chore: update docs for self hosters (#2816)

2026-06-22 04:12:06 +10:00 · 2026-05-14 15:07:10 +10:00
parent 194b2134cc
commit 999942014e
8 changed files with 119 additions and 404 deletions
@@ -11,6 +11,8 @@
    ·
    <a href="https://documenso.com">Website</a>
    ·
    <a href="https://docs.documenso.com">Documentation</a>
    ·
    <a href="https://github.com/documenso/documenso/issues">Issues</a>
    ·
    <a href="https://documen.so/live">Upcoming Releases</a>
@@ -146,45 +148,7 @@ npm run d
 ### Manual Setup
-Follow these steps to setup Documenso on your local machine:
+Follow the [manual setup guide](https://docs.documenso.com/docs/developers/local-development/manual) to configure Documenso on your local machine.
 1. [Fork this repository](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/about-forks) to your GitHub account.
 After forking the repository, clone it to your local device by using the following command:
 ```sh
 git clone https://github.com/<your-username>/documenso
 ```
 2. Run `npm i` in the root directory
 3. Create your `.env` from the `.env.example`. You can use `cp .env.example .env` to get started with our handpicked defaults.
 4. Set the following environment variables:
   - NEXTAUTH_SECRET
   - NEXT_PUBLIC_WEBAPP_URL
   - NEXT_PRIVATE_DATABASE_URL
   - NEXT_PRIVATE_DIRECT_DATABASE_URL
   - NEXT_PRIVATE_SMTP_FROM_NAME
   - NEXT_PRIVATE_SMTP_FROM_ADDRESS
 5. Create the database schema by running `npm run prisma:migrate-dev`
 6. Run `npm run translate:compile` in the root directory to compile lingui
 7. Run `npm run dev` in the root directory to start
 8. Register a new user at http://localhost:3000/signup
 ---
 - Optional: Seed the database using `npm run prisma:seed -w @documenso/prisma` to create a test user and document.
 - Optional: Create your own signing certificate.
  - To generate your own using these steps and a Linux Terminal or Windows Subsystem for Linux (WSL), see **[Create your own signing certificate](./SIGNING.md)**.
 - Optional: Configure job provider for document reminders.
  - The default local job provider does not support scheduled jobs required for document reminders.
  - To enable reminders, set `NEXT_PRIVATE_JOBS_PROVIDER=inngest` and provide `NEXT_PRIVATE_INNGEST_EVENT_KEY` in your `.env` file.
 ### Run in Gitpod
@@ -204,139 +168,44 @@ If you're a visual learner and prefer to watch a video walkthrough of setting up
 ## Docker
-We provide a Docker container for Documenso, which is published on both DockerHub and GitHub Container Registry.
+We provide official Docker images on [DockerHub](https://hub.docker.com/r/documenso/documenso) and [GitHub Container Registry](https://ghcr.io/documenso/documenso).
- DockerHub: [https://hub.docker.com/r/documenso/documenso](https://hub.docker.com/r/documenso/documenso)
+For setup instructions, see the [Docker Deployment](https://docs.documenso.com/docs/self-hosting/deployment/docker) and [Docker Compose](https://docs.documenso.com/docs/self-hosting/deployment/docker-compose) guides.
 - GitHub Container Registry: [https://ghcr.io/documenso/documenso](https://ghcr.io/documenso/documenso)
 You can pull the Docker image from either of these registries and run it with your preferred container hosting provider.
 Please note that you will need to provide environment variables for connecting to the database, mailserver, and so forth.
 For detailed instructions on how to configure and run the Docker container, please refer to the [Docker README](./docker/README.md) in the `docker` directory.
 ## Self Hosting
-We support a variety of deployment methods, and are actively working on adding more. Stay tuned for updates!
+We support a variety of deployment methods including Docker, Docker Compose, Railway, Kubernetes, and manual deployment.
-### Fetch, configure, and build
+For full instructions, requirements, and configuration details, see the [Self Hosting documentation](https://docs.documenso.com/docs/self-hosting).
-First, clone the code from Github:
+### One-Click Deploys
-```
+#### Railway
 git clone https://github.com/documenso/documenso.git
 ```
 Then, inside the `documenso` folder, copy the example env file:
 ```
 cp .env.example .env
 ```
 The following environment variables must be set:
 - `NEXTAUTH_SECRET`
 - `NEXT_PUBLIC_WEBAPP_URL`
 - `NEXT_PRIVATE_DATABASE_URL`
 - `NEXT_PRIVATE_DIRECT_DATABASE_URL`
 - `NEXT_PRIVATE_SMTP_FROM_NAME`
 - `NEXT_PRIVATE_SMTP_FROM_ADDRESS`
 > If you are using a reverse proxy in front of Documenso, don't forget to provide the public URL for the `NEXT_PUBLIC_WEBAPP_URL` variable!
 Now you can install the dependencies and build it:
 ```
 npm i
 npm run build
 npm run prisma:migrate-deploy
 ```
 Finally, you can start it with:
 ```
 cd apps/remix
 npm run start
 ```
 This will start the server on `localhost:3000`. For now, any reverse proxy can then do the frontend and SSL termination.
 > If you want to run with another port than 3000, you can start the application with `PORT=<PORT> npm run start` from the `apps/remix` folder.
 ### Run as a service
 You can use a systemd service file to run the app. Here is a simple example of the service running on port 3500 (using 3000 by default):
 ```bash
 [Unit]
 Description=documenso
 After=network.target
 [Service]
 Environment=PATH=/path/to/your/node/binaries
 Type=simple
 User=www-data
 WorkingDirectory=/var/www/documenso/apps/remix
 ExecStart=/usr/bin/env PORT=3500 /usr/bin/npm run start
 TimeoutSec=15
 Restart=always
 [Install]
 WantedBy=multi-user.target
 ```
 ### Railway
 [![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/template/bG6D4p)
-### Render
+#### Render
 [![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/documenso/documenso)
-### Koyeb
+#### Koyeb
 [![Deploy to Koyeb](https://www.koyeb.com/static/images/deploy/button.svg)](https://app.koyeb.com/deploy?type=git&repository=github.com/documenso/documenso&branch=main&name=documenso-app&builder=dockerfile&dockerfile=/docker/Dockerfile)
-## Elestio
+#### Elestio
 [![Deploy on Elestio](https://elest.io/images/logos/deploy-to-elestio-btn.png)](https://elest.io/open-source/documenso)
 ## Troubleshooting
 For troubleshooting self-hosted deployments, see the [Troubleshooting guide](https://docs.documenso.com/docs/self-hosting/maintenance/troubleshooting) and [Tips & Common Pitfalls](https://docs.documenso.com/docs/self-hosting/getting-started/tips).
 ### I'm not receiving any emails when using the developer quickstart.
 When using the developer quickstart, an [Inbucket](https://inbucket.org/) server will be spun up in a docker container that will store all outgoing emails locally for you to view.
 The Web UI can be found at http://localhost:9000, while the SMTP port will be on localhost:2500.
 ### Support IPv6
 If you are deploying to a cluster that uses only IPv6, You can use a custom command to pass a parameter to the Remix start command
 For local docker run
 ```bash
 docker run -it -e HOST=:: documenso/documenso:latest npm run start
 ```
 For k8s or docker-compose
 ```yaml
 containers:
  - name: documenso
    image: documenso/documenso:latest
    imagePullPolicy: IfNotPresent
    command:
      - npm
    env:
      - name: HOST
      value: "::"
    args:
       - run
       - start
 ```
 ### I can't see environment variables in my package scripts.
 Wrap your package script with the `with:env` script like such:
@@ -83,6 +83,15 @@ npm run prisma:seed -w @documenso/prisma
 </Step>
 <Step>
 ### Optional: configure job provider
 The default local job provider does not support scheduled jobs required for document reminders.
 See the [Background Jobs](/docs/self-hosting/configuration/background-jobs) page for more information.
 </Step>
 <Step>
 ### Start the application
@@ -105,6 +114,20 @@ Access the Documenso application by visiting `http://localhost:3000` in your web
  certificate](/docs/developers/local-development/signing-certificate)**.
 </Callout>
 ## Running Scripts with Environment Variables
 If a package script does not automatically load your `.env` and `.env.local` files, wrap it with the `with:env` script:
 ```bash
 npm run with:env -- npm run myscript
 ```
 The same works for `npx` when running bin scripts:
 ```bash
 npm run with:env -- npx myscript
 ```
 ## See Also
 - [Developer Quickstart](/docs/developers/local-development/quickstart) - Quick Docker-based setup
@@ -26,8 +26,14 @@ docker --version
 ## Pulling the Docker Image
 The Documenso image is available on both DockerHub and GitHub Container Registry:
 ```bash
 # DockerHub
 docker pull documenso/documenso:latest
 # GitHub Container Registry
 docker pull ghcr.io/documenso/documenso:latest
 ```
 ### Available Tags
@@ -196,6 +202,14 @@ Documenso provides health check endpoints for monitoring:
 | `/api/health`             | Checks database connectivity and certificate status            |
 | `/api/certificate-status` | Returns whether a signing certificate is configured and usable |
 Both endpoints return a JSON response with a `status` field:
 | Status      | Meaning                                                              |
 | ----------- | -------------------------------------------------------------------- |
 | `"ok"`      | Everything is working properly                                       |
 | `"warning"` | Application is running but there are certificate issues              |
 | `"error"`   | Critical issues (database unreachable, missing configuration, etc.)  |
 ### Docker Health Check
 Add a health check to your container:
@@ -3,6 +3,8 @@ title: Getting Started
 description: Requirements and quick start guide for self-hosting Documenso.
 ---
 import { Callout } from 'fumadocs-ui/components/callout';
 <Cards>
  <Card
    title="Requirements"
@@ -15,3 +17,11 @@ description: Requirements and quick start guide for self-hosting Documenso.
    href="/docs/self-hosting/getting-started/quick-start"
  />
 </Cards>
 <Callout type="error">
  **You must generate a signing certificate.** Documenso does not ship with one. Without a
  certificate, the application starts normally but document signing will fail on completion with
  errors.
  Please see all the [requirements](/docs/self-hosting/getting-started/requirements) before proceeding.
 </Callout>
@@ -7,14 +7,29 @@ import { Callout } from 'fumadocs-ui/components/callout';
 ## What You Need
-Documenso requires the following external services:
+Documenso requires the following items and external services:
 | Service       | Purpose                      | Minimum Version |
 | ------------- | ---------------------------- | --------------- |
 | Signing certificate | Digital signature for documents | N/A             |
 | PostgreSQL    | Primary database             | 14+             |
 | SMTP server   | Sending emails to recipients | Any             |
 | Reverse proxy | SSL termination, routing     | Any             |
 ### Signing Certificate
 <Callout type="error">
  Documenso does not ship with a signing certificate. Without one, the application starts normally
  but all document signing will fail. You must generate or provide a `.p12` certificate before going
  to production.
 </Callout>
 Every completed document is digitally signed using an X.509 certificate. You can generate a self-signed certificate for free or use one from a Certificate Authority (CA).
 - [Generate a local certificate](/docs/self-hosting/configuration/signing-certificate/local) — step-by-step instructions to create a `.p12` certificate
 - [All certificate options](/docs/self-hosting/configuration/signing-certificate) — self-signed, CA-issued, and Google Cloud HSM
 ### PostgreSQL Database
 Documenso uses PostgreSQL for all data storage including documents, users, and audit logs. You cannot use MySQL, SQLite, or other databases.
@@ -154,6 +154,34 @@ See [Background Jobs Configuration](/docs/self-hosting/configuration/background-
 ---
 ## IPv6-Only Deployments
 If you are deploying to an environment that uses only IPv6, set the `HOST` environment variable to `::` so the application binds to all IPv6 addresses:
 **Docker:**
 ```bash
 docker run -it -e HOST=:: documenso/documenso:latest npm run start
 ```
 **Kubernetes or Docker Compose:**
 ```yaml
 containers:
  - name: documenso
    image: documenso/documenso:latest
    command:
      - npm
    args:
      - run
      - start
    env:
      - name: HOST
        value: '::'
 ```
 ---
 ## Docker File Permissions
 The Documenso container runs as a non-root user (UID 1001). If you mount files into the container (certificates, configuration), ensure they're readable:
@@ -3,6 +3,8 @@ title: Self-Hosting
 description: Deploy and manage your own Documenso instance for complete control over your data, compliance, and customization.
 ---
 import { Callout } from 'fumadocs-ui/components/callout';
 ## Getting Started
 <Cards>
@@ -18,6 +20,13 @@ description: Deploy and manage your own Documenso instance for complete control
  />
 </Cards>
 <Callout type="error">
  **You must generate a signing certificate.** Documenso does not ship with one. Without a
  certificate, the application starts normally but document signing will fail.
  Please see all the [requirements](/docs/self-hosting/getting-started/requirements) before proceeding.
 </Callout>
 ---
 ## Deployment Options
@@ -1,261 +1,8 @@
 # Docker Setup for Documenso
-The following guide will walk you through setting up Documenso using Docker. You can choose between a production setup using Docker Compose or a standalone container.
+For full instructions on running Documenso with Docker, see the official documentation:
-## Prerequisites
+- [Docker Deployment](https://docs.documenso.com/docs/self-hosting/deployment/docker) — Standalone container with an external database
-
+- [Docker Compose Deployment](https://docs.documenso.com/docs/self-hosting/deployment/docker-compose) — Production setup with PostgreSQL included
-Before you begin, ensure that you have the following installed:
+- [Environment Variables](https://docs.documenso.com/docs/self-hosting/configuration/environment) — Full configuration reference
-
+- [Signing Certificate](https://docs.documenso.com/docs/self-hosting/configuration/signing-certificate) — Set up document signing
 - Docker
 - Docker Compose (if using the Docker Compose setup)
 ## Option 1: Production Docker Compose Setup
 This setup includes a PostgreSQL database and the Documenso application. You will need to provide your own SMTP details via environment variables.
 1. Download the Docker Compose file from the Documenso repository: [compose.yml](https://raw.githubusercontent.com/documenso/documenso/release/docker/production/compose.yml)
 2. Navigate to the directory containing the `compose.yml` file.
 3. Create a `.env` file in the same directory and add your SMTP details as well as a few extra environment variables, following the example below:
 ```
 # Generate random secrets (you can use: openssl rand -hex 32)
 NEXTAUTH_SECRET="<your-secret>"
 NEXT_PRIVATE_ENCRYPTION_KEY="<your-key>"
 NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY="<your-secondary-key>"
 # Your application URL
 NEXT_PUBLIC_WEBAPP_URL="<your-url>"
 # SMTP Configuration
 NEXT_PRIVATE_SMTP_TRANSPORT="smtp-auth"
 NEXT_PRIVATE_SMTP_HOST="<your-host>"
 NEXT_PRIVATE_SMTP_PORT=<your-port>
 NEXT_PRIVATE_SMTP_USERNAME="<your-username>"
 NEXT_PRIVATE_SMTP_PASSWORD="<your-password>"
 NEXT_PRIVATE_SMTP_FROM_NAME="<your-from-name>"
 NEXT_PRIVATE_SMTP_FROM_ADDRESS="<your-from-email>"
 # Certificate passphrase (required)
 NEXT_PRIVATE_SIGNING_PASSPHRASE="<your-certificate-password>"
 ```
 4. Set up your signing certificate. You have three options:
   **Option A: Generate Certificate Inside Container (Recommended)**
   Start your containers first, then generate a self-signed certificate:
   ```bash
   # Start containers
   docker-compose up -d
   # Set certificate password securely (won't appear in command history)
   read -s -p "Enter certificate password: " CERT_PASS
   echo
   # Generate certificate inside container using environment variable
   docker exec -e CERT_PASS="$CERT_PASS" -it documenso-production-documenso-1 bash -c "
     openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
       -keyout /tmp/private.key \
       -out /tmp/certificate.crt \
       -subj '/C=US/ST=State/L=City/O=Organization/CN=localhost' && \
     openssl pkcs12 -export -out /app/certs/cert.p12 \
       -inkey /tmp/private.key -in /tmp/certificate.crt \
       -passout env:CERT_PASS && \
     rm /tmp/private.key /tmp/certificate.crt
   "
   # Restart container
   docker-compose restart documenso
   ```
   **Option B: Use Existing Certificate**
   If you have an existing `.p12` certificate, update the volume binding in `compose.yml`:
   ```yaml
   volumes:
     - /path/to/your/cert.p12:/opt/documenso/cert.p12:ro
   ```
 5. Run the following command to start the containers:
 ```
 docker-compose --env-file ./.env up -d
 ```
 This will start the PostgreSQL database and the Documenso application containers.
 6. Access the Documenso application by visiting `http://localhost:3000` in your web browser.
 ## Option 2: Standalone Docker Container
 If you prefer to host the Documenso application on your container provider of choice, you can use the pre-built Docker image from DockerHub or GitHub's Package Registry. Note that you will need to provide your own database and SMTP host.
 1. Pull the Documenso Docker image:
 ```
 docker pull documenso/documenso
 ```
 Or, if using GitHub's Package Registry:
 ```
 docker pull ghcr.io/documenso/documenso
 ```
 2. Run the Docker container, providing the necessary environment variables for your database and SMTP host:
 ```
 docker run -d \
  -p 3000:3000 \
  -e NEXTAUTH_SECRET="<your-nextauth-secret>" \
  -e NEXT_PRIVATE_ENCRYPTION_KEY="<your-next-private-encryption-key>" \
  -e NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY="<your-next-private-encryption-secondary-key>" \
  -e NEXT_PUBLIC_WEBAPP_URL="<your-next-public-webapp-url>" \
  -e NEXT_PRIVATE_INTERNAL_WEBAPP_URL="http://localhost:3000" \
  -e NEXT_PRIVATE_DATABASE_URL="<your-next-private-database-url>" \
  -e NEXT_PRIVATE_DIRECT_DATABASE_URL="<your-next-private-database-url>" \
  -e NEXT_PRIVATE_SMTP_TRANSPORT="<your-next-private-smtp-transport>" \
  -e NEXT_PRIVATE_SMTP_FROM_NAME="<your-next-private-smtp-from-name>" \
  -e NEXT_PRIVATE_SMTP_FROM_ADDRESS="<your-next-private-smtp-from-address>" \
  -e NEXT_PRIVATE_SIGNING_PASSPHRASE="<your-certificate-password>" \
  -v /path/to/your/cert.p12:/opt/documenso/cert.p12:ro \
  documenso/documenso
 ```
 Replace the placeholders with your actual database and SMTP details.
 3. Access the Documenso application by visiting the URL you provided in the `NEXT_PUBLIC_WEBAPP_URL` environment variable in your web browser.
 ## Success
 You have now successfully set up Documenso using Docker. You can start organizing and managing your documents efficiently.
 ## Troubleshooting
 ### Certificate Permission Issues
 If you encounter errors related to certificate access, here are common solutions:
 #### Error: "Failed to read signing certificate"
 1. **Check file exists:**
   ```bash
   ls -la /path/to/your/cert.p12
   ```
 2. **Fix permissions:**
   ```bash
   chmod 644 /path/to/your/cert.p12
   chown 1001:1001 /path/to/your/cert.p12
   ```
 3. **Verify Docker mount:**
   ```bash
   docker exec -it <container_name> ls -la /opt/documenso/cert.p12
   ```
 ### Container Logs
 Check application logs for detailed error information:
 ```bash
 # For Docker Compose
 docker-compose logs -f documenso
 # For standalone container
 docker logs -f <container_name>
 ```
 ### Health Checks
 Check the status of your Documenso instance:
 ```bash
 # Basic health check (database + certificate)
 curl http://localhost:3000/api/health
 # Detailed certificate status
 curl http://localhost:3000/api/certificate-status
 ```
 The health endpoint will show:
 - `status: "ok"` - Everything working properly
 - `status: "warning"` - App running but certificate issues
 - `status: "error"` - Critical issues (database down, etc.)
 ### Common Issues
 1. **Port already in use:** Change the port mapping in compose.yml or your docker run command
 2. **Database connection issues:** Ensure your database is running and accessible
 3. **SMTP errors:** Verify your email server settings in the .env file
 If you encounter any issues or have further questions, please refer to the official Documenso documentation or seek assistance from the community.
 ## Advanced Configuration
 The environment variables listed above are a subset of those that are available for configuring Documenso. For a complete list of environment variables and their descriptions, refer to the table below:
 Here's a markdown table documenting all the provided environment variables:
 | Variable                                                       | Description                                                                                         |
 | -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |
 | `PORT`                                                         | The port to run the Documenso application on, defaults to `3000`.                                   |
 | `NEXTAUTH_SECRET`                                              | The secret key used by NextAuth.js for encryption and signing.                                      |
 | `NEXT_PRIVATE_ENCRYPTION_KEY`                                  | The primary encryption key for symmetric encryption and decryption (at least 32 characters).        |
 | `NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY`                        | The secondary encryption key for symmetric encryption and decryption (at least 32 characters).      |
 | `NEXT_PRIVATE_GOOGLE_CLIENT_ID`                                | The Google client ID for Google authentication (optional).                                          |
 | `NEXT_PRIVATE_GOOGLE_CLIENT_SECRET`                            | The Google client secret for Google authentication (optional).                                      |
 | `NEXT_PUBLIC_WEBAPP_URL`                                       | The URL for the web application.                                                                    |
 | `NEXT_PRIVATE_DATABASE_URL`                                    | The URL for the primary database connection (with connection pooling).                              |
 | `NEXT_PRIVATE_DIRECT_DATABASE_URL`                             | The URL for the direct database connection (without connection pooling).                            |
 | `NEXT_PRIVATE_SIGNING_TRANSPORT`                               | The signing transport to use. Available options: local (default), gcloud-hsm                        |
 | `NEXT_PRIVATE_SIGNING_PASSPHRASE`                              | The passphrase for the key file.                                                                    |
 | `NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS`                     | The base64-encoded contents of the key file, will be used instead of file path.                     |
 | `NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH`                         | The path to the key file, default `/opt/documenso/cert.p12`.                                        |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_KEY_PATH`                     | The Google Cloud HSM key path for the gcloud-hsm signing transport.                                 |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_PATH`         | The path to the Google Cloud HSM public certificate file for the gcloud-hsm transport.              |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_PUBLIC_CRT_FILE_CONTENTS`     | The base64-encoded Google Cloud HSM public certificate for the gcloud-hsm transport.                |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_APPLICATION_CREDENTIALS_CONTENTS` | The base64-encoded Google Cloud Credentials for the gcloud-hsm transport.                           |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_CERT_CHAIN_FILE_PATH`         | The path to the certificate chain file for the gcloud-hsm transport.                                |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_CERT_CHAIN_CONTENTS`          | The base64-encoded certificate chain for the gcloud-hsm transport.                                  |
 | `NEXT_PRIVATE_SIGNING_GCLOUD_HSM_SECRET_MANAGER_CERT_PATH`     | The Google Secret Manager path to retrieve the certificate for the gcloud-hsm transport.            |
 | `NEXT_PRIVATE_SIGNING_TIMESTAMP_AUTHORITY`                     | Comma-separated list of timestamp authority URLs for PDF signing (enables LTV).                     |
 | `NEXT_PUBLIC_SIGNING_CONTACT_INFO`                             | Contact info to embed in PDF signatures. Defaults to the webapp URL.                                |
 | `NEXT_PRIVATE_USE_LEGACY_SIGNING_SUBFILTER`                    | Set to "true" to use legacy adbe.pkcs7.detached subfilter instead of ETSI.CAdES.detached.           |
 | `NEXT_PUBLIC_UPLOAD_TRANSPORT`                                 | The transport to use for file uploads (database or s3).                                             |
 | `NEXT_PRIVATE_UPLOAD_ENDPOINT`                                 | The endpoint for the S3 storage transport (for third-party S3-compatible providers).                |
 | `NEXT_PRIVATE_UPLOAD_FORCE_PATH_STYLE`                         | Whether to force path-style URLs for the S3 storage transport.                                      |
 | `NEXT_PRIVATE_UPLOAD_REGION`                                   | The region for the S3 storage transport (defaults to us-east-1).                                    |
 | `NEXT_PRIVATE_UPLOAD_BUCKET`                                   | The bucket to use for the S3 storage transport.                                                     |
 | `NEXT_PRIVATE_UPLOAD_ACCESS_KEY_ID`                            | The access key ID for the S3 storage transport.                                                     |
 | `NEXT_PRIVATE_UPLOAD_SECRET_ACCESS_KEY`                        | The secret access key for the S3 storage transport.                                                 |
 | `NEXT_PRIVATE_SMTP_TRANSPORT`                                  | The transport to use for sending emails (smtp-auth, smtp-api, resend, or mailchannels).             |
 | `NEXT_PRIVATE_SMTP_HOST`                                       | The host for the SMTP server for SMTP transports.                                                   |
 | `NEXT_PRIVATE_SMTP_PORT`                                       | The port for the SMTP server for SMTP transports.                                                   |
 | `NEXT_PRIVATE_SMTP_USERNAME`                                   | The username for the SMTP server for the `smtp-auth` transport.                                     |
 | `NEXT_PRIVATE_SMTP_PASSWORD`                                   | The password for the SMTP server for the `smtp-auth` transport.                                     |
 | `NEXT_PRIVATE_SMTP_APIKEY_USER`                                | The API key user for the SMTP server for the `smtp-api` transport.                                  |
 | `NEXT_PRIVATE_SMTP_APIKEY`                                     | The API key for the SMTP server for the `smtp-api` transport.                                       |
 | `NEXT_PRIVATE_SMTP_SECURE`                                     | Whether to force the use of TLS for the SMTP server for SMTP transports.                            |
 | `NEXT_PRIVATE_SMTP_UNSAFE_IGNORE_TLS`                          | If true, then no TLS will be used (even if STARTTLS is supported)                                   |
 | `NEXT_PRIVATE_SMTP_FROM_ADDRESS`                               | The email address for the "from" address.                                                           |
 | `NEXT_PRIVATE_SMTP_FROM_NAME`                                  | The sender name for the "from" address.                                                             |
 | `NEXT_PRIVATE_RESEND_API_KEY`                                  | The API key for Resend.com for the `resend` transport.                                              |
 | `NEXT_PRIVATE_MAILCHANNELS_API_KEY`                            | The optional API key for MailChannels (if using a proxy) for the `mailchannels` transport.          |
 | `NEXT_PRIVATE_MAILCHANNELS_ENDPOINT`                           | The optional endpoint for the MailChannels API (if using a proxy) for the `mailchannels` transport. |
 | `NEXT_PRIVATE_MAILCHANNELS_DKIM_DOMAIN`                        | The domain for DKIM signing with MailChannels for the `mailchannels` transport.                     |
 | `NEXT_PRIVATE_MAILCHANNELS_DKIM_SELECTOR`                      | The selector for DKIM signing with MailChannels for the `mailchannels` transport.                   |
 | `NEXT_PRIVATE_MAILCHANNELS_DKIM_PRIVATE_KEY`                   | The private key for DKIM signing with MailChannels for the `mailchannels` transport.                |
 | `NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT`                       | The maximum document upload limit displayed to the user (in MB).                                    |
 | `NEXT_PUBLIC_POSTHOG_KEY`                                      | The optional PostHog key for analytics and feature flags.                                           |
 | `NEXT_PUBLIC_DISABLE_SIGNUP`                                   | Master switch. Set to `true` to disable all signup methods (incl. organisation OIDC portal).        |
 | `NEXT_PUBLIC_DISABLE_EMAIL_PASSWORD_SIGNUP`                    | Set to `true` to disable email/password signup only. SSO signup is unaffected.                      |
 | `NEXT_PUBLIC_DISABLE_GOOGLE_SIGNUP`                            | Set to `true` to block new accounts via Google. Existing Google-linked users can still sign in.     |
 | `NEXT_PUBLIC_DISABLE_MICROSOFT_SIGNUP`                         | Set to `true` to block new accounts via Microsoft. Existing linked users can still sign in.         |
 | `NEXT_PUBLIC_DISABLE_OIDC_SIGNUP`                              | Set to `true` to block new accounts via OIDC (incl. organisation portal). Existing users unaffected.|
 | `NEXT_PRIVATE_ALLOWED_SIGNUP_DOMAINS`                          | Comma-separated list of email domains allowed to sign up (e.g., `example.com,acme.org`).            |