Environment:Langgenius Dify Credentials And Env Vars

From Leeroopedia
Knowledge Sources
Domains: Infrastructure, Security
Last Updated: 2026-02-12 08:00 GMT

Overview

Comprehensive environment variable and credential configuration covering 1,500+ variables across backend API, frontend web, and Docker deployment contexts.

Description

Dify uses a layered environment variable system. The backend reads variables via Pydantic settings classes in `api/configs/`. The frontend validates variables at build time using `@t3-oss/env-nextjs` with Zod schemas in `web/env.ts`. Docker maps simplified variable names (e.g., `CONSOLE_API_URL`) to framework-specific names (e.g., `NEXT_PUBLIC_API_PREFIX`) via the web entrypoint script.

The `.env.example` file in the `docker/` directory serves as the single source of truth for all deployment variables, containing 1,500+ lines of configuration organized into sections: core, database, Redis, storage, vector DB, mail, and feature flags.

Usage

Use this environment reference when configuring any Dify deployment. All secrets must be injected at runtime via environment variables or `.env` files. Never hard-code credentials in source code or Docker images.

System Requirements

| Category | Requirement | Notes |
|---|---|---|
| Configuration | `.env` file in `docker/` directory | Copy from `.env.example` and customize |
| Secret Generation | `openssl` command-line tool | For generating `SECRET_KEY` |
| Remote Config (optional) | Apollo or Nacos server | For centralized configuration management |

Dependencies

Backend Config System

  • `pydantic-settings` (Pydantic v2 settings management)
  • `python-dotenv` (`.env` file loading)

Frontend Config System

  • `@t3-oss/env-nextjs` = 0.13.10 (env validation)
  • `zod` = 4.3.6 (schema definition)

Credentials

Required Secrets

  • `SECRET_KEY`: REQUIRED. Application signing key. Generate: `openssl rand -base64 42`. Max 60 chars recommended.
  • `DB_PASSWORD`: Database password. Default: `difyai123456`. Change in production.
  • `REDIS_PASSWORD`: Redis password. Default: `difyai123456`. Change in production.

Service Integration Secrets

  • `CODE_EXECUTION_API_KEY`: Sandbox service key (default: `dify-sandbox`).
  • `PLUGIN_DAEMON_KEY`: Plugin daemon authentication key.
  • `CELERY_BROKER_URL`: Full Redis URL with password for Celery (default: `redis://:difyai123456@redis:6379/1`).

Optional Provider Secrets

  • `MAIL_USERNAME` / `MAIL_PASSWORD`: SMTP credentials for email notifications.
  • `S3_ACCESS_KEY` / `S3_SECRET_KEY`: AWS S3 or compatible storage credentials.
  • `AZURE_BLOB_ACCOUNT_KEY`: Azure Blob Storage key.
  • `GOOGLE_STORAGE_SERVICE_ACCOUNT_JSON_BASE64`: GCS service account (base64 encoded).
  • `SENTRY_DSN` / `NEXT_PUBLIC_SENTRY_DSN`: Sentry error tracking.

Remote Config Secrets (Nacos)

  • `DIFY_ENV_NACOS_USERNAME`: Nacos username.
  • `DIFY_ENV_NACOS_PASSWORD`: Nacos password.
  • `DIFY_ENV_NACOS_ACCESS_KEY`: Nacos AK.
  • `DIFY_ENV_NACOS_SECRET_KEY`: Nacos SK.
  • `DIFY_ENV_NACOS_SERVER_ADDR`: Nacos server address (default: `localhost:8848`).

Quick Install

```bash
# Generate a secure SECRET_KEY
openssl rand -base64 42

# Copy and customize .env
cd docker
cp .env.example .env

# At minimum, set these values:
# SECRET_KEY=<generated-key>
# DB_PASSWORD=<strong-password>
# REDIS_PASSWORD=<strong-password>
```
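
A pre-deployment check for the values above, as an added example (not part of Dify or of this page's original content): it parses a `.env` file and flags an empty `SECRET_KEY`, the defaults this page documents, a `CELERY_BROKER_URL` that still carries the default Redis password, and an `INIT_PASSWORD` over the 30 character limit. The function names and sample values are constructed for illustration, and it assumes an unset variable falls back to the default listed on this page.

```python
from urllib.parse import unquote, urlsplit

# Defaults as listed on this page. Assumption: an unset variable falls back to them.
KNOWN_DEFAULTS = {"DB_PASSWORD": "difyai123456", "REDIS_PASSWORD": "difyai123456",
                  "CODE_EXECUTION_API_KEY": "dify-sandbox"}

# Constructed sample .env content, not taken from a real deployment.
SAMPLE_ENV = """\
SECRET_KEY=
DB_PASSWORD=difyai123456
REDIS_PASSWORD="r3dis-Example-Only"
CODE_EXECUTION_API_KEY=local-sandbox-example
CELERY_BROKER_URL=redis://:difyai123456@redis:6379/1
INIT_PASSWORD=this-initial-admin-password-is-too-long
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks/comments and stripping matching quotes."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env

def audit(env):
    """Return sorted (variable, problem) findings for the secrets named on this page."""
    findings = []
    secret = env.get("SECRET_KEY", "")
    if not secret:
        findings.append(("SECRET_KEY", "missing or empty"))
    elif len(secret) > 60:
        findings.append(("SECRET_KEY", "longer than the recommended 60 characters"))
    for name, default in KNOWN_DEFAULTS.items():
        if env.get(name, default) == default:
            findings.append((name, "unset or still the documented default"))
    broker = env.get("CELERY_BROKER_URL", "")
    broker_pw = unquote(urlsplit(broker).password or "")
    if broker and broker_pw == KNOWN_DEFAULTS["REDIS_PASSWORD"]:
        findings.append(("CELERY_BROKER_URL", "embeds the default Redis password"))
    if len(env.get("INIT_PASSWORD", "")) > 30:
        findings.append(("INIT_PASSWORD", "exceeds the 30 character limit"))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{n}: {p}" for n, p in audit(parse_env(SAMPLE_ENV))), sep="\n")
```

`openssl rand -base64 42` emits 56 characters, so a key generated as shown in Quick Install stays under the 60 character recommendation.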

Code Evidence

Frontend env validation with Zod from `web/env.ts:17-21`:

```ts
const clientSchema = {
  /**
   * Default is not allow to embed into iframe to prevent Clickjacking
   */
  NEXT_PUBLIC_ALLOW_EMBED: coercedBoolean.default(false),
```

Docker entrypoint env mapping from `web/docker/entrypoint.sh:18-24`:

```sh
export NEXT_PUBLIC_DEPLOY_ENV=${DEPLOY_ENV}
export NEXT_PUBLIC_EDITION=${EDITION}
export NEXT_PUBLIC_API_PREFIX=${CONSOLE_API_URL}/console/api
export NEXT_PUBLIC_PUBLIC_API_PREFIX=${APP_API_URL}/api
export NEXT_PUBLIC_MARKETPLACE_API_PREFIX=${MARKETPLACE_API_URL}/api/v1
```

Nacos remote config credentials from `api/configs/remote_settings_sources/nacos/http_request.py:15-19`:

```python
self.username = os.getenv("DIFY_ENV_NACOS_USERNAME")
self.password = os.getenv("DIFY_ENV_NACOS_PASSWORD")
self.ak = os.getenv("DIFY_ENV_NACOS_ACCESS_KEY")
self.sk = os.getenv("DIFY_ENV_NACOS_SECRET_KEY")
self.server = os.getenv("DIFY_ENV_NACOS_SERVER_ADDR", "localhost:8848")
```

Common Errors

| Error Message | Cause | Solution |
|---|---|---|
| `SECRET_KEY must be set` | Missing required secret key | Generate with `openssl rand -base64 42` and set in `.env` |
| `NEXT_PUBLIC_API_PREFIX` returning 404 | Frontend cannot reach backend API | Verify backend is running on the correct port and URL |
| Authentication cookies not working across subdomains | Cookie domain mismatch | Set `COOKIE_DOMAIN` to shared top-level domain (e.g., `example.com`) |
| `INIT_PASSWORD` rejected | Password exceeds 30 character limit | Use a shorter initial admin password |

Compatibility Notes

  • Self-Hosted vs Cloud: `EDITION=SELF_HOSTED` (default) vs `EDITION=CLOUD`. Cloud edition enables billing, marketplace, and additional queue separation.
  • Remote Config: Supports Apollo and Nacos as remote settings sources via `REMOTE_SETTINGS_SOURCE_NAME` variable.
  • Storage Backends: 12+ storage options: opendal (default), S3, Azure Blob, GCS, Aliyun OSS, Tencent COS, Huawei OBS, and more.
  • Feature Flags: 51+ feature toggles control web crawling providers, telemetry, embedding cache, and more.
