Skip to content

Config Parameter Reference

This page lists all available configuration parameters in Katalogue.

Explanation of the columns in the table:

ColumnDescription
ParameterThe parameter name. Used as-is for environment variables and as setting_code in the DB table.
PathNesting path under config in appsettings.json. Empty means the parameter sits directly under config. Not used for env vars or the DB table.
SourcesWhere the parameter can be set: file = appsettings.json, env = environment variable, db = database table (editable via the GUI Settings page).
DefaultDefault value when the parameter is not explicitly set.
DatatypeExpected type of the value.
DescriptionWhat the parameter does.

See Configuration Overview for examples of setting parameters via each source type, priority rules, and guidance on secrets.

ParameterPathSourcesDefaultDatatypeDescription
API_ENDPOINT_BASE_URLfile · envstringHostname of the Katalogue Backend API. Used to set the “issuer” property of the authentication tokens issued by Katalogue.
API_ENDPOINT_PATHfile · env/apistringPath, relative to API_ENDPOINT_BASE_URL, where the api endpoints are hosted.
file · envkataloguestringName prefix of all cookies issued by Katalogue.
CORS_ORIGINfile · envarray/stringCORS Origin whitelist. An array with URLs (or single string) that are allowed to connect to the Katalogue backend API. Normally, this should only contain the URL to the Katalogue frontend app.
DATA_FILES_DIRECTORYfile · env\<install_directory\>/datastringFull path to folder on the server where datasource files from e.g. manually uploaded dbt manifests will be stored.
ENCRYPTION_KEYfile · envstringEncryption key used by Katalogue to hash user passwords (local users only) and encrypt config secrets like repository password and connection passwords. This should be a long, random string. Keep it safe, it is not possible to decrypt secrets or authenticate local users if it is lost.
ENVIRONMENTfile · dbNULLstringEnvironment label for this Katalogue instance (e.g. dev, test, staging). Shown in the navigation header when set to anything other than prod, to help visually distinguish between environments. Also included in some system email subjects.
FRONTEND_URLfile · dbNULLstringFull URL to this Katalogue instance. Used to generate links in e.g. system emails. Example: https://katalogue.your-company.com
PORTfile · env8080stringPort that the Nodejs Express API (i.e. the Katalogue backend application) listens on.
TRUST_PROXYfile · envFALSEboolean/stringControls whether Katalogue trusts forwarded headers from a reverse proxy. Set to TRUE to trust all proxies (not recommended in production — clients can spoof their IP). For production, set to the specific upstream proxy IP or CIDR range (e.g. 10.0.0.1 or 10.0.0.0/24). Set to FALSE (default) if Katalogue is not behind a reverse proxy. See Network Proxy Configuration.
API_REQUEST_ARRAY_MAX_SIZEapifile · env100000integerMaximum number of items allowed in a request array for standard endpoints. Requests exceeding this limit are rejected with a 400 error. Reduce this value if you want to limit server load from large batch operations.
API_REQUEST_SENSITIVE_ARRAY_MAX_SIZEapifile · env100integerMaximum number of items allowed in a request array for sensitive endpoints — i.e. endpoints where each item triggers expensive side-effects such as sending emails. Requests exceeding this limit are rejected with a 400 error.
ACCESS_TOKEN_EXPIRATION_TIMEauthenticationfile60mstringTime that an access token is valid
LOCAL_IS_ENABLEDauthenticationfile · env · dbTRUEbooleanFlag to tell if Local authentication is enabled
OIDC_IS_ENABLEDauthenticationfile · env · dbFALSEbooleanFlag to tell if Azure OpenID Connect authentication is enabled
REFRESH_TOKEN_EXPIRATION_TIMEauthenticationfile30dstringTime that a refresh token is valid
OIDC_APPLICATION_IDauthentication.oidcfile · env · dbNULLstringMicrosoft Azure Application (client) ID, i.e. ID of the Enterprise Application registered in Microsoft Entra ID
OIDC_AUTHORIZE_ENDPOINTauthentication.oidcfile · db/oauth2/v2.0/authorizestringEndpoint for OAuth2 authorization requests
OIDC_CLIENT_SECRETauthentication.oidcfile · env · dbNULLstringMicrosoft Azure Client Secret
OIDC_DIRECTORY_IDauthentication.oidcfile · env · dbNULLstringMicrosoft Azure Directory (tenant) ID
OIDC_ENDPOINT_BASE_URLauthentication.oidcfile · dbhttps://login.microsoftonline.comstringBase URL of the OAuth2 endpoint
OIDC_JWKS_ENDPOINTauthentication.oidcfile · db/discovery/v2.0/keysstringEndpoint to retrieve public keys
OIDC_LOGOUT_ENDPOINTauthentication.oidcfile · db/oauth2/v2.0/logoutstringEndpoint for OAuth2 logout requests
OIDC_REDIRECT_URIauthentication.oidcfile · env · dbNULLstringURI that Microsoft Azure should redirect to after completed authentication
OIDC_SCOPEauthentication.oidcfile · env · dbprofile user.read offline_access openidstringScope that the configured enterprise application need access to
OIDC_TOKEN_ENDPOINTauthentication.oidcfile · db/oauth2/v2.0/tokenstringEndpoint for OAuth2 token requests
OIDC_USER_SOURCE_IDauthentication.oidcfile · dboidstringName of the user unique Id property in the OpenID Connect Id token
OIDC_USER_USERNAMEauthentication.oidcfile · dbupnstringName of the user Username property in the OpenID Connect Id token
DATABRICKS_BASE_ENDPOINTconnectors.databricksfile · db/api/2.1/unity-catalogstringUnity Catalog API Base URL, excluding hostname
DATABRICKS_CATALOG_ENDPOINTconnectors.databricksfile · db/catalogstringUnity Catalog API catalog endpoint, relative to the base URL
DATABRICKS_SCHEMA_ENDPOINTconnectors.databricksfile · db/schemastringUnity Catalog API schema endpoint, relative to the base URL
DATABRICKS_TABLE_ENDPOINTconnectors.databricksfile · db/tablestringUnity Catalog API table endpoint, relative to the base URL
DATABRICKS_IS_ENABLEDconnectors.databricksfile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
DBT_DEFAULT_MANIFEST_FILENAMEconnectors.dbtfile · dbmanifest.jsonstringFilename for the Dbt manifest json file that is used as the datasource for the Dbt connector. This property will only be used if no filename is specified in the connection URL
DBT_IS_ENABLEDconnectors.dbtfile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
FILE_CONNECTOR_IS_ENABLEDconnectors.filefile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
IBMDB2_CODEPAGEconnectors.ibmdb2file · dbNULLintegerIBM DB2 database codepage, i.e. database encoding. Specify this if data imported from IBM DB2 databases display incorrectly. Note that this setting affects all IBM DB2 connectors in Katalogue, specifying a codepage per datasource is currently not supported.
IBMDB2_IS_ENABLEDconnectors.ibmdb2file · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
MSSQL_IS_ENABLEDconnectors.mssqlfile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
ODBC_IS_ENABLEDconnectors.odbcfile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
ORACLE_IS_ENABLEDconnectors.oraclefile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
ORACLE_INSTANT_CLIENT_PATHconnectors.oraclefile · envstringOracle Instant Client path, if not the default path. See the “oracledb” nodejs package docs for more info.
POSTGRES_ENABLEDconnectors.postgresfile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
SNOWFLAKE_IS_ENABLEDconnectors.snowflakefile · envTRUEbooleanFlag to enable or disable this connector. If a connector is disabled, it cannot be used in the GUI and all connector-specific nodejs dependencies/libraries are excluded on startup. This means that the dependency does not have to be installed if the connector is disabled.
cookieHeadersfile · envTRUEbooleanValue of the cookie HTTPOnly attribute. Set to true in production.
cookieHeadersfile · env/apistringValue of the cookie Path attribute. Set to the base api endpoint path of the Katalogue backend API.
cookieHeadersfile · envTRUEboolean/stringValue of the cookie SameSite attribute. Set to “None” in production.
cookieHeadersfile · envFALSEbooleanValue of the cookie Secure attribute. Set to false in production.
HTTP_LOGGING_IS_ENABLEDloggingfile · env · dbFALSEbooleanFlag to tell if all HTTP requests and their execution time to the backend API should be logged or not. WARNING! Enabling this will reduce performance and quickly fill the http_request log table.
LOG_LEVELloggingfile · env · dbinfostringDetermines the granularity of logging for the backend API service. Available levels are “critical”, “error”, “warning”, “info” and “debug”. The latter two can be set through the GUI, the others must be set in the repository database.
AUDIT_FILENAMEloggingfile · envlogs/audit.jsonstringAudit filename path. See the “winston” nodejs package docs for more info.
LOG_DIRNAMEloggingfile · envlogsstringLog file directory path. See the “winston” nodejs package docs for more info.
LOG_FILENAMEloggingfile · envapplication_%DATE%.logstringFilename pattern for log files. See the “winston” nodejs package docs for more info.
LOG_FILENAME_DATEPATTERNloggingfile · envYYYY-MM-DDstringDate format for the date part of the logfile name
LOG_MAXFILESloggingfile · env14dstringDetermines how many days old logfiles should be retained before getting deleted by the log rotation functionality.
LOG_TO_CONSOLE_IN_PRODloggingfile · envTRUEbooleanFlag to tell if logging should be done to console or not. Note that logging to file is always enabled and not affected by this setting. Set this to true when using managed servers, Docker etc with external monitoring tools to let them pick up the logs.
LOG_USE_UTCloggingfile · envFALSEbooleanFlag to tell if the log file dates should be in UTC format or the server´s timezone.
MAIL_FROMmailfile · env · dbNULLstringEmail address that all emails will be sent from. If Email Server Type is Azure, this must be the email address of a real user account with a license that provides the account with a mailbox
MAIL_HOSTmailfile · env · dbNULLstringHostname of the SMTP mail server
MAIL_IS_ENABLEDmailfile · env · dbFALSEbooleanFlag to tell if the application should send emails or not
MAIL_IS_SECUREmailfile · env · dbFALSEbooleanFlag to tell if a secure connection should be used to the SMTP mail server or not. If true the connection will use TLS when connecting to server. If false (the default) then TLS is used if server supports the STARTTLS extension.
MAIL_PASSWORDmailfile · env · dbNULLstringPassword to authenticate against the SMTP mail server
MAIL_PORTmailfile · env · dbNULLstringPort of the SMTP mail server
MAIL_SEND_WELCOME_EMAILSmailfile · dbTRUEbooleanSend a welcome email with login instructions to new users when they are added to Katalogue for the first time
MAIL_SERVER_TYPEmailfile · env · dbmsgraphstringUse Azure Microsoft Graph API or custom SMTP configuration for sending emails. Allowed values are “smtp” or “msgraph”.
MAIL_SYSTEM_EMAILS_TOmailfile · dbNULLstringList of email addresses, separated by a comma, that will receive system emails such as task failure notifications. These emails are typically sent to Katalogue administrators or other IT admins.
MAIL_USERNAMEmailfile · env · dbNULLstringUsername to authenticate against the SMTP mail server
ORGANIZATION_NAMEorganizationfile · dbNULLstringName of the organization this Katalogue instance is installed in. Used in system emails and the about menu to personalize the content. Configurable via Settings → General → Customization.
ORGANIZATION_RESOURCE_NAMEorganizationfile · dbNULLstringDisplay name for an organization-internal learning resource or portal. Shown in email footers and the about menu. If omitted, the URL is used as the label. Configurable via Settings → General → Customization.
ORGANIZATION_RESOURCE_URLorganizationfile · dbNULLstringURL for an organization-internal learning resource or portal. When set, a link is shown in email footers and the about menu. If omitted, no link is shown. https:// is automatically prepended if no protocol is provided. Configurable via Settings → General → Customization.
ORGANIZATION_SUPPORT_NAMEorganizationfile · dbNULLstringDisplay name for the organization’s support contact. Shown in email footers and the about menu. Configurable via Settings → General → Customization.
ORGANIZATION_SUPPORT_URLorganizationfile · dbNULLstringContact URL or email address for the organization’s support team. Accepts a full URL (e.g. a Teams channel or web form) or a plain email address. Shown in email footers and the about menu. Configurable via Settings → General → Customization.
AZURE_KEY_VAULT_IS_ENABLEDpasswordManagers.azureKeyVaultfile · dbFALSEbooleanFlag to tell if Microsoft Azure Key Vault is enabled
AZURE_KEY_VAULT_NAMEpasswordManagers.azureKeyVaultfile · dbNULLstringMicrosoft Azure Key vault name. Can be extracted from the Vault URI like so: “https://<KEY-VAULT-NAME>.vault.azure.net”
HTTPS_PROXYproxyfile · envstringURL of the corporate egress proxy for outbound HTTPS connections (e.g. http://proxy.corp.com:8080). Covers MS Graph API, Azure token/JWKS endpoints, Azure Key Vault, and remote file fetches. See Network Proxy Configuration.
HTTP_PROXYproxyfile · envstringURL of the corporate egress proxy for outbound HTTP connections. See Network Proxy Configuration.
NO_PROXYproxyfile · envstringComma-separated list of hostnames or IP ranges that should bypass the egress proxy. The app’s own hostname (from API_ENDPOINT_BASE_URL) is always added automatically at startup. See Network Proxy Configuration.
RATE_LIMIT_ENABLEDrateLimitingfile · envTRUEbooleanEnable or disable request rate limiting. When disabled, no limits are enforced on any endpoint.
RATE_LIMIT_HEADERS_ENABLEDrateLimitingfile · envTRUEbooleanWhen true, X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers are included on every response. Set to false to hide rate-limit ceilings from clients. The Retry-After header on HTTP 429 responses is always included regardless of this setting.
RATE_LIMIT_READ_POINTSrateLimitingfile · env300integerTier 1 (IP floor) — maximum GET requests per IP per window for GUI/unauthenticated requests. Set generously; this is a DoS flood barrier, not per-user enforcement. The SPA fires 20–30 parallel GETs on page load so the effective per-user demand is high.
RATE_LIMIT_READ_DURATION_IN_SECONDSrateLimitingfile · env10integerWindow in seconds for the Tier 1 GUI read limiter. Points are replenished after this many seconds.
RATE_LIMIT_READ_API_POINTSrateLimitingfile · env600integerTier 1 (IP floor) — maximum GET requests per IP per window for REST API (Bearer token) requests. Higher than RATE_LIMIT_READ_POINTS because integrations issue more requests than GUI users.
RATE_LIMIT_READ_API_DURATION_IN_SECONDSrateLimitingfile · env10integerWindow in seconds for the Tier 1 REST API read limiter. Points are replenished after this many seconds.
RATE_LIMIT_WRITE_POINTSrateLimitingfile · env100integerTier 1 (IP floor) — maximum write requests (POST/PUT/DELETE) per IP per window.
RATE_LIMIT_WRITE_DURATION_IN_SECONDSrateLimitingfile · env10integerWindow in seconds for the Tier 1 write limiter. Points are replenished after this many seconds.
RATE_LIMIT_LOGIN_POINTSrateLimitingfile · env5integerMaximum login attempts per IP per window. Protects against brute-force attacks. Uses exponential backoff on repeated violations (see architecture documentation).
RATE_LIMIT_LOGIN_DURATION_IN_SECONDSrateLimitingfile · env60integerWindow in seconds for the login rate limiter. Also the initial block duration for the first exponential backoff violation.
RATE_LIMIT_PER_USER_READ_POINTSrateLimitingfile · env100integerTier 2 (per-user) — maximum GET requests per authenticated GUI user per window. Applied after authentication; keyed on user identity, not IP.
RATE_LIMIT_PER_USER_READ_DURATION_IN_SECONDSrateLimitingfile · env10integerWindow in seconds for the Tier 2 GUI read limiter.
RATE_LIMIT_PER_USER_READ_API_POINTSrateLimitingfile · env200integerTier 2 (per-client) — maximum GET requests per authenticated REST API client per window. Applied after authentication; keyed on client_id.
RATE_LIMIT_PER_USER_READ_API_DURATION_IN_SECONDSrateLimitingfile · env10integerWindow in seconds for the Tier 2 REST API read limiter.
RATE_LIMIT_PER_USER_WRITE_POINTSrateLimitingfile · env30integerTier 2 (per-user) — maximum write requests (POST/PUT/DELETE) per authenticated user or client per window. Applied after authentication.
RATE_LIMIT_PER_USER_WRITE_DURATION_IN_SECONDSrateLimitingfile · env10integerWindow in seconds for the Tier 2 write limiter.
REPOSITORY_BATCH_INSERT_CHUNK_SIZErepositoryfile · env1000integerNumber of rows that is inserted in each batch when doing batch inserts. Batch inserts are performed by some endpoints. Change this only if there are performance issues related to batch inserts.
REPOSITORY_BATCH_UPDATE_CHUNK_SIZErepositoryfile · env10000integerNumber of rows that is updated in each batch when doing batch updates. Batch updates are performed by some endpoints. Change this only if there are performance issues related to batch inserts.
REPOSITORY_DATABASErepositoryfile · envkataloguestringDatabase of the Katalogue PostgreSQL repository database
REPOSITORY_HOSTNAMErepositoryfile · envlocalhoststringHostname of the Katalogue PostgreSQL repository database
REPOSITORY_PASSWORDrepositoryfile · envstringPassword of the Katalogue repository database service account.
REPOSITORY_PORTrepositoryfile · env5432stringPort of the Katalogue PostgreSQL repository database
REPOSITORY_USE_SSLrepositoryfile · envFALSEbooleanFlag to enable SSL for the Katalogue PostgreSQL repository database connection.
REPOSITORY_USERNAMErepositoryfile · envkatalogue_superuserstringUsername of the Katalogue repository database service account.
REPOSITORY_POOL_MAXrepository.repositoryPoolfile · env300integerMaximum number of connections in the connection pool for the Katalogue PostgreSQL repository database connection.
REPOSITORY_POOL_MINrepository.repositoryPoolfile · env2integerMinimum number of connections in the connection pool for the Katalogue PostgreSQL repository database connection.
REST_API_IS_ENABLEDrestApifile · env · dbFALSEbooleanFlag to enable the REST API service
REST_API_OIDC_PATHrestApifile · env · db/oidcstringPath, relative to API_ENDPOINT_BASE_URL, where the REST API authentication endpoints /token, /jwks etc should be hosted.
REST_API_DOCS_PATHrestApifile · env · db/docsstringPath, relative to API_ENDPOINT_BASE_URL, where the REST API documentation (Redoc / OpenAPI Specification) should be hosted.
REST_API_ACCESS_TOKEN_TTL_IN_MINUTESrestApifile · env · db5integerDuration in minutes that an access token is valid. This resolves to the “exp” attribute of the access token.
REST_API_OIDC_SIGNING_KEYrestApifile · env · dbNULLstringPrivate key used to sign access tokens for the REST API authentication endpoint. This is automatically generated if no external key (through environment variable or config file) is provided.
The easiest way to generate externally provided keys is with the services/api/utils/initialize.js utility tool. The value of this parameter must be a key that is a stringified JSON object.
REST_API_CLIENT_SECRET_TTL_IN_DAYSrestApifile · env · db365integerDuration in days that a client secret is valid. Expired client secrets cannot be used to retrieve access tokens from the token endpoint. Set this to null to never expire client secrets.
SCHEDULER_IS_ENABLEDschedulerfile · envTRUEbooleanEnable or disable the scheduler loop. When disabled, Schedules are not evaluated and no Tasks are enqueued automatically.
WORKER_IS_ENABLEDschedulerfile · envTRUEbooleanEnable or disable the worker loop. When disabled, the job queue is not drained and no Tasks are executed automatically.
SCHEDULER_POLL_INTERVAL_SECONDSschedulerfile · env60integerHow often (in seconds) the scheduler checks for Schedules whose cron expression is due.
WORKER_POLL_INTERVAL_SECONDSschedulerfile · env3integerHow often (in seconds) the worker polls the job queue for the next Task to execute.
SCHEDULER_AUTO_DISABLE_TASK_FAILURE_COUNTschedulerfile · env5integerNumber of consecutive scheduled failures after which a Task is automatically disabled. Set to 0 or a negative value to disable this feature (allow unlimited consecutive failures).
SYNC_NESTED_USER_GROUPSuserProvisioningfile · dbTRUEbooleanFlag to tell if the Microsoft Entra ID user group sync includes users in nested user groups or only direct members
GROUP_DESCRIPTIONuserProvisioning.groupAttributeMappingfile · dbdescriptionstringName of the user group Description property in the user provisioning system
GROUP_EMAILuserProvisioning.groupAttributeMappingfile · dbmailstringName of the user group Email name property in the user provisioning system
GROUP_NAMEuserProvisioning.groupAttributeMappingfile · dbdisplayNamestringName of the user group Name property in the user provisioning system
GROUP_SOURCE_IDuserProvisioning.groupAttributeMappingfile · dbidstringName of the user group unique Id property in the user provisioning system
MSGRAPH_ENDPOINT_BASE_URLuserProvisioning.msgraphfile · dbhttps://graph.microsoft.com/v1.0stringBase URL of the Microsoft Graph API
MSGRAPH_GROUP_BASE_FILTERuserProvisioning.msgraphfile · dbNULLstringFilter expression used in the Microsoft Graph GET request to get user groups
MSGRAPH_SCOPEuserProvisioning.msgraphfile · dbhttps://graph.microsoft.com/.defaultstringScope that the configured enterprise application need access to
MSGRAPH_USER_BASE_FILTERuserProvisioning.msgraphfile · dbuserType eq ''Member'' and surName ge '' '' and accountEnabled eq truestringFilter expression used in the Microsoft Graph GET request to get users
USER_DEPARTMENTuserProvisioning.userAttributeMappingfile · dbdepartmentstringName of the user Department property in the user provisioning system
USER_EMAILuserProvisioning.userAttributeMappingfile · dbmailstringName of the user Email property in the user provisioning system
USER_FULLNAMEuserProvisioning.userAttributeMappingfile · dbdisplayNamestringName of the user Full name property in the user provisioning system
USER_SOURCE_IDuserProvisioning.userAttributeMappingfile · dbidstringName of the user unique Id property in the user provisioning system
USER_TITLEuserProvisioning.userAttributeMappingfile · dbjobTitlestringName of the user Title property in the user provisioning system
USER_USERNAMEuserProvisioning.userAttributeMappingfile · dbuserPrincipalNamestringName of the user Username property in the user provisioning system
ParameterPathSourcesDefaultDatatypeDescription
PORTenv8080integernginx listen port inside the container.
API_URLapifile · envhttp://localhost:8888/apistringURL to the Katalogue Backend API. Used to connect the frontend service to the backend.