Advanced config
Databasus runs with sensible defaults out of the box — a standard single-container install needs no configuration at all. Every variable on this page is optional and not needed in 99% of production setups
OAuth
By default Databasus uses email and password sign-in. You can additionally let people sign in with their Google or GitHub account. A provider's button appears as soon as its client ID is set, but sign-in only completes when both the client ID and the client secret are present.
When you register the OAuth application, set its redirect (callback) URL to https://<your-domain>/auth/callback. Because of that redirect, OAuth sign-in needs your instance served over HTTPS on a public domain — see the note below.
HTTPS is required for sign-in and email. OAuth sign-in and email both need your instance reachable over HTTPS on a public domain — OAuth providers redirect the browser back to https://<your-domain>/auth/callback, and links inside emails must open for whoever receives them. A localhost-only or plain-HTTP instance cannot use these features. The simplest way to get HTTPS is the Caddy reverse proxy setup.
Create an OAuth client in the Google Cloud Console (APIs & Services → Credentials → Create credentials → OAuth client ID, application type Web application) and add https://<your-domain>/auth/callback as an authorized redirect URI.
| Variable | Description |
|---|---|
GOOGLE_CLIENT_ID | Client ID of your Google OAuth client. Setting it shows the "Sign in with Google" button. |
GOOGLE_CLIENT_SECRET | Client secret of your Google OAuth client. Required together with the ID for sign-in to work. |
GitHub
Create an OAuth app under GitHub Developer settings (Settings → Developer settings → OAuth Apps → New OAuth App) and set the authorization callback URL to https://<your-domain>/auth/callback.
| Variable | Description |
|---|---|
GITHUB_CLIENT_ID | Client ID of your GitHub OAuth app. Setting it shows the "Sign in with GitHub" button. |
GITHUB_CLIENT_SECRET | Client secret of your GitHub OAuth app. Required together with the ID for sign-in to work. |
Email (SMTP)
Connect an SMTP server so Databasus can send transactional email such as password-reset links and workspace invitations. Email is treated as configured only when both SMTP_HOST and DATABASUS_URL are set — until then, email features stay hidden in the UI.
| Variable | Description |
|---|---|
SMTP_HOST | SMTP server hostname (e.g. smtp.gmail.com). Enables email together with DATABASUS_URL. |
SMTP_PORT | SMTP server port (e.g. 587). Must be a positive integer when SMTP_HOST is set. |
SMTP_USER | Username for SMTP authentication. |
SMTP_PASSWORD | Password for SMTP authentication. For Gmail, use an App Password — not your account password. |
SMTP_FROM | The "From" address on outgoing email. |
DATABASUS_URL | Public base URL of your instance (e.g. https://backup.example.com). Used to build links inside emails. Required together with SMTP_HOST. |
Sign up captcha (Cloudflare Turnstile)
If your instance is reachable from the public internet, you can put a Cloudflare Turnstile challenge on the sign-up and sign-in forms to keep bots out. Both keys come from the Turnstile dashboard, and the challenge activates only when both are set.
To stop external sign-ups entirely rather than just challenging them, you do not need a captcha at all — open Databasus settings → Allow sign up in the UI and turn it off. That closes the sign-up form completely.
| Variable | Description |
|---|---|
CLOUDFLARE_TURNSTILE_SITE_KEY | Public Turnstile site key, used to render the widget in the browser. |
CLOUDFLARE_TURNSTILE_SECRET_KEY | Secret Turnstile key, used by the backend to validate challenge responses. |
Telemetry
Databasus sends anonymous, non-identifying usage telemetry by default. It carries no personal data and helps us understand how the project is used. You can read exactly what is collected in the privacy policy, and you can turn it off completely.
| Variable | Default | Description |
|---|---|---|
IS_DISABLE_ANONYMOUS_TELEMETRY | false | Set to true to disable anonymous usage telemetry. |
Log shipping
By default Databasus keeps its application logs inside the container. If you run central log aggregation, you can ship them to an external VictoriaLogs instance instead. Setting VICTORIA_LOGS_URL enables shipping; the username and password are only needed if your endpoint requires basic auth.
| Variable | Default | Description |
|---|---|---|
VICTORIA_LOGS_URL | — | URL of a VictoriaLogs instance to ship application logs to. Leave unset to keep logs in the container. |
VICTORIA_LOGS_USERNAME | — | Username for the VictoriaLogs endpoint, if it requires basic auth. |
VICTORIA_LOGS_PASSWORD | — | Password for the VictoriaLogs endpoint, if it requires basic auth. |
Analytics script
Databasus can inject your own analytics or tracking snippet — Google Analytics, Plausible, Umami and similar into the app. When ANALYTICS_SCRIPT is set, its value is inserted into the page <head> at startup.
Security warning: the value is injected verbatim as raw HTML and JavaScript and runs with full access to the Databasus UI in every visitor's browser. Only ever set it to a snippet you fully control and trust.
| Variable | Description |
|---|---|
ANALYTICS_SCRIPT | Custom <script> markup injected before the closing </head> tag. Leave unset to add no analytics. |