Configuration Reference

Complete reference for all environment variables, Docker services, and configuration options in the Creatiq platform.

Environment Variables

App

Variable	Description	Default	Required
`NODE_ENV`	Runtime environment (`development`, `production`)	`production`	No
`PORT`	HTTP port the app listens on	`17000`	No
`CORS_ORIGIN`	Comma-separated allowed origins for CORS	--	Yes (production)
`INTERNAL_API_KEY`	Shared secret for service-to-service calls	--	No
`E2E_TEST_CODE`	When set, relaxes rate limits for E2E testing	--	No

URLs (NEXT_PUBLIC_*)

Variable	Description	Default	Required
`NEXT_PUBLIC_APP_URL`	Public-facing URL (OAuth redirects, Stripe callbacks, email links)	`http://localhost:17000`	No
`NEXT_PUBLIC_API_URL`	API base URL (same host in monolithic setup)	--	No
`NEXT_PUBLIC_BASE_PATH`	Base path prefix when running behind a reverse proxy (e.g. `/creatiq`)	`""` (empty)	No
`NEXT_PUBLIC_ASSET_PREFIX`	Asset prefix for CDN or sub-path deployment	`""` (empty)	No
`NEXT_PUBLIC_DASHBOARD_URL`	URL of the EduAgentic dashboard	--	No

Database (PostgreSQL)

Variable	Description	Default	Required
`DATABASE_URL`	PostgreSQL connection string	--	Yes
`POSTGRES_USER`	PostgreSQL user (used by Docker db service)	--	Yes (Docker)
`POSTGRES_PASSWORD`	PostgreSQL password (used by Docker db service)	--	Yes (Docker)
`POSTGRES_DB`	PostgreSQL database name (used by Docker db service)	--	Yes (Docker)

Redis

Variable	Description	Default	Required
`REDIS_HOST`	Redis hostname	--	No
`REDIS_PORT`	Redis port	`6379`	No
`REDIS_PASSWORD`	Redis password (only if Redis requires authentication)	--	No
`REDIS_URL`	Alternative to `REDIS_HOST` + `REDIS_PORT` (full Redis URL)	--	No

Auth / Keycloak

Variable	Description	Default	Required
`JWT_SECRET`	Secret key for signing JWT tokens. Generate with `openssl rand -base64 32`	--	Yes
`KEYCLOAK_BASE_URL`	Keycloak server URL (internal, for backend calls)	`http://eduagentic-pass:8080`	Yes
`KEYCLOAK_REALM`	Keycloak realm name	`eduagentic`	No
`KEYCLOAK_CLIENT_ID`	Keycloak client ID for Creatiq	`creatiq`	No
`KEYCLOAK_CLIENT_SECRET`	Keycloak client secret	--	Yes
`KEYCLOAK_EXTERNAL_URL`	Public-facing Keycloak URL (for browser redirects)	--	No

AI Providers

Variable	Description	Default	Required
`GEMINI_API_KEY`	Google Gemini API key (primary provider)	--	No
`GEMINI_MODEL`	Gemini model name	`gemini-2.0-flash`	No
`AI_DEFAULT_PROVIDER`	Default AI provider (`gemini`, `anthropic`, `openai`)	`gemini`	No
`AI_MAX_TOKENS`	Maximum tokens for AI generation	`4096`	No
`ANTHROPIC_API_KEY`	Anthropic Claude API key (secondary provider)	--	No
`OPENAI_API_KEY`	OpenAI API key (fallback provider)	--	No
`PEXELS_API_KEY`	Pexels API key for stock image search	--	No

Stripe (Payments)

Variable	Description	Default	Required
`STRIPE_SECRET_KEY`	Stripe secret API key	--	No
`STRIPE_WEBHOOK_SECRET`	Stripe webhook endpoint signing secret	--	No
`STRIPE_PRO_PRICE_ID`	Stripe Price ID for the Pro plan	--	No
`STRIPE_PREMIUM_PRICE_ID`	Stripe Price ID for the Premium plan	--	No

H5P

H5P configuration is defined in code (server/config/h5p.ts) rather than environment variables. Key settings:

Setting	Value
H5P base directory	`<project>/h5p/`
Libraries directory	`<project>/h5p/libraries/`
Content directory	`<project>/h5p/content/`
Temp directory	`<project>/h5p/temp/`
Core API version	`1.27`
Max file size	100 MB
Max total size	500 MB
Content Hub	Enabled
Hub registration endpoint	`https://api.h5p.org/v1/sites`
Hub content types endpoint	`https://api.h5p.org/v1/content-types/`

LTI 1.3

Variable	Description	Default	Required
`LTI_ENCRYPTION_KEY`	Encryption key for LTI 1.3 data	--	Yes (if using LTI)
`LTI_PLATFORM_URL`	LTI platform issuer URL	--	No
`LTI_CLIENT_ID`	LTI client ID assigned by the platform	--	No
`LTI_AUTH_ENDPOINT`	LTI authorization endpoint	--	No
`LTI_TOKEN_ENDPOINT`	LTI token endpoint	--	No
`LTI_AUTH_SERVER`	LTI authorization server URL	--	No
`LTI_PLATFORM_NAME`	Human-readable name for the LTI platform	`LMS Platform`	No
`LTI_KEY_ID`	Key ID for LTI JWT signing	--	No
`LTI_PRIVATE_KEY`	Private key (PEM) for LTI JWT signing	--	No
`LTI_PLATFORM_ISSUER`	Platform issuer identifier	--	No
`LTI_PLATFORM_AUTH_URL`	Platform authentication URL	--	No
`LTI_PLATFORM_TOKEN_URL`	Platform token URL	--	No
`LTI_PLATFORM_JWKS_URL`	Platform JWKS URL	--	No

LTI is automatically disabled at startup when LTI_ENCRYPTION_KEY is missing. The LTI provider exposes these routes (relative to NEXT_PUBLIC_APP_URL):

Route	Purpose
`/lti/login`	OIDC login initiation
`/lti/launch`	Resource launch
`/lti/jwks`	JSON Web Key Set
`/lti/deep-link`	Deep Linking response

xAPI / LRS

Variable	Description	Default	Required
`LRS_ENDPOINT`	LRS xAPI endpoint URL	--	No
`LRS_AUTH`	LRS authorization header (e.g. `Basic <token>`)	--	No

When not set, xAPI statements are stored locally.

i18n

Internationalization is configured in code (server/config/i18n.ts). No environment variables are required.

Setting	Value
Supported languages	`en`, `fr`, `es`, `tr`, `ar`
Fallback language	`en`
RTL languages	`ar`
Language detection order	Query string (`lang`) > `Accept-Language` header > Cookie (`lang`)
Debug logging	Enabled when `NODE_ENV=development` and `DEBUG_I18N=true`

Variable	Description	Default	Required
`DEBUG_I18N`	Enable i18n debug logging (development only)	--	No

Security / Helmet

Variable	Description	Default	Required
`ALLOWED_FRAME_ORIGINS`	Comma-separated origins allowed to embed Creatiq in iframes (CSP `frame-ancestors`)	`'self'`, `http://localhost:9100`, `http://localhost:3000`	No
`NGINX_DOMAIN`	Domain name for nginx; when set, enables `upgrade-insecure-requests` CSP directive	--	No

CSP policy highlights (from server/config/security.ts):

script-src: 'self' 'unsafe-eval' 'unsafe-inline' (required by H5P content rendering)
style-src: 'self' 'unsafe-inline'
img-src: 'self' data: blob: https:
object-src: 'none'

Tenant / Whitelabeling

Variable	Description	Default	Required
`BASE_DOMAIN`	Base domain for tenant resolution in multi-tenant mode	--	No

Central Curriculum API

Variable	Description	Default	Required
`CENTRAL_CURRICULUM_API_URL`	URL of the EduAgentic Central Curriculum API	--	No

Docker Compose Services

Default Profile (Local / Development)

Started with docker compose up -d (production) or docker compose -f docker-compose.dev.yml up -d (development).

Service	Image	Container Name	Internal Port	External Port	Purpose
`eduagentic-creatiq-app`	Custom (Dockerfile)	`eduagentic-creatiq-app`	17000	`${APP_PORT:-17000}`	Next.js application + Express API
`eduagentic-creatiq-db`	`postgres:16-alpine`	`eduagentic-creatiq-db`	5432	`${DB_PORT:-17432}`	PostgreSQL database
`eduagentic-creatiq-redis`	`redis:7-alpine`	`eduagentic-creatiq-redis`	6379	`${REDIS_EXTERNAL_PORT:-17379}`	Redis cache

Production Profile

Started with docker compose --profile production up -d. Includes all default services plus:

Service	Image	Container Name	External Ports	Purpose
`eduagentic-creatiq-nginx`	`nginx:1.27-alpine`	`eduagentic-creatiq-nginx`	80, 443	Reverse proxy with SSL termination

Docker Port Override Variables

Variable	Description	Default
`APP_PORT`	Host port mapped to the app container	`17000`
`DB_PORT`	Host port mapped to PostgreSQL	`17432`
`REDIS_EXTERNAL_PORT`	Host port mapped to Redis	`17379`

Docker Volumes

Volume	Mount Point	Purpose
`eduagentic-creatiq-db-data`	`/var/lib/postgresql/data`	PostgreSQL persistent data
`eduagentic-creatiq-redis-data`	`/data`	Redis persistent data
`eduagentic-creatiq-libraries`	`/app/h5p/libraries`	H5P library files
`eduagentic-creatiq-content`	`/app/h5p/content`	H5P content files
`eduagentic-creatiq-temp`	`/app/h5p/temp`	H5P temporary files

Docker Network

All services join the external network eduagentic-network. Create it before starting:

docker network create eduagentic-network

Resource Limits (Production)

Service	Memory	CPUs
App	2 GB	2.0
PostgreSQL	512 MB	--
Redis	256 MB	--

Next.js Configuration

Defined in next.config.mjs:

Setting	Value
`output`	`standalone`
`basePath`	`NEXT_PUBLIC_BASE_PATH` or `""`
`assetPrefix`	`NEXT_PUBLIC_ASSET_PREFIX` or `""`
`reactStrictMode`	`true`
`transpilePackages`	`@creatiq/ui-sdk`
Remote image domains	`**.h5p.org` (HTTPS)

Environment Validation

At startup, server/lib/env.ts validates environment variables:

Required (app will not start without these):

DATABASE_URL
JWT_SECRET
KEYCLOAK_BASE_URL
KEYCLOAK_CLIENT_SECRET

Optional (warning logged if missing, related feature may be disabled):

KEYCLOAK_REALM
KEYCLOAK_CLIENT_ID
GEMINI_API_KEY
PEXELS_API_KEY
STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET
NEXT_PUBLIC_APP_URL
LTI_PLATFORM_URL
LTI_CLIENT_ID

Configuration & Environment