Detailed Configuration

All Nid environment variables, defined in the .env file at the project root.


Application

| Variable | Default | Description |
| --- | --- | --- |
| FRONTEND_URL | http://localhost:3000 | Public URL of the application. Used for OAuth2 redirections and callback URI generation |
| APP_PORT | 3000 | Exposed application port (unified production) |
| ARCHIVE_PATH | /archives | Internal Docker path for EML archive storage |
| NODE_ENV | development | Runtime environment (development / production) |
| LOG_LEVEL | info | Log level (debug, info, warn, error) |

JWT (Authentication)

| Variable | Default | Description |
| --- | --- | --- |
| JWT_SECRET | | Required. Signing secret for access tokens. Generate with openssl rand -hex 64 |
| JWT_REFRESH_SECRET | | Required. Signing secret for refresh tokens |
| JWT_EXPIRY | 15m | Access token validity duration |
| JWT_REFRESH_EXPIRY | 30d | Refresh token validity duration |

Security

Use long random secrets (at least 64 hexadecimal characters). Never reuse the same secret for access and refresh tokens.
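
The rules above (both secrets required, at least 64 hexadecimal characters, never shared between access and refresh tokens) can be checked before deployment. The script below is an added example, not part of Nid; the helper names env_get, is_strong_hex and check_jwt_env are hypothetical, and it assumes plain KEY=value lines in the .env file.

```sh
#!/bin/sh
# Added example (not part of Nid): check the JWT secrets in a .env file.

# env_get FILE KEY: print the value of the last KEY= line, surrounding quotes removed.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# is_strong_hex VALUE: succeed if VALUE is hexadecimal only and at least 64 characters.
is_strong_hex() {
    case $1 in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -ge 64 ]
}

# check_jwt_env FILE: print one line per problem (names only, never values)
# and return the number of problems found.
check_jwt_env() {
    problems=0
    for name in JWT_SECRET JWT_REFRESH_SECRET; do
        value=$(env_get "$1" "$name")
        if [ -z "$value" ]; then
            echo "$name: missing (required)"
            problems=$((problems + 1))
        elif ! is_strong_hex "$value"; then
            echo "$name: must be at least 64 hexadecimal characters"
            problems=$((problems + 1))
        fi
    done
    access=$(env_get "$1" JWT_SECRET)
    if [ -n "$access" ] && [ "$access" = "$(env_get "$1" JWT_REFRESH_SECRET)" ]; then
        echo "JWT_SECRET and JWT_REFRESH_SECRET must differ"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample .env: a short secret reused for both token types.
sample=$(mktemp)
printf 'JWT_SECRET=changeme\nJWT_REFRESH_SECRET=changeme\n' > "$sample"
check_jwt_env "$sample" || echo "$? problem(s) found"
rm -f "$sample"
```

Running openssl rand -hex 64 once per variable produces two different 128-character values that pass this check.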


Google OAuth2

| Variable | Default | Description |
| --- | --- | --- |
| GOOGLE_CLIENT_ID | | Required. Client ID from your Google Cloud project |
| GOOGLE_CLIENT_SECRET | | Required. Client Secret from your Google Cloud project |
| GOOGLE_REDIRECT_URI | (derived from FRONTEND_URL) | Callback URI for connecting Gmail accounts |
| GOOGLE_SSO_REDIRECT_URI | (derived from FRONTEND_URL) | Callback URI for Google SSO login |

Automatic derivation in Docker prod

In production, docker-compose.yml automatically derives callback URIs from FRONTEND_URL (e.g. ${FRONTEND_URL}/api/auth/gmail/callback). You only need to set FRONTEND_URL.

In local development (outside Docker), explicitly set GOOGLE_REDIRECT_URI and GOOGLE_SSO_REDIRECT_URI pointing to the backend port (4000).


Social Login (SSO)

In addition to Google SSO, you can enable other authentication providers. Each provider is automatically enabled as soon as its CLIENT_ID and CLIENT_SECRET variables are defined.

Microsoft

| Variable | Description |
| --- | --- |
| MICROSOFT_CLIENT_ID | Client ID from your Microsoft Entra app. Create on portal.azure.com |
| MICROSOFT_CLIENT_SECRET | Client Secret from your Microsoft Entra app |

Discord

| Variable | Description |
| --- | --- |
| DISCORD_CLIENT_ID | Client ID from your Discord app. Create on discord.com/developers |
| DISCORD_CLIENT_SECRET | Client Secret from your Discord app |

Facebook

| Variable | Description |
| --- | --- |
| FACEBOOK_CLIENT_ID | Meta App ID. Create on developers.facebook.com |
| FACEBOOK_CLIENT_SECRET | Meta App Secret |

LinkedIn

| Variable | Description |
| --- | --- |
| LINKEDIN_CLIENT_ID | LinkedIn Client ID. Create on linkedin.com/developers |
| LINKEDIN_CLIENT_SECRET | LinkedIn Client Secret |

Keycloak

| Variable | Description |
| --- | --- |
| KEYCLOAK_REALM_URL | Keycloak realm URL (e.g. https://auth.example.com/realms/myrealm) |
| KEYCLOAK_CLIENT_ID | Keycloak client Client ID |
| KEYCLOAK_CLIENT_SECRET | Keycloak client Client Secret |

Callback URI

For each provider, the callback URI to register in the provider's console is:

{FRONTEND_URL}/api/auth/social/{provider}/callback

Example: http://localhost:3000/api/auth/social/microsoft/callback


Multi-user

| Variable | Default | Description |
| --- | --- | --- |
| ADMIN_EMAIL | (empty) | The user who signs up with this email automatically gets the admin role |
| ALLOW_REGISTRATION | true | false to close registrations (form and SSO). Attempts will return a 403 error |

PostgreSQL

| Variable | Description |
| --- | --- |
| POSTGRES_USER | Database user |
| POSTGRES_PASSWORD | Database password |
| POSTGRES_DB | Database name |
| DATABASE_URL | (automatically derived in Docker) Full connection URL |

Redis

| Variable | Default | Description |
| --- | --- | --- |
| REDIS_URL | redis://redis:6379 | Redis connection URL |
| REDIS_PASSWORD | (empty) | Redis password (recommended in production) |

Gmail API Throttling

The Gmail API enforces quotas (250 units/user/second). These variables control throughput:

| Variable | Default | Description |
| --- | --- | --- |
| GMAIL_BATCH_SIZE | 25 | Number of parallel requests per batch |
| GMAIL_THROTTLE_MS | 1000 | Pause in milliseconds between each batch |
| GMAIL_CONCURRENCY | 10 | Maximum number of concurrent requests to Gmail API |

Tuning

With multiple users active simultaneously, increase GMAIL_THROTTLE_MS or decrease GMAIL_BATCH_SIZE to avoid 429 errors (rate limit).


Remote Storage (S3/MinIO)

In addition to local storage, Nid can archive to an S3-compatible bucket. These variables define the global configuration (all users). Each user can also configure their own S3 storage via the interface.

| Variable | Default | Description |
| --- | --- | --- |
| S3_ENDPOINT | (empty) | S3 server URL (e.g. https://s3.amazonaws.com or https://minio.local:9000). If empty, global S3 storage is disabled |
| S3_REGION | us-east-1 | S3 bucket region |
| S3_BUCKET | nid-archives | Storage bucket name |
| S3_ACCESS_KEY_ID | (empty) | Access Key ID for S3 authentication |
| S3_SECRET_ACCESS_KEY | (empty) | Secret Access Key for S3 authentication |
| S3_FORCE_PATH_STYLE | true | Use path-style for S3 requests. Required for MinIO, disable for AWS S3 |

MinIO in Docker

To use self-hosted MinIO, add a minio service to your docker-compose.yml:

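```yaml
minio:
  image: minio/minio
  command: server /data --console-address ":9001"
  environment:
    # minioadmin/minioadmin are MinIO's default root credentials; set your own values
    MINIO_ROOT_USER: minioadmin
    MINIO_ROOT_PASSWORD: minioadmin
  volumes:
    - minio_data:/data    # named volume; declare it under the top-level volumes: key
  ports:
    - "9000:9000"    # S3 API
    - "9001:9001"    # web console
```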

Then configure:

```bash
S3_ENDPOINT=http://minio:9000
S3_ACCESS_KEY_ID=minioadmin
S3_SECRET_ACCESS_KEY=minioadmin
S3_BUCKET=nid-archives
S3_FORCE_PATH_STYLE=true
```
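
The S3 settings interact in ways that are easy to miss: an empty S3_ENDPOINT disables global storage, S3_FORCE_PATH_STYLE defaults to true but should be disabled for AWS S3, and minioadmin is MinIO's well-known default root credential. The script below is an added example, not part of Nid, that checks a .env file for these cases; env_get and check_s3_env are hypothetical helper names and the sample values are the ones from the MinIO snippet above.

```sh
#!/bin/sh
# Added example (not part of Nid): check the global S3 settings in a .env file.

# env_get FILE KEY: print the value of the last KEY= line, double quotes removed.
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_s3_env FILE: print one finding per line and return the number of findings.
check_s3_env() {
    findings=0
    endpoint=$(env_get "$1" S3_ENDPOINT)
    # An empty S3_ENDPOINT disables global S3 storage, so nothing else applies.
    [ -n "$endpoint" ] || return 0
    for name in S3_ACCESS_KEY_ID S3_SECRET_ACCESS_KEY; do
        value=$(env_get "$1" "$name")
        if [ -z "$value" ]; then
            echo "$name: empty although S3_ENDPOINT is set"
            findings=$((findings + 1))
        elif [ "$value" = minioadmin ]; then
            echo "$name: still the MinIO default credential"
            findings=$((findings + 1))
        fi
    done
    # S3_FORCE_PATH_STYLE defaults to true; the page says to disable it for AWS S3.
    style=$(env_get "$1" S3_FORCE_PATH_STYLE)
    case $endpoint in
        *amazonaws.com*)
            if [ "${style:-true}" != false ]; then
                echo "S3_FORCE_PATH_STYLE: set to false for AWS S3"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}

# Sample .env built from the MinIO values shown on this page.
sample=$(mktemp)
printf 'S3_ENDPOINT=http://minio:9000\nS3_ACCESS_KEY_ID=minioadmin\n' > "$sample"
printf 'S3_SECRET_ACCESS_KEY=minioadmin\nS3_FORCE_PATH_STYLE=true\n' >> "$sample"
check_s3_env "$sample" || echo "$? finding(s)"
rm -f "$sample"
```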

Docker Volumes

Default configuration

```yaml
volumes:
  - ./volumes/archives:/archives    # EML archives
  - postgres_data:/var/lib/postgresql/data
  - redis_data:/data
```

Pointing to a NAS

```yaml
volumes:
  - /volume1/gmail-archives:/archives
```

```yaml
volumes:
  - /mnt/pool/gmail-archives:/archives
```

```yaml
volumes:
  - /path/to/your/archives:/archives
```

API Documentation (Swagger)

The Swagger documentation is available in development at:

http://localhost:4000/docs

In production (unified image):

http://localhost:3000/api/docs

It is automatically generated by @fastify/swagger and lists all endpoints with their schemas.