default 10e6)


The URI that static assets can be accessed from. This URI can be to a proxy that uses this Coral server on PORT as the upstream. Disabled by default.


When provided, it configures the "trust proxy" settings for Express. If you are encountering issues where URLs in the administration are showing with a http instead of https, you may need to set the TRUST_PROXY setting. Refer to for possible values of this configuration variable as it pertains to your setup.


The interval that should be used to send keep alive messages over WebSocket to keep the socket open, parsed by ms. (Default 30s)


The length of time that a given request to test a comment against a given word list, parsed by ms. (Default 100ms)


The length of time that a given request should wait for a response when interacting with the Perspective API, parsed by ms. (Default 800ms)

Development Configuration Variables#

The following configuration variables are only enabled when the server has been started in development mode (where NODE_ENV=development).


The port where the Webpack Development server is running on. (Default 8080)


Used to disable the rate limiters used in Coral. (Default false)