Skip to main content
Zygo is configured entirely through environment variables. This page documents every available setting, organized by category.

Core Application

VariableDefaultDescription
APP_NAMEZygoApplication name displayed in the UI and emails
APP_SUBTITLE(empty)Optional subtitle shown alongside the app name
VERSION1.0.0Application version string
CR_YEAR2026Copyright year displayed in the footer
HOST_NAMElocalhostThe public URL of your Zygo instance (e.g., https://app.zygo.com). Used for generating links in emails and form URLs.
SECRET_KEYchange_secret_keySecret key for signing sessions and tokens. Must be changed in production.
DOC_LINK(empty)URL to your documentation, shown in the UI
Always set a strong, unique SECRET_KEY in production. The default value is insecure and will allow session forgery.

Database

Zygo uses PostgreSQL as its primary database.
VariableDefaultDescription
SQLALCHEMY_DATABASE_URIpostgresql://db1:db1@postgres/db1Full PostgreSQL connection string
The connection string follows the standard format: 
postgresql://username:password@host:port/database
The host, username, password, and database name are automatically parsed from the connection string. You only need to set SQLALCHEMY_DATABASE_URI.

Redis

Redis is used for background job queues and rate limiting.
VariableDefaultDescription
REDIS_URLredis://localhost:6379/0Redis connection string. Also used as the rate limit storage backend.

Authentication

Sessions

VariableDefaultDescription
PERMANENT_SESSION_LIFETIME10Browser session lifetime in hours. After this period, the user must log in again.

Default Admin Account

VariableDefaultDescription
DEFAULT_EMAILadmin@example.comEmail for the default admin account created on first run
DEFAULT_PASSWORDadmin1234567Password for the default admin account
HELP_EMAIL(same as DEFAULT_EMAIL)Contact email shown in help/support contexts
Change DEFAULT_EMAIL and DEFAULT_PASSWORD before your deployment. By default, you will need to update the password when you first login.

Self-Registration

VariableDefaultDescription
ENABLE_SELF_REGISTRATIONfalseAllow new users to create accounts without an invitation. Requires email to be configured.

OAuth / Social Login

VariableDefaultDescription
ENABLE_GOOGLE_AUTHfalseEnable “Sign in with Google”
GOOGLE_CLIENT_ID(none)OAuth 2.0 Client ID from Google Cloud Console
GOOGLE_CLIENT_SECRET(none)OAuth 2.0 Client Secret
To set up Google authentication:
  1. Create a project in the Google Cloud Console
  2. Configure the OAuth consent screen
  3. Create OAuth 2.0 credentials
  4. Add your Zygo callback URL as an authorized redirect URI

Encryption

VariableDefaultDescription
FERNET_KEY(built-in default)Fernet symmetric encryption key used to encrypt credentials and sensitive data at rest. Must be a valid URL-safe base64-encoded 32-byte key.
Generate a new key: 
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
If you change the FERNET_KEY after storing credentials, all previously encrypted data becomes unreadable. Back up and re-encrypt before rotating.

Email

Zygo sends transactional emails for account confirmation, password resets, notifications, and tenant invitations. Two providers are supported.
VariableDefaultDescription
EMAIL_PROVIDERsmtpEmail provider: smtp or mailjet
VariableDefaultDescription
MAIL_SERVERsmtp.googlemail.comSMTP server hostname
MAIL_PORT587SMTP server port
MAIL_USE_TLStrueEnable TLS encryption
MAIL_USERNAME(none)SMTP username
MAIL_PASSWORD(none)SMTP password
MAIL_DEFAULT_SENDER(same as DEFAULT_EMAIL)“From” address on outgoing emails
MAIL_DEBUGfalseLog SMTP protocol details for debugging

Internal API

VariableDefaultDescription
INTERNAL_API_SECRETinternal-secret-change-meShared secret for authenticating requests from internal workers (e.g., background job callbacks). Passed via X-Internal-Secret header.
Change INTERNAL_API_SECRET in production. The default value is publicly known.

Logging

VariableDefaultDescription
LOG_TYPEstreamLog output type
LOG_LEVELINFOMinimum log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
ENABLE_GCP_LOGGINGfalseEnable Google Cloud Platform structured logging

Debugging

VariableDefaultDescription
DEBUG_ENV_VARSSTORAGE_METHODComma-separated list of environment variable names to expose in the frontend for debugging. Do not include sensitive values.

Environments

Zygo ships with three configuration profiles. The active profile is set at startup.
  • Debug mode: off
  • Use for all live deployments
  • Set via: FLASK_CONFIG=default or omit (default)
  • Debug mode: on
  • Hot reloading and verbose error pages
  • Set via: FLASK_CONFIG=development
  • Debug mode: on
  • CSRF protection: disabled
  • Use for automated test suites
  • Set via: FLASK_CONFIG=testing
All three profiles share the same configuration variables — the only differences are DEBUG, TESTING, and WTF_CSRF_ENABLED.

Minimal Production Setup

The minimum environment variables you need to set for a production deployment: 
# Required — security
SECRET_KEY=your-strong-random-secret-key
FERNET_KEY=your-generated-fernet-key
INTERNAL_API_SECRET=your-internal-secret

# Required — infrastructure
SQLALCHEMY_DATABASE_URI=postgresql://user:pass@dbhost:5432/zygo
REDIS_URL=redis://redis-host:6379/0
HOST_NAME=https://app.yourcompany.com

# Required — admin account
DEFAULT_EMAIL=admin@yourcompany.com
DEFAULT_PASSWORD=a-strong-initial-password

# Required — email (pick one provider)
EMAIL_PROVIDER=smtp
MAIL_SERVER=smtp.yourprovider.com
MAIL_USERNAME=your-smtp-user
MAIL_PASSWORD=your-smtp-password
MAIL_DEFAULT_SENDER=noreply@yourcompany.com
After first deployment, log in with the default admin credentials, change the password immediately, and then configure tenants and invite your team.