Optio is configured through environment variables that are injected at deploy time. When deploying with Helm, most of these are set automatically from values.yaml; the table below notes which Helm value corresponds to each variable where applicable.
Application
| Variable | Required | Default | Description |
|---|
DATABASE_URL | Yes | — | PostgreSQL connection string. Example: postgres://user:pass@host:5432/optio. Set automatically when using the bundled PostgreSQL chart; for managed databases, provide via externalDatabase.url in Helm values. |
REDIS_URL | Yes | — | Redis connection string. Example: redis://host:6379. Set automatically when using the bundled Redis chart; for managed Redis, provide via externalRedis.url in Helm values. |
OPTIO_ENCRYPTION_KEY | Yes | — | 32-byte hex key used to encrypt secrets at rest with AES-256-GCM. Generate with openssl rand -hex 32. Set via encryption.key in Helm values. Rotating this key invalidates all stored secrets. |
API_PUBLIC_URL | Yes | — | Publicly reachable base URL of the API server (e.g., https://optio.example.com). Required for OAuth callback URLs to be constructed correctly. |
WEB_PUBLIC_URL | Yes | — | Publicly reachable base URL of the web UI (e.g., https://optio.example.com). Used for OAuth redirects after login. |
OPTIO_RUNTIME | No | kubernetes | Container runtime to use. kubernetes (default) uses the Kubernetes pod API. docker uses the local Docker socket and is not recommended for production. |
Agent concurrency
These variables control how Optio schedules and limits concurrent agent tasks across the cluster.
| Variable | Required | Default | Description |
|---|
OPTIO_MAX_CONCURRENT | No | 5 | Global cap on the total number of tasks in the running or provisioning state at any moment, across all repositories. Increase this for clusters with more available resources. |
OPTIO_REPO_POD_IDLE_MS | No | 600000 (10 min) | How long a repository pod remains alive after its last task finishes, in milliseconds. Increase this value to reduce cold-start latency for repositories with sporadic traffic. |
OPTIO_PR_WATCH_INTERVAL | No | 30000 (30 s) | Interval in milliseconds at which the PR watcher polls GitHub for status updates on open pull requests. Increase to reduce GitHub API usage. |
OPTIO_HEALTH_CHECK_INTERVAL | No | 60000 (60 s) | Interval in milliseconds at which the cleanup worker checks pod health, detects crashes, and removes idle pods. |
Authentication
OPTIO_AUTH_DISABLED=true disables all access control for the web UI and API. It must never be set in a production environment. Any user with network access to the deployment will have full access without authenticating.
OPTIO_AUTH_DISABLED is true, which is only acceptable for local development).
| Variable | Required | Default | Description |
|---|
OPTIO_AUTH_DISABLED | No | false | Set to true to bypass all authentication. Local development only. Helm value: auth.disabled. |
GITHUB_OAUTH_CLIENT_ID | No | — | Client ID for the GitHub OAuth App. Helm value: auth.github.clientId. |
GITHUB_OAUTH_CLIENT_SECRET | No | — | Client secret for the GitHub OAuth App. Helm value: auth.github.clientSecret. |
GOOGLE_OAUTH_CLIENT_ID | No | — | Client ID for the Google OAuth 2.0 App. Helm value: auth.google.clientId. |
GOOGLE_OAUTH_CLIENT_SECRET | No | — | Client secret for the Google OAuth 2.0 App. Helm value: auth.google.clientSecret. |
GITLAB_OAUTH_CLIENT_ID | No | — | Client ID for the GitLab OAuth App. Helm value: auth.gitlab.clientId. |
GITLAB_OAUTH_CLIENT_SECRET | No | — | Client secret for the GitLab OAuth App. Helm value: auth.gitlab.clientSecret. |
GITLAB_OAUTH_BASE_URL | No | https://gitlab.com | Base URL of a self-hosted GitLab instance. Only needed when using GitLab OAuth with a self-hosted GitLab server. Helm value: auth.gitlab.baseUrl. |
Agent runtime
| Variable | Required | Default | Description |
|---|
OPTIO_IMAGE_PULL_POLICY | No | Never | Kubernetes image pull policy for agent pods. Use Never when images are built locally (local development). Use IfNotPresent or Always when images are pulled from a registry. Helm value: agent.imagePullPolicy. |
GitHub
| Variable | Required | Default | Description |
|---|
GITHUB_TOKEN | Yes (for most features) | — | Personal access token or GitHub App token used for PR watching, issue sync, and repository detection. Store this as a secret via the Optio Secrets page rather than as a plain environment variable. |
GITHUB_WEBHOOK_SECRET | No | — | Shared secret used to validate the signature of incoming GitHub webhook payloads. Must match the secret configured in GitHub’s webhook settings. Generate with openssl rand -hex 32. Helm value: webhook.githubSecret. |
