Environment Variables
Lyntaris support different environment variables to configure your instance. You can specify the following variables in the .env file inside packages/server folder. Refer to .env.example file.
| Variable | Description | Type | Default |
|---|---|---|---|
| PORT | The HTTP port Flowise runs on | Number | 3000 |
| FLOWISE_FILE_SIZE_LIMIT | Maximum file size when uploading | String | 50mb |
| NUMBER_OF_PROXIES | Rate Limit Proxy | Number | |
| CORS_ORIGINS | The allowed origins for all cross-origin HTTP calls | String | |
| IFRAME_ORIGINS | The allowed origins for iframe src embedding | String | |
| SHOW_COMMUNITY_NODES | Display nodes that are created by community | Boolean: true or false | |
| DISABLED_NODES | Comma separated list of node names to disable | String |
Prompting Storage
Lyntaris can split prompting storage between draft and published content. When set to auto, the host determines where writes go.
| Variable | Description | Type | Default |
|---|---|---|---|
| PROMPTING_STORAGE_MODE | Storage mode for prompting (draft, published, auto) |
Enum String | auto |
| PROMPTING_STORAGE_DIR | Prompting storage directory | String | prompting |
| PROMPTING_STORAGE_DIR_DRAFT | Draft prompting storage directory | String | prompting-draft |
| PROMPTING_STORAGE_DIR_PUBLISHED | Published prompting storage directory | String | prompting-published |
| PROMPTING_DRAFT_HOSTS | Comma-separated hosts treated as draft writers when mode is auto |
String | localhost,127.0.0.1,host.docker.internal |
Notify Hub
Flowise exposes a WebSocket notify hub at /ws that broadcasts asset change events.
| Variable | Description | Type | Default |
|---|---|---|---|
| ASSETS_NOTIFY_SECRET | Secret required to connect to /ws |
String | |
| ASSETS_NOTIFY_ALLOW_INSECURE_DEV | Allow unauthenticated /ws when true (dev only) |
Boolean | false |
| ASSETS_NOTIFY_DEBOUNCE_MS | Debounce window for change events | Number | 10000 |
For Database
| Variable | Description | Type | Default |
|---|---|---|---|
| DATABASE_TYPE | Type of database to store the lyntaris data | Enum String: sqlite, mysql, postgres |
sqlite |
| DATABASE_PATH | Location where database is saved (When DATABASE_TYPE is sqlite) | String | your-home-dir/.lyntaris |
| DATABASE_HOST | Host URL or IP address (When DATABASE_TYPE is not sqlite) | String | |
| DATABASE_PORT | Database port (When DATABASE_TYPE is not sqlite) | String | |
| DATABASE_USER | Database username (When DATABASE_TYPE is not sqlite) | String | |
| DATABASE_PASSWORD | Database password (When DATABASE_TYPE is not sqlite) | String | |
| DATABASE_NAME | Database name (When DATABASE_TYPE is not sqlite) | String | |
| DATABASE_SSL | Database SSL is required (When DATABASE_TYPE is not sqlite) | Boolean: true or false |
false |
For Storage
Lyntaris store the following files under a local path folder by default.
- Files uploaded on Document Loaders/Document Store
- Image/Audio uploads from chat
- Images/Files from flows
- Files from Vector Upsert API
User can specify STORAGE_TYPE to use AWS S3, Google Cloud Storage or local path
| Variable | Description | Type | Default |
|---|---|---|---|
| STORAGE_TYPE | Type of storage for uploaded files. default is local |
Enum String: s3, gcs, local |
local |
| BLOB_STORAGE_PATH | Local folder path where uploaded files are stored when STORAGE_TYPE is local |
String | your-home-dir/.lyntaris/storage |
| S3_STORAGE_BUCKET_NAME | Bucket name to hold the uploaded files when STORAGE_TYPE is s3 |
String | |
| S3_STORAGE_ACCESS_KEY_ID | AWS Access Key | String | |
| S3_STORAGE_SECRET_ACCESS_KEY | AWS Secret Key | String | |
| S3_STORAGE_REGION | Region for S3 bucket | String | |
| S3_ENDPOINT_URL | Custom S3 endpoint (optional) | String | |
| S3_FORCE_PATH_STYLE | Force S3 path style (optional) | Boolean | false |
| GOOGLE_CLOUD_STORAGE_CREDENTIAL | Google Cloud Service Account Key | String | |
| GOOGLE_CLOUD_STORAGE_PROJ_ID | Google Cloud Project ID | String | |
| GOOGLE_CLOUD_STORAGE_BUCKET_NAME | Google Cloud Storage Bucket Name | String | |
| GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS | Type of Access | Boolean | true |
For Debugging and Logs
| Variable | Description | Type | |
|---|---|---|---|
| DEBUG | Print logs from components | Boolean | |
| LOG_PATH | Location where log files are stored | String | Lyntaris/packages/server/logs |
| LOG_LEVEL | Different levels of logs | Enum String: error, info, verbose, debug |
info |
DEBUG: if set to true, will print logs to terminal/console:
 (3) (1).png)
LOG_LEVEL: Different log levels for loggers to be saved. Can be error, info, verbose, or debug. By default it is set to info, only logger.info will be saved to the log files. If you want to have complete details, set to debug.
 (4).png)
server-requests.log.jsonl - logs every request sent to Lyntaris
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
server.log - logs general actions on Lyntaris
 (4).png)
server-error.log - logs error with stack trace
Logs Streaming S3
When STORAGE_TYPE env variable is set to s3 , logs will be automatically streamed and stored to S3. New log file will be created hourly, enabling easier debugging.
Logs Streaming GCS
When STORAGE_TYPE env variable is set to gcs , logs will be automatically streamed to Google Cloud Logging.
For Credentials
Lyntaris store your third party API keys as encrypted credentials using an encryption key.
By default, a random encryption key will be generated when starting up the application and stored under a file path. This encryption key is then retrieved everytime to decrypt the credentials used within a flow. For example, your OpenAI API key, Pinecone API key, etc.
You can configure to use AWS Secret Manager to store the encryption key instead.
| Variable | Description | Type | Default |
|---|---|---|---|
| SECRETKEY_STORAGE_TYPE | How to store the encryption key | Enum String: local, aws |
local |
| SECRETKEY_PATH | Local file path where encryption key is saved | String | Lyntaris/packages/server |
| FLOWISE_SECRETKEY_OVERWRITE | Encryption key to be used instead of the existing key | String | |
| SECRETKEY_AWS_ACCESS_KEY | String | ||
| SECRETKEY_AWS_SECRET_KEY | String | ||
| SECRETKEY_AWS_REGION | String |
For some reasons, sometimes encryption key might be re-generated or the stored path was changed, this will cause errors like - Credentials could not be decrypted.
To avoid this, you can set your own encryption key as FLOWISE_SECRETKEY_OVERWRITE, so that the same encryption key will be used everytime. There is no restriction on the format, you can set it as any text that you want, or the same as your FLOWISE_PASSWORD.
 (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png)
Info: Credential API Key returned from the UI is not the same length as your original Api Key that you have set. This is a fake prefix string that prevents network spoofing, that's why we are not returning the Api Key back to UI. However, the correct Api Key will be retrieved and used during your interaction with the flow.
For Models
In some cases, you might want to use custom model on the existing Chat Model and LLM nodes, or restrict access to only certain models.
By default, Lyntaris pulls the model list from here. However user can create their own models.json file and specify the file path:
| Variable | Description | Type | Default |
|---|---|---|---|
| MODEL_LIST_CONFIG_JSON | Link to load list of models from your models.json config file | String | https://raw.githubusercontent.com/FlowiseAI/Flowise/main/packages/components/models.json |
For Built-In and External Dependencies
There are certain nodes/features within Lyntaris that allow user to run Javascript code. For security reasons, by default it only allow certain dependencies. It's possible to lift that restriction for built-in and external modules by setting the following environment variables:
| Variable | Description | |
|---|---|---|
| TOOL_FUNCTION_BUILTIN_DEP | NodeJS built-in modules to be used | String |
| TOOL_FUNCTION_EXTERNAL_DEP | External modules to be used | String |
| ALLOW_BUILTIN_DEP | Allow project dependencies to be used such as cheerio, typeorm | Boolean |
# Allows usage of all builtin modules
TOOL_FUNCTION_BUILTIN_DEP=*
# Allows usage of only fs
TOOL_FUNCTION_BUILTIN_DEP=fs
# Allows usage of only crypto and fs
TOOL_FUNCTION_BUILTIN_DEP=crypto,fs
# Allow usage of external npm modules.
TOOL_FUNCTION_EXTERNAL_DEP=cheerio,typeorm
ALLOW_BUILTIN_DEP=true
Using Built In Dependencies
Warning: Some built-in dependencies, such as Puppeteer, may introduce potential security vulnerabilities. It is recommended to analyze and assess these risks carefully before using them.
NodeVM Execution Error: VMError: Cannot find module
If you are using library that is not allowed by default, you can either:
- Allow all project's libraries/dependencies:
ALLOW_BUILTIN_DEP=true - (Recommended) Specifically allow certain libraries/dependencies:
TOOL_FUNCTION_EXTERNAL_DEP=cheerio,typeorm
Security Configuration
| Variable | Description | Options | Default |
|---|---|---|---|
HTTP_DENY_LIST | Blocks HTTP requests to specified URLs or domains in MCP servers | Comma-separated URLs/domains | (empty) |
CUSTOM_MCP_SECURITY_CHECK | Enables comprehensive security validation for Custom MCP configurations | true | false | true |
CUSTOM_MCP_PROTOCOL | Sets the default protocol for Custom MCP communication | stdio | sse | stdio |
CUSTOM_MCP_SECURITY_CHECK=true
By default, this is enabled. When enabled, applies the following security validations:
- Command Allowlist: Only permits safe commands (
node,npx,python,python3,docker) - Argument Validation: Blocks dangerous file paths, directory traversal, and executable files
- Injection Prevention: Prevents shell metacharacters and command chaining
- Environment Protection: Blocks modification of critical environment variables (PATH, LD_LIBRARY_PATH)
CUSTOM_MCP_PROTOCOL
stdio: Direct process communication (default, requires command execution)sse: Server-Sent Events over HTTP (recommended for production, more secure)
Recommended Production Settings
# Enable security validation (default)
CUSTOM_MCP_SECURITY_CHECK=true
# Use SSE protocol for better security
CUSTOM_MCP_PROTOCOL=sse
# Block dangerous domains (example)
HTTP_DENY_LIST=localhost,127.0.0.1,internal.company.com
Warning: Disabling
CUSTOM_MCP_SECURITY_CHECKallows arbitrary command execution and poses significant security risks in production environments.
Examples of how to set environment variables
NPM
You can set all these variables when running Lyntaris using npx. For example:
npx flowise start --PORT=3000 --DEBUG=true
Docker
docker run -d -p 5678:5678 flowise \
-e DATABASE_TYPE=postgresdb \
-e DATABASE_PORT=<POSTGRES_PORT> \
-e DATABASE_HOST=<POSTGRES_HOST> \
-e DATABASE_NAME=<POSTGRES_DATABASE_NAME> \
-e DATABASE_USER=<POSTGRES_USER> \
-e DATABASE_PASSWORD=<POSTGRES_PASSWORD> \
Docker Compose
You can set all these variables in the .env file inside docker folder. Refer to .env.example file.