Configuration

Configuring your self hosted Papra allows you to customize the application to better suit your environment and requirements. This guide covers the key environment variables you can set to control various aspects of the application, including port settings, security options, and storage configurations.

Complete .env

Here is the full configuration file that you can use to configure Papra. The variables values are the default values.

# The base URL of the application. Will override the client baseUrl and
# server baseUrl when set. Use this one over the client and server baseUrl
# when the server is serving the client assets (like in docker).
# APP_BASE_URL=

# The URL of the client, when using docker, prefer using the `APP_BASE_URL`
# environment variable instead.
# CLIENT_BASE_URL=http://localhost:1221

# The base URL of the server, when using docker, prefer using the
# `APP_BASE_URL` environment variable instead.
# SERVER_BASE_URL=http://localhost:1221

# A comma separated list of origins that are trusted to make requests to the
# server. The client baseUrl (CLIENT_BASE_URL) is automatically added by
# default, no need to add it to the list.
# TRUSTED_ORIGINS=

# The port to listen on when using node server.
# PORT=1221

# The maximum time in milliseconds for a route to complete before timing out.
# SERVER_API_ROUTES_TIMEOUT_MS=20000

# The CORS origin for the api server.
# SERVER_CORS_ORIGINS=http://localhost:3000

# Whether to serve the public directory (default as true when using docker).
# SERVER_SERVE_PUBLIC_DIR=false

# The URL of the database (default as "file:./app-data/db/db.sqlite" when
# using docker).
# DATABASE_URL=file:./db.sqlite

# The auth token for the database.
# DATABASE_AUTH_TOKEN=

# The encryption key for the database. If not provided, the database will not
# be encrypted. Use with caution as if lost, the data will be unrecoverable.
# DATABASE_ENCRYPTION_KEY=

# The retention period in days for deleted documents.
# DOCUMENTS_DELETED_DOCUMENTS_RETENTION_DAYS=30

# The languages codes to use for OCR, multiple languages can be specified by
# separating them with a comma. See
# https://tesseract-ocr.github.io/tessdoc/Data-Files#data-files-for-version-400-november-29-2016.
# DOCUMENTS_OCR_LANGUAGES=eng

# The maximum size in bytes for an uploaded file. Set to 0 to disable the
# limit and allow uploading documents of any size.
# DOCUMENT_STORAGE_MAX_UPLOAD_SIZE=10485760

# The driver to use for document storage, values can be one of: `filesystem`,
# `s3`, `in-memory`, `b2`, `azure-blob`.
# DOCUMENT_STORAGE_DRIVER=filesystem

# The root directory to store documents in (default as "./app-data/documents"
# when using docker).
# DOCUMENT_STORAGE_FILESYSTEM_ROOT=./local-documents

# The AWS access key ID for S3.
# DOCUMENT_STORAGE_S3_ACCESS_KEY_ID=

# The AWS secret access key for S3.
# DOCUMENT_STORAGE_S3_SECRET_ACCESS_KEY=

# The S3 bucket name.
# DOCUMENT_STORAGE_S3_BUCKET_NAME=

# The AWS region for S3.
# DOCUMENT_STORAGE_S3_REGION=auto

# The S3 endpoint.
# DOCUMENT_STORAGE_S3_ENDPOINT=

# The B2 application key ID.
# DOCUMENT_STORAGE_B2_APPLICATION_KEY_ID=

# The B2 application key.
# DOCUMENT_STORAGE_B2_APPLICATION_KEY=

# The B2 bucket name.
# DOCUMENT_STORAGE_B2_BUCKET_NAME=

# The B2 bucket ID.
# DOCUMENT_STORAGE_B2_BUCKET_ID=

# The Azure Blob Storage account name.
# DOCUMENT_STORAGE_AZURE_BLOB_ACCOUNT_NAME=

# The Azure Blob Storage account key.
# DOCUMENT_STORAGE_AZURE_BLOB_ACCOUNT_KEY=

# The Azure Blob Storage container name.
# DOCUMENT_STORAGE_AZURE_BLOB_CONTAINER_NAME=

# The secret for the auth.
# AUTH_SECRET=change-me-for-god-sake

# Whether registration is enabled.
# AUTH_IS_REGISTRATION_ENABLED=true

# Whether password reset is enabled.
# AUTH_IS_PASSWORD_RESET_ENABLED=true

# Whether email verification is required.
# AUTH_IS_EMAIL_VERIFICATION_REQUIRED=false

# Whether to show Papra legal links on the auth pages (terms of service,
# privacy policy), useless for self-hosted instances.
# AUTH_SHOW_LEGAL_LINKS=false

# Whether email/password authentication is enabled.
# AUTH_PROVIDERS_EMAIL_IS_ENABLED=true

# Whether Github OAuth is enabled.
# AUTH_PROVIDERS_GITHUB_IS_ENABLED=false

# The client id for Github OAuth.
# AUTH_PROVIDERS_GITHUB_CLIENT_ID=set-me

# The client secret for Github OAuth.
# AUTH_PROVIDERS_GITHUB_CLIENT_SECRET=set-me

# Whether Google OAuth is enabled.
# AUTH_PROVIDERS_GOOGLE_IS_ENABLED=false

# The client id for Google OAuth.
# AUTH_PROVIDERS_GOOGLE_CLIENT_ID=set-me

# The client secret for Google OAuth.
# AUTH_PROVIDERS_GOOGLE_CLIENT_SECRET=set-me

# The list of custom OAuth providers, as a JSON string, see
# https://www.better-auth.com/docs/plugins/generic-oauth#configuration for
# more details.
# AUTH_PROVIDERS_CUSTOMS=

# Whether ingestion folders are enabled.
# INGESTION_FOLDER_IS_ENABLED=false

# The root directory in which ingestion folders for each organization are
# stored.
# INGESTION_FOLDER_ROOT_PATH=./ingestion

# Whether to use polling for the ingestion folder watcher.
# INGESTION_FOLDER_WATCHER_USE_POLLING=false

# When polling is used, this is the interval at which the watcher checks for
# changes in the ingestion folder (in milliseconds).
# INGESTION_FOLDER_WATCHER_POLLING_INTERVAL_MS=2000

# The number of files that can be processed concurrently by the server.
# Increasing this can improve processing speed, but it will also increase CPU
# and memory usage.
# INGESTION_FOLDER_PROCESSING_CONCURRENCY=1

# The folder to move the file when the ingestion fails, the path is relative
# to the organization ingestion folder (<ingestion root>/<organization id>).
# INGESTION_FOLDER_ERROR_FOLDER_PATH=./ingestion-error

# The action done on the file after it has been ingested.
# INGESTION_FOLDER_POST_PROCESSING_STRATEGY=delete

# The folder to move the file when the post-processing strategy is "move",
# the path is relative to the organization ingestion folder (<ingestion
# root>/<organization id>).
# INGESTION_FOLDER_POST_PROCESSING_MOVE_FOLDER_PATH=./ingestion-done

# Comma separated list of patterns to ignore when watching the ingestion
# folder. Note that if you update this variable, it'll override the default
# patterns, not merge them. Regarding the format and syntax, please refer to
# the [picomatch
# documentation](https://github.com/micromatch/picomatch/blob/bf6a33bd3db990edfbfd20b3b160eed926cd07dd/README.md#globbing-features).
# INGESTION_FOLDER_IGNORED_PATTERNS=**/.DS_Store,**/.env,**/desktop.ini,**/Thumbs.db,**/.git/**,**/.idea/**,**/.vscode/**,**/node_modules/**

# Whether the task to hard delete expired "soft deleted" documents is
# enabled.
# DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_ENABLED=true

# The cron schedule for the task to hard delete expired "soft deleted"
# documents.
# DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_CRON=0 0 * * *

# Whether the task to hard delete expired "soft deleted" documents should run
# on startup.
# DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_RUN_ON_STARTUP=true

# Whether the task to expire invitations is enabled.
# ORGANIZATIONS_EXPIRE_INVITATIONS_ENABLED=true

# The cron schedule for the task to expire invitations.
# ORGANIZATIONS_EXPIRE_INVITATIONS_CRON=0 0 * * *

# Whether the task to expire invitations should run on startup.
# ORGANIZATIONS_EXPIRE_INVITATIONS_RUN_ON_STARTUP=true

# Whether intake emails are enabled.
# INTAKE_EMAILS_IS_ENABLED=false

# The driver to use when generating email addresses for intake emails, value
# can be one of: `random-username`, `owlrelay`.
# INTAKE_EMAILS_DRIVER=random-username

# The secret to use when verifying webhooks.
# INTAKE_EMAILS_WEBHOOK_SECRET=change-me

# The domain to use when generating email addresses for intake emails when
# using the random username driver.
# INTAKE_EMAILS_EMAIL_GENERATION_DOMAIN=papra.email

# The API key used to interact with OwlRelay for the intake emails.
# OWLRELAY_API_KEY=change-me

# The webhook URL to use when generating email addresses for intake emails
# with OwlRelay, if not provided, the webhook will be inferred from the
# server URL.
# OWLRELAY_WEBHOOK_URL=

# The email address to send emails from.
# EMAILS_FROM_ADDRESS=Papra <[email protected]>

# The driver to use when sending emails, value can be one of: `resend`,
# `logger`, `smtp`. Using `logger` will not send anything but log them
# instead.
# EMAILS_DRIVER=logger

# The API key for the Resend email service.
# RESEND_API_KEY=

# When using the logger email driver, the level to log emails at.
# LOGGER_EMAIL_DRIVER_LOG_LEVEL=info

# The host of the SMTP server.
# SMTP_HOST=

# The port of the SMTP server.
# SMTP_PORT=587

# The user of the SMTP server.
# SMTP_USER=

# The password of the SMTP server.
# SMTP_PASSWORD=

# Whether to use a secure connection to the SMTP server.
# SMTP_SECURE=false

# The raw configuration for the nodemailer SMTP client in JSON format for
# advanced use cases. If set, this will override all other config options.
# See https://nodemailer.com/smtp/ for more details.
# SMTP_JSON_CONFIG=

# The maximum number of organizations a standard user can have.
# MAX_ORGANIZATION_COUNT_PER_USER=10

# The number of days an invitation to an organization will be valid.
# ORGANIZATION_INVITATION_EXPIRATION_DELAY_DAYS=7

# The maximum number of invitations a user can send per day.
# MAX_USER_ORGANIZATIONS_INVITATIONS_PER_DAY=30

# Whether the free plan is unlimited, meaning it has no limits on the number
# of documents, tags, and organizations, basically always true for
# self-hosted instances.
# IS_FREE_PLAN_UNLIMITED=true

# The price id of the plus plan (useless for self-hosting).
# PLANS_PLUS_PLAN_PRICE_ID=change-me

# The price id of the family plan (useless for self-hosting).
# PLANS_FAMILY_PLAN_PRICE_ID=change-me

# The API secret key for the Stripe (useless for self-hosting).
# STRIPE_API_SECRET_KEY=change-me

# The secret for the Stripe webhook (useless for self-hosting).
# STRIPE_WEBHOOK_SECRET=change-me

# Whether to enable PostHog.
# POSTHOG_ENABLED=false

# The API key for PostHog.
# POSTHOG_API_KEY=set-me

# The host for PostHog.
# POSTHOG_HOST=https://eu.i.posthog.com

Configuration variables

Here is the complete list of configuration variables that you can use to configure Papra. You can set these variables in the .env file or pass them as environment variables when running the Docker container.

APP_BASE_URL

The base URL of the application. Will override the client baseUrl and server baseUrl when set. Use this one over the client and server baseUrl when the server is serving the client assets (like in docker).

Path: appBaseUrl
Environment variable: APP_BASE_URL
Default value: undefined

CLIENT_BASE_URL

The URL of the client, when using docker, prefer using the APP_BASE_URL environment variable instead.

Path: client.baseUrl
Environment variable: CLIENT_BASE_URL
Default value: http://localhost:1221

SERVER_BASE_URL

The base URL of the server, when using docker, prefer using the APP_BASE_URL environment variable instead.

Path: server.baseUrl
Environment variable: SERVER_BASE_URL
Default value: http://localhost:1221

TRUSTED_ORIGINS

A comma separated list of origins that are trusted to make requests to the server. The client baseUrl (CLIENT_BASE_URL) is automatically added by default, no need to add it to the list.

Path: server.trustedOrigins
Environment variable: TRUSTED_ORIGINS
Default value: undefined

PORT

The port to listen on when using node server.

Path: server.port
Environment variable: PORT
Default value: 1221

SERVER_API_ROUTES_TIMEOUT_MS

The maximum time in milliseconds for a route to complete before timing out.

Path: server.routeTimeoutMs
Environment variable: SERVER_API_ROUTES_TIMEOUT_MS
Default value: 20000

SERVER_CORS_ORIGINS

The CORS origin for the api server.

Path: server.corsOrigins
Environment variable: SERVER_CORS_ORIGINS
Default value: http://localhost:3000

SERVER_SERVE_PUBLIC_DIR

Whether to serve the public directory (default as true when using docker).

Path: server.servePublicDir
Environment variable: SERVER_SERVE_PUBLIC_DIR
Default value: false

DATABASE_URL

The URL of the database (default as "file:./app-data/db/db.sqlite" when using docker).

Path: database.url
Environment variable: DATABASE_URL
Default value: file:./db.sqlite

DATABASE_AUTH_TOKEN

The auth token for the database.

Path: database.authToken
Environment variable: DATABASE_AUTH_TOKEN
Default value: undefined

DATABASE_ENCRYPTION_KEY

The encryption key for the database. If not provided, the database will not be encrypted. Use with caution as if lost, the data will be unrecoverable.

Path: database.encryptionKey
Environment variable: DATABASE_ENCRYPTION_KEY
Default value: undefined

DOCUMENTS_DELETED_DOCUMENTS_RETENTION_DAYS

The retention period in days for deleted documents.

Path: documents.deletedDocumentsRetentionDays
Environment variable: DOCUMENTS_DELETED_DOCUMENTS_RETENTION_DAYS
Default value: 30

DOCUMENTS_OCR_LANGUAGES

The languages codes to use for OCR, multiple languages can be specified by separating them with a comma. See https://tesseract-ocr.github.io/tessdoc/Data-Files#data-files-for-version-400-november-29-2016.

Path: documents.ocrLanguages
Environment variable: DOCUMENTS_OCR_LANGUAGES
Default value: eng

DOCUMENT_STORAGE_MAX_UPLOAD_SIZE

The maximum size in bytes for an uploaded file. Set to 0 to disable the limit and allow uploading documents of any size.

Path: documentsStorage.maxUploadSize
Environment variable: DOCUMENT_STORAGE_MAX_UPLOAD_SIZE
Default value: 10485760

DOCUMENT_STORAGE_DRIVER

The driver to use for document storage, values can be one of: filesystem, s3, in-memory, b2, azure-blob.

Path: documentsStorage.driver
Environment variable: DOCUMENT_STORAGE_DRIVER
Default value: filesystem

DOCUMENT_STORAGE_FILESYSTEM_ROOT

The root directory to store documents in (default as "./app-data/documents" when using docker).

Path: documentsStorage.drivers.filesystem.root
Environment variable: DOCUMENT_STORAGE_FILESYSTEM_ROOT
Default value: ./local-documents

DOCUMENT_STORAGE_S3_ACCESS_KEY_ID

The AWS access key ID for S3.

Path: documentsStorage.drivers.s3.accessKeyId
Environment variable: DOCUMENT_STORAGE_S3_ACCESS_KEY_ID
Default value: undefined

DOCUMENT_STORAGE_S3_SECRET_ACCESS_KEY

The AWS secret access key for S3.

Path: documentsStorage.drivers.s3.secretAccessKey
Environment variable: DOCUMENT_STORAGE_S3_SECRET_ACCESS_KEY
Default value: undefined

DOCUMENT_STORAGE_S3_BUCKET_NAME

The S3 bucket name.

Path: documentsStorage.drivers.s3.bucketName
Environment variable: DOCUMENT_STORAGE_S3_BUCKET_NAME
Default value: undefined

DOCUMENT_STORAGE_S3_REGION

The AWS region for S3.

Path: documentsStorage.drivers.s3.region
Environment variable: DOCUMENT_STORAGE_S3_REGION
Default value: auto

DOCUMENT_STORAGE_S3_ENDPOINT

The S3 endpoint.

Path: documentsStorage.drivers.s3.endpoint
Environment variable: DOCUMENT_STORAGE_S3_ENDPOINT
Default value: undefined

DOCUMENT_STORAGE_B2_APPLICATION_KEY_ID

The B2 application key ID.

Path: documentsStorage.drivers.b2.applicationKeyId
Environment variable: DOCUMENT_STORAGE_B2_APPLICATION_KEY_ID
Default value: undefined

DOCUMENT_STORAGE_B2_APPLICATION_KEY

The B2 application key.

Path: documentsStorage.drivers.b2.applicationKey
Environment variable: DOCUMENT_STORAGE_B2_APPLICATION_KEY
Default value: undefined

DOCUMENT_STORAGE_B2_BUCKET_NAME

The B2 bucket name.

Path: documentsStorage.drivers.b2.bucketName
Environment variable: DOCUMENT_STORAGE_B2_BUCKET_NAME
Default value: undefined

DOCUMENT_STORAGE_B2_BUCKET_ID

The B2 bucket ID.

Path: documentsStorage.drivers.b2.bucketId
Environment variable: DOCUMENT_STORAGE_B2_BUCKET_ID
Default value: undefined

DOCUMENT_STORAGE_AZURE_BLOB_ACCOUNT_NAME

The Azure Blob Storage account name.

Path: documentsStorage.drivers.azureBlob.accountName
Environment variable: DOCUMENT_STORAGE_AZURE_BLOB_ACCOUNT_NAME
Default value: undefined

DOCUMENT_STORAGE_AZURE_BLOB_ACCOUNT_KEY

The Azure Blob Storage account key.

Path: documentsStorage.drivers.azureBlob.accountKey
Environment variable: DOCUMENT_STORAGE_AZURE_BLOB_ACCOUNT_KEY
Default value: undefined

DOCUMENT_STORAGE_AZURE_BLOB_CONTAINER_NAME

The Azure Blob Storage container name.

Path: documentsStorage.drivers.azureBlob.containerName
Environment variable: DOCUMENT_STORAGE_AZURE_BLOB_CONTAINER_NAME
Default value: undefined

AUTH_SECRET

The secret for the auth.

Path: auth.secret
Environment variable: AUTH_SECRET
Default value: change-me-for-god-sake

AUTH_IS_REGISTRATION_ENABLED

Whether registration is enabled.

Path: auth.isRegistrationEnabled
Environment variable: AUTH_IS_REGISTRATION_ENABLED
Default value: true

AUTH_IS_PASSWORD_RESET_ENABLED

Whether password reset is enabled.

Path: auth.isPasswordResetEnabled
Environment variable: AUTH_IS_PASSWORD_RESET_ENABLED
Default value: true

AUTH_IS_EMAIL_VERIFICATION_REQUIRED

Whether email verification is required.

Path: auth.isEmailVerificationRequired
Environment variable: AUTH_IS_EMAIL_VERIFICATION_REQUIRED
Default value: false

AUTH_SHOW_LEGAL_LINKS

Whether to show Papra legal links on the auth pages (terms of service, privacy policy), useless for self-hosted instances.

Path: auth.showLegalLinksOnAuthPage
Environment variable: AUTH_SHOW_LEGAL_LINKS
Default value: false

AUTH_PROVIDERS_EMAIL_IS_ENABLED

Whether email/password authentication is enabled.

Path: auth.providers.email.isEnabled
Environment variable: AUTH_PROVIDERS_EMAIL_IS_ENABLED
Default value: true

AUTH_PROVIDERS_GITHUB_IS_ENABLED

Whether Github OAuth is enabled.

Path: auth.providers.github.isEnabled
Environment variable: AUTH_PROVIDERS_GITHUB_IS_ENABLED
Default value: false

AUTH_PROVIDERS_GITHUB_CLIENT_ID

The client id for Github OAuth.

Path: auth.providers.github.clientId
Environment variable: AUTH_PROVIDERS_GITHUB_CLIENT_ID
Default value: set-me

AUTH_PROVIDERS_GITHUB_CLIENT_SECRET

The client secret for Github OAuth.

Path: auth.providers.github.clientSecret
Environment variable: AUTH_PROVIDERS_GITHUB_CLIENT_SECRET
Default value: set-me

AUTH_PROVIDERS_GOOGLE_IS_ENABLED

Whether Google OAuth is enabled.

Path: auth.providers.google.isEnabled
Environment variable: AUTH_PROVIDERS_GOOGLE_IS_ENABLED
Default value: false

AUTH_PROVIDERS_GOOGLE_CLIENT_ID

The client id for Google OAuth.

Path: auth.providers.google.clientId
Environment variable: AUTH_PROVIDERS_GOOGLE_CLIENT_ID
Default value: set-me

AUTH_PROVIDERS_GOOGLE_CLIENT_SECRET

The client secret for Google OAuth.

Path: auth.providers.google.clientSecret
Environment variable: AUTH_PROVIDERS_GOOGLE_CLIENT_SECRET
Default value: set-me

AUTH_PROVIDERS_CUSTOMS

The list of custom OAuth providers, as a JSON string, see https://www.better-auth.com/docs/plugins/generic-oauth#configuration for more details.

Path: auth.providers.customs
Environment variable: AUTH_PROVIDERS_CUSTOMS
Default value: undefined

INGESTION_FOLDER_IS_ENABLED

Whether ingestion folders are enabled.

Path: ingestionFolder.isEnabled
Environment variable: INGESTION_FOLDER_IS_ENABLED
Default value: false

INGESTION_FOLDER_ROOT_PATH

The root directory in which ingestion folders for each organization are stored.

Path: ingestionFolder.folderRootPath
Environment variable: INGESTION_FOLDER_ROOT_PATH
Default value: ./ingestion

INGESTION_FOLDER_WATCHER_USE_POLLING

Whether to use polling for the ingestion folder watcher.

Path: ingestionFolder.watcher.usePolling
Environment variable: INGESTION_FOLDER_WATCHER_USE_POLLING
Default value: false

INGESTION_FOLDER_WATCHER_POLLING_INTERVAL_MS

When polling is used, this is the interval at which the watcher checks for changes in the ingestion folder (in milliseconds).

Path: ingestionFolder.watcher.pollingInterval
Environment variable: INGESTION_FOLDER_WATCHER_POLLING_INTERVAL_MS
Default value: 2000

INGESTION_FOLDER_PROCESSING_CONCURRENCY

The number of files that can be processed concurrently by the server. Increasing this can improve processing speed, but it will also increase CPU and memory usage.

Path: ingestionFolder.processingConcurrency
Environment variable: INGESTION_FOLDER_PROCESSING_CONCURRENCY
Default value: 1

INGESTION_FOLDER_ERROR_FOLDER_PATH

The folder to move the file when the ingestion fails, the path is relative to the organization ingestion folder (/).

Path: ingestionFolder.errorFolder
Environment variable: INGESTION_FOLDER_ERROR_FOLDER_PATH
Default value: ./ingestion-error

INGESTION_FOLDER_POST_PROCESSING_STRATEGY

The action done on the file after it has been ingested.

Path: ingestionFolder.postProcessing.strategy
Environment variable: INGESTION_FOLDER_POST_PROCESSING_STRATEGY
Default value: delete

INGESTION_FOLDER_POST_PROCESSING_MOVE_FOLDER_PATH

The folder to move the file when the post-processing strategy is "move", the path is relative to the organization ingestion folder (/).

Path: ingestionFolder.postProcessing.moveToFolderPath
Environment variable: INGESTION_FOLDER_POST_PROCESSING_MOVE_FOLDER_PATH
Default value: ./ingestion-done

INGESTION_FOLDER_IGNORED_PATTERNS

Comma separated list of patterns to ignore when watching the ingestion folder. Note that if you update this variable, it'll override the default patterns, not merge them. Regarding the format and syntax, please refer to the picomatch documentation.

Path: ingestionFolder.ignoredPatterns
Environment variable: INGESTION_FOLDER_IGNORED_PATTERNS
Default value: **/.DS_Store,**/.env,**/desktop.ini,**/Thumbs.db,**/.git/**,**/.idea/**,**/.vscode/**,**/node_modules/**

DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_ENABLED

Whether the task to hard delete expired "soft deleted" documents is enabled.

Path: tasks.hardDeleteExpiredDocuments.enabled
Environment variable: DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_ENABLED
Default value: true

DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_CRON

The cron schedule for the task to hard delete expired "soft deleted" documents.

Path: tasks.hardDeleteExpiredDocuments.cron
Environment variable: DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_CRON
Default value: 0 0 * * *

DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_RUN_ON_STARTUP

Whether the task to hard delete expired "soft deleted" documents should run on startup.

Path: tasks.hardDeleteExpiredDocuments.runOnStartup
Environment variable: DOCUMENTS_HARD_DELETE_EXPIRED_DOCUMENTS_RUN_ON_STARTUP
Default value: true

ORGANIZATIONS_EXPIRE_INVITATIONS_ENABLED

Whether the task to expire invitations is enabled.

Path: tasks.expireInvitations.enabled
Environment variable: ORGANIZATIONS_EXPIRE_INVITATIONS_ENABLED
Default value: true

ORGANIZATIONS_EXPIRE_INVITATIONS_CRON

The cron schedule for the task to expire invitations.

Path: tasks.expireInvitations.cron
Environment variable: ORGANIZATIONS_EXPIRE_INVITATIONS_CRON
Default value: 0 0 * * *

ORGANIZATIONS_EXPIRE_INVITATIONS_RUN_ON_STARTUP

Whether the task to expire invitations should run on startup.

Path: tasks.expireInvitations.runOnStartup
Environment variable: ORGANIZATIONS_EXPIRE_INVITATIONS_RUN_ON_STARTUP
Default value: true

INTAKE_EMAILS_IS_ENABLED

Whether intake emails are enabled.

Path: intakeEmails.isEnabled
Environment variable: INTAKE_EMAILS_IS_ENABLED
Default value: false

INTAKE_EMAILS_DRIVER

The driver to use when generating email addresses for intake emails, value can be one of: random-username, owlrelay.

Path: intakeEmails.driver
Environment variable: INTAKE_EMAILS_DRIVER
Default value: random-username

INTAKE_EMAILS_WEBHOOK_SECRET

The secret to use when verifying webhooks.

Path: intakeEmails.webhookSecret
Environment variable: INTAKE_EMAILS_WEBHOOK_SECRET
Default value: change-me

INTAKE_EMAILS_EMAIL_GENERATION_DOMAIN

The domain to use when generating email addresses for intake emails when using the random username driver.

Path: intakeEmails.drivers.randomUsername.domain
Environment variable: INTAKE_EMAILS_EMAIL_GENERATION_DOMAIN
Default value: papra.email

OWLRELAY_API_KEY

The API key used to interact with OwlRelay for the intake emails.

Path: intakeEmails.drivers.owlrelay.owlrelayApiKey
Environment variable: OWLRELAY_API_KEY
Default value: change-me

OWLRELAY_WEBHOOK_URL

The webhook URL to use when generating email addresses for intake emails with OwlRelay, if not provided, the webhook will be inferred from the server URL.

Path: intakeEmails.drivers.owlrelay.webhookUrl
Environment variable: OWLRELAY_WEBHOOK_URL
Default value: undefined

EMAILS_FROM_ADDRESS

The email address to send emails from.

Path: emails.fromEmail
Environment variable: EMAILS_FROM_ADDRESS
Default value: Papra <[email protected]>

EMAILS_DRIVER

The driver to use when sending emails, value can be one of: resend, logger, smtp. Using logger will not send anything but log them instead.

Path: emails.driverName
Environment variable: EMAILS_DRIVER
Default value: logger

RESEND_API_KEY

The API key for the Resend email service.

Path: emails.drivers.resend.resendApiKey
Environment variable: RESEND_API_KEY
Default value: undefined

LOGGER_EMAIL_DRIVER_LOG_LEVEL

When using the logger email driver, the level to log emails at.

Path: emails.drivers.logger.level
Environment variable: LOGGER_EMAIL_DRIVER_LOG_LEVEL
Default value: info

SMTP_HOST

The host of the SMTP server.

Path: emails.drivers.smtp.host
Environment variable: SMTP_HOST
Default value: undefined

SMTP_PORT

The port of the SMTP server.

Path: emails.drivers.smtp.port
Environment variable: SMTP_PORT
Default value: 587

SMTP_USER

The user of the SMTP server.

Path: emails.drivers.smtp.user
Environment variable: SMTP_USER
Default value: undefined

SMTP_PASSWORD

The password of the SMTP server.

Path: emails.drivers.smtp.password
Environment variable: SMTP_PASSWORD
Default value: undefined

SMTP_SECURE

Whether to use a secure connection to the SMTP server.

Path: emails.drivers.smtp.secure
Environment variable: SMTP_SECURE
Default value: false

SMTP_JSON_CONFIG

The raw configuration for the nodemailer SMTP client in JSON format for advanced use cases. If set, this will override all other config options. See https://nodemailer.com/smtp/ for more details.

Path: emails.drivers.smtp.rawConfig
Environment variable: SMTP_JSON_CONFIG
Default value: undefined

MAX_ORGANIZATION_COUNT_PER_USER

The maximum number of organizations a standard user can have.

Path: organizations.maxOrganizationCount
Environment variable: MAX_ORGANIZATION_COUNT_PER_USER
Default value: 10

ORGANIZATION_INVITATION_EXPIRATION_DELAY_DAYS

The number of days an invitation to an organization will be valid.

Path: organizations.invitationExpirationDelayDays
Environment variable: ORGANIZATION_INVITATION_EXPIRATION_DELAY_DAYS
Default value: 7

MAX_USER_ORGANIZATIONS_INVITATIONS_PER_DAY

The maximum number of invitations a user can send per day.

Path: organizations.maxUserInvitationsPerDay
Environment variable: MAX_USER_ORGANIZATIONS_INVITATIONS_PER_DAY
Default value: 30

IS_FREE_PLAN_UNLIMITED

Whether the free plan is unlimited, meaning it has no limits on the number of documents, tags, and organizations, basically always true for self-hosted instances.

Path: organizationPlans.isFreePlanUnlimited
Environment variable: IS_FREE_PLAN_UNLIMITED
Default value: true

PLANS_PLUS_PLAN_PRICE_ID

The price id of the plus plan (useless for self-hosting).

Path: organizationPlans.plusPlanPriceId
Environment variable: PLANS_PLUS_PLAN_PRICE_ID
Default value: change-me

PLANS_FAMILY_PLAN_PRICE_ID

The price id of the family plan (useless for self-hosting).

Path: organizationPlans.familyPlanPriceId
Environment variable: PLANS_FAMILY_PLAN_PRICE_ID
Default value: change-me

STRIPE_API_SECRET_KEY

The API secret key for the Stripe (useless for self-hosting).

Path: subscriptions.stripeApiSecretKey
Environment variable: STRIPE_API_SECRET_KEY
Default value: change-me

STRIPE_WEBHOOK_SECRET

The secret for the Stripe webhook (useless for self-hosting).

Path: subscriptions.stripeWebhookSecret
Environment variable: STRIPE_WEBHOOK_SECRET
Default value: change-me

POSTHOG_ENABLED

Whether to enable PostHog.

Path: tracking.posthog.isEnabled
Environment variable: POSTHOG_ENABLED
Default value: false

POSTHOG_API_KEY

The API key for PostHog.

Path: tracking.posthog.apiKey
Environment variable: POSTHOG_API_KEY
Default value: set-me

POSTHOG_HOST

The host for PostHog.

Path: tracking.posthog.host
Environment variable: POSTHOG_HOST
Default value: https://eu.i.posthog.com

Configuration files

You can configure Papra using standard environment variables or use some configuration files. Papra uses c12 to load configuration files and figue to validate and merge environment variables and configuration files.

The c12 allows you to use the file format you want. The configuration file should be named papra.config.[ext] and should be located in the root of the project or in /app/app-data/ directory in docker container (it can be changed using PAPRA_CONFIG_DIR environment variable).

The supported formats are: json, jsonc, json5, yaml, yml, toml, js, ts, cjs, mjs.

Example of configuration files:

papra.config.yaml
papra.config.json

server:
  baseUrl: https://papra.example.com
  corsOrigins: *

client:
  baseUrl: https://papra.example.com

auth:
  secret: your-secret-key
  isRegistrationEnabled: true
# ...

{
  "$schema": "https://docs.papra.app/papra-config-schema.json",
  "server": {
    "baseUrl": "https://papra.example.com"
  },
  "client": {
    "baseUrl": "https://papra.example.com"
  },
  "auth": {
    "secret": "your-secret-key",
    "isRegistrationEnabled": true
  }
}

When using an IDE, you can use the papra-config-schema.json file to get autocompletion for the configuration file. Just add a $schema property to your configuration file and point it to the schema file.

{
  "$schema": "https://docs.papra.app/papra-config-schema.json",
  // ...
}

You’ll find the complete list of configuration variables with their environment variables equivalents and path for files in the previous section.