# Configuration

Weavestream is configured entirely through environment variables in `.env`. There are no config files to edit in the source tree.

## Configuration Areas

- [Environment Variables](/configuration/environment/) — complete reference for all variables in `.env`
- [Workspace Settings](/configuration/workspace-settings/) — UI-level settings managed by SUPER_ADMIN
- [Security Configuration](/configuration/security/) — hardening options, rate limits, and auth tuning
- [Key Rotation](/configuration/key-rotation/) — rotating JWT and encryption keys without downtime

## Quick Reference

The most important variables to set before going to production:

| Variable | Why it matters |
|---|---|
| `WEAVESTREAM_VERSION` | Pin to a specific release — never use `latest` in production |
| `APP_URL` | Public URL — must be correct for cookies and presigned URLs |
| `API_URL` | Public API URL — must be reachable from browsers |
| `JWT_SIGNING_KEY` | Session signing — generated by `keygen.sh` |
| `MFA_ENCRYPTION_KEY` | TOTP secret encryption — generated by `keygen.sh` |
| `PASSWORD_ENCRYPTION_KEY` | Credential encryption — generated by `keygen.sh` |
| `POSTGRES_PASSWORD` | Must match the password in `DATABASE_URL` |
| `REDIS_PASSWORD` | Must match the password in `REDIS_URL` |

Generate all secrets in one step:

```bash
./scripts/keygen.sh >> .env
```

Then update `DATABASE_URL` and `REDIS_URL` to include the newly generated passwords.
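
A pre-flight check for the variables in the table above, written as an added example that is not part of Weavestream or its scripts. It assumes plain unquoted `KEY=value` lines and passwords embedded in the URLs without percent-encoding; `env_get`, `url_password` and `check_env` are names chosen for this example.

```bash
# Added example: pre-flight check for a Weavestream .env (not project code).
# Assumes unquoted KEY=value lines and URL passwords that are not
# percent-encoded. Failure messages never print secret values.

env_get() {            # env_get FILE KEY -> last value assigned to KEY
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

url_password() {       # url_password scheme://user:pass@host/db -> pass
  local rest userinfo
  rest="${1#*://}"
  case "$rest" in *@*) ;; *) return 0 ;; esac   # no userinfo, no password
  userinfo="${rest%@*}"                         # text before the last '@'
  case "$userinfo" in *:*) printf '%s\n' "${userinfo#*:}" ;; esac
}

check_env() {          # check_env FILE -> prints problems, returns their count
  local f problems key n
  f="$1"; problems=0
  fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }
  for key in WEAVESTREAM_VERSION APP_URL API_URL JWT_SIGNING_KEY \
             MFA_ENCRYPTION_KEY PASSWORD_ENCRYPTION_KEY \
             POSTGRES_PASSWORD REDIS_PASSWORD DATABASE_URL REDIS_URL; do
    n=$(grep -c "^$key=" "$f" || true)
    [ -n "$(env_get "$f" "$key")" ] || fail "$key is missing or empty"
    # Re-running `keygen.sh >> .env` appends a second copy of each secret.
    [ "$n" -le 1 ] || fail "$key is defined $n times"
  done
  [ "$(env_get "$f" WEAVESTREAM_VERSION)" != latest ] \
    || fail "WEAVESTREAM_VERSION must be pinned, not 'latest'"
  [ "$(url_password "$(env_get "$f" DATABASE_URL)")" = "$(env_get "$f" POSTGRES_PASSWORD)" ] \
    || fail "DATABASE_URL password differs from POSTGRES_PASSWORD"
  [ "$(url_password "$(env_get "$f" REDIS_URL)")" = "$(env_get "$f" REDIS_PASSWORD)" ] \
    || fail "REDIS_URL password differs from REDIS_PASSWORD"
  return "$problems"
}
# Usage after sourcing this file: check_env .env
```

A non-zero return value is the number of failed checks, so the function can gate a deployment step.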
