Environment Variables for Your Self-Hosted Volta Instance

All configuration for a self-hosted Volta instance is managed through environment variables. When you first set up Volta, you copy .env.example to .env and fill in the values relevant to your deployment. You only need to configure the variables for features you’re actually using — Volta will work with just the required core variables, and you can add optional ones as you enable more features.

This page is for people running their own Volta instance. If you’re using a hosted version of Volta, your instance is already configured — you don’t need to manage environment variables yourself.

Required Variables

These variables must be set for Volta to start. The backend will refuse to launch if JWT_SECRET is missing.

Variable	Description
`DATABASE_URL`	PostgreSQL connection string (e.g. `postgresql://user:password@localhost:5432/voltadb`)
`REDIS_URL`	Redis connection string (e.g. `redis://localhost:6379`)
`JWT_SECRET`	A long, random string used to sign session tokens. Generate with `openssl rand -base64 32`
`BACKEND_URL`	The public URL of the Volta backend API (e.g. `https://api.yourdomain.com`). Used as the base URL for OAuth redirect URIs and media serving.
`FRONTEND_URL`	The public URL where your Volta dashboard is accessible (e.g. `https://app.yourdomain.com`)
`NEXT_PUBLIC_BACKEND_URL`	The backend API URL exposed to the browser (typically the same value as `BACKEND_URL`)

DATABASE_URL="postgresql://volta-user:yourpassword@localhost:5432/volta-db"
REDIS_URL="redis://localhost:6379"
JWT_SECRET="your-long-random-string-here"
BACKEND_URL="https://api.yourdomain.com"
FRONTEND_URL="https://app.yourdomain.com"
NEXT_PUBLIC_BACKEND_URL="https://api.yourdomain.com"

Optional but Recommended

Encryption Key

Setting ENCRYPTION_KEY is strongly recommended for production. It encrypts stored provider credentials and OAuth tokens using AES-256-GCM, which is more secure than the fallback encryption method. Generate one with openssl rand -base64 32 and keep it backed up — losing this key means losing access to stored credentials.

# Generate with: openssl rand -base64 32
ENCRYPTION_KEY="your-generated-key-here"

When ENCRYPTION_KEY is not set, Volta falls back to a legacy AES-256-CBC encryption scheme derived from JWT_SECRET. Existing encrypted data continues to work if you set ENCRYPTION_KEY later.

Email (Invitations)

Volta is invite-only by default. To send invitation emails to new users, configure a Resend account:

RESEND_API_KEY="re_your_api_key"
EMAIL_FROM_ADDRESS="noreply@yourdomain.com"
EMAIL_FROM_NAME="Volta"

If RESEND_API_KEY is not set, users can still be invited — they’ll need to receive the invite link manually. Volta supports entering OAuth credentials directly from the Add Channel popup in the dashboard — you don’t need to add them to your .env file manually for most platforms. Credentials entered through the UI are stored encrypted in the database and used automatically. You may still choose to set credentials in .env if you prefer to manage them centrally or pre-configure them for your team. The full list of social platform variables is in your .env.example file. See the Social Media and Messaging channel guides for per-platform details.

Security Settings

Registration Control

# Disable public registration (invite-only). This is the default.
DISABLE_REGISTRATION=true

With DISABLE_REGISTRATION=true, no one can create an account without an invitation. Run pnpm bootstrap once after installation to create the first admin account, then use Settings → Users → Invite to add additional members.

NOT_SECURED Mode

Never set NOT_SECURED=true in a production environment. This mode disables secure cookie flags and exposes session tokens in response headers — it is intended only for local development where HTTPS is not available.

# For local development only. Comment out or remove for production.
# NOT_SECURED=true

When NOT_SECURED is off (the default), Volta uses httpOnly, secure, and SameSite cookies for session management, and enforces CSRF protection on all state-changing requests.

Public API Rate Limiting

# Requests per hour per organization on the public API (default: 30)
API_LIMIT=30

Full Example

Here’s a minimal production-ready .env configuration:

# Core
DATABASE_URL="postgresql://volta-user:strongpassword@localhost:5432/voltadb"
REDIS_URL="redis://localhost:6379"
JWT_SECRET="generated-with-openssl-rand-base64-32"
ENCRYPTION_KEY="another-generated-key"

# URLs
FRONTEND_URL="https://app.yourdomain.com"
NEXT_PUBLIC_BACKEND_URL="https://api.yourdomain.com"
BACKEND_URL="https://api.yourdomain.com"

# Email invitations
RESEND_API_KEY="re_your_key"
EMAIL_FROM_ADDRESS="noreply@yourdomain.com"
EMAIL_FROM_NAME="Volta"

# Security
DISABLE_REGISTRATION=true

# Storage (see Storage configuration page)
STORAGE_PROVIDER="cloudflare"
CLOUDFLARE_ACCOUNT_ID="..."
CLOUDFLARE_ACCESS_KEY="..."
CLOUDFLARE_SECRET_ACCESS_KEY="..."
CLOUDFLARE_BUCKETNAME="volta-media"
CLOUDFLARE_BUCKET_URL="https://your-bucket.r2.cloudflarestorage.com/"
CLOUDFLARE_REGION="auto"

​Required Variables

​Optional but Recommended

​Encryption Key

​Email (Invitations)

​Social Platform Credentials

​Security Settings

​Registration Control

​NOT_SECURED Mode

​Public API Rate Limiting

​Full Example

Required Variables

Optional but Recommended

Encryption Key

Email (Invitations)

Social Platform Credentials

Security Settings

Registration Control

NOT_SECURED Mode

Public API Rate Limiting

Full Example