🛠 This page is for engineering teams self-hosting their own Lightdash instance. If you want to configure any of these settings, please speak to the Lightdash team or your Lightdash administrators.
Postgres database
These variables configure the Postgres database Lightdash uses to store its own application data (not your warehouse).
Lightdash also accepts all standard postgres environment variables.
Server and networking
Core variables that control how the Lightdash server runs, how it’s reached, and how sessions and cookies behave.Licensing
Query limits and behavior
Control how many rows a query can return, page sizes, exports, and chart-version retention.Scheduler
Variables that control the scheduler worker and background cleanup jobs.Headless browser
Configure the headless browser used for screenshots and PDF exports.The headless-browser container has its own session timeout (for example, browserless v2’s
TIMEOUT, which defaults to 30 seconds). That value must be greater than or equal to HEADLESS_BROWSER_SCREENSHOT_TIMEOUT_MS, otherwise the browser will terminate the session before Lightdash’s readiness wait expires and the screenshot will fail. If you raise HEADLESS_BROWSER_SCREENSHOT_TIMEOUT_MS for dashboards that legitimately take longer than three minutes to render, raise the browser container’s session timeout to match.Personal access tokens
Variables that control PAT availability and lifetime.Timezone and localization
Soft delete
Configure whether deletions are soft (recoverable) and for how long.Custom metrics
UI customization
Replace default URLs and tweak in-product UI surfaces.Feature toggles
Enable or disable individual product features across the instance.Feature flags
Use these to force feature flags on or off across your deployment regardless of cloud-side targeting or per-organization overrides. Both variables accept a comma-separated list of feature-flag IDs (kebab-case strings — the flag IDs themselves, not env-var names). Useful for local dev flows where you want to toggle flags without touching targeting rules.Athena
Snowflake
SMTP
This is a reference to all the SMTP environment variables that can be used to configure a Lightdash email client.
[1]
EMAIL_SMTP_PASSWORD or EMAIL_SMTP_ACCESS_TOKEN needs to be provided
SSO
These variables enable you to control Single Sign On (SSO) functionality.S3
These variables allow you to configure S3 Object Storage, which is required to self-host Lightdash.Persistent download URLs
When enabled, CSV and dashboard ZIP exports return a stable Lightdash-hosted URL (e.g.https://lightdash.example.com/api/v1/file/{id}) instead of a direct S3 signed URL. Each time this URL is accessed, Lightdash generates a short-lived S3 signed URL and redirects to it — so the underlying URL never goes stale and download links survive IAM credential rotation.
The variables below act as instance-wide defaults. Organization admins can override them per organization (and per channel) from Settings → Organization → Exporting. See Configuring download link expiration.
Scheduled-delivery links longer than 7 days automatically switch to a persistent URL, even if
PERSISTENT_DOWNLOAD_URLS_ENABLED is false. AWS presigned S3 URLs cannot live past 7 days, so this prevents links from silently breaking.Cache
Note that you will need an Enterprise License Key for this functionality.
These variables are deprecated; use the
RESULTS_S3_* versions instead.Logging
Prometheus
Security
Analytics & Event Tracking
AI Analyst
These variables enable you to configure the AI Analyst functionality. Note that you will need an Enterprise Licence Key for this functionality.
The AI Analyst supports multiple providers for flexibility. Choose one of the provider configurations below based on your preferred AI service. OpenAI and Anthropic are the recommended providers as they are the most tested and stable.
Minimum Required Setup
To enable AI Analyst, setAI_COPILOT_ENABLED=true and provide an API key for AI_DEFAULT_PROVIDER (e.g., OPENAI_API_KEY for OpenAI, ANTHROPIC_API_KEY for Anthropic).
OpenAI Configuration
Using an LLM gateway or proxy
If your organization uses an OpenAI-compatible proxy like LiteLLM, you can connect it to Lightdash by settingAI_DEFAULT_PROVIDER=openai and pointing OPENAI_BASE_URL to your proxy URL. For example:
AI_DEFAULT_PROVIDER=openaiOPENAI_API_KEY=<your-proxy-api-key>OPENAI_BASE_URL=<your-proxy-url>OPENAI_MODEL_NAME=<model-name-configured-in-your-proxy>
OPENAI_MODEL_NAME=gpt-4o, your proxy needs to have that model routed to whatever underlying provider you’re using. The same applies for the embedding model.
If you want to expose multiple models through the proxy, use OPENAI_AVAILABLE_MODELS with a comma-separated list of model names.
If your proxy or gateway doesn’t support streaming (SSE) completions, also set OPENAI_SUPPORTS_STREAMING=false. Lightdash will then make a single non-streaming request per model call — the AI agent keeps working unchanged, including the chat UI. Note that while a response is generating no bytes flow through the connection, so make sure any reverse proxy in the path has a read/idle timeout above your longest completion time.
If your gateway enforces Zero Data Retention (ZDR), also set OPENAI_ZERO_DATA_RETENTION=true — otherwise multi-step AI agent conversations with reasoning models will fail.
Anthropic Configuration
Azure AI Configuration
OpenRouter Configuration
AWS Bedrock Configuration
Supported Models
OpenAI:gpt-5.1, gpt-5.2 (default)
Anthropic: claude-sonnet-4-5, claude-haiku-4-5, claude-sonnet-4
AWS Bedrock: claude-sonnet-4-5, claude-haiku-4-5, claude-sonnet-4
Exact model snapshots are automatically assigned (e.g.,
gpt-5.1 → gpt-5.1-2025-11-13).For Bedrock, the region prefix is also added based on
BEDROCK_REGION (e.g., claude-sonnet-4-5 → us.anthropic.claude-sonnet-4-5-20250929-v1:0).Slack Integration
These variables enable you to configure the Slack integration.GitHub Integration
These variables enable you to configure Github integrationsGitLab Integration
These variables enable you to configure the GitLab integration for dbt project sync.Microsoft Teams Integration
These variables enable you to configure Microsoft Teams integration.Google Cloud Platform
These variables enable you to configure Google Cloud Platform integration.Embedding
Note that you will need an Enterprise Licence Key for this functionality.Custom roles
Note that you will need an Enterprise Licence Key for this functionality.Service account
Note that you will need an Enterprise Licence Key for this functionality.SCIM
Note that you will need an Enterprise Licence Key for this functionality.Sentry
These variables enable you to configure Sentry for error tracking.Intercom & Pylon
These variables enable you to configure Intercom and Pylon for customer support and feedback.Kubernetes
These variables enable you to configure Kubernetes integration.Organization appearance
These variables allow you to customize the default appearance settings for your Lightdash instance’s organizations. This color palette will be set for all organizations in your instance. You can’t choose another one while these env vars are set.Pre-aggregates
Enterprise-only. Configure DuckDB-based pre-aggregate result storage.Data apps runtime
Configure the sandboxed runtime that powers data apps. Sandboxes execute through E2B.Managed agent
Enterprise-only. Configures the scheduled managed agent that runs skills on a cron.MCP
Metrics SQL API
Postgres wire protocol endpoint for the semantic layer. See Metrics SQL API.NATS worker
Optional NATS-backed scheduler worker. When enabled, Lightdash publishes scheduler jobs to NATS instead of polling Postgres.Initialize instance
When a new Lightdash instance is created, and there are no orgs and projects. You can initialize a new org and project using ENV variables to simplify the deployment process.Initialization is skipped if you already have an organization and project.On subsequent restarts, only the update instance call is made. However, if you have multiple organizations or projects, the update will fail and the instance will not start. To safely restart without issues, remove the variables specified in the Update instance section below.
Initialize instance is only available on Lightdash Enterprise plans.For more information on our plans, visit our pricing page.
Currently we only support Databricks project types and Github dbt configuration.
Update instance
On server start, we will check the following variables, and update some configuration of the organization or project. If multiple organizations or projects exist, you must setLD_SETUP_ORGANIZATION_UUID and/or LD_SETUP_PROJECT_UUID to target a specific one.
Update instance is only available on Lightdash Enterprise plans.For more information on our plans, visit our pricing page.
Initialize multiple projects
SetLD_SETUP_PROJECTS to a JSON array to provision multiple projects at once. This is a drop-in replacement for the single-project LD_SETUP_PROJECT_* variables described in Initialize instance — when LD_SETUP_PROJECTS is set, the legacy LD_SETUP_PROJECT_* and LD_SETUP_GITHUB_* variables are ignored.
On every boot, Lightdash matches each entry to an existing project by its name: new names are created, existing names are updated in place.
Currently we only support Databricks project types and GitHub dbt configuration for multi-project setup.
Project names are the primary key. Renaming an entry creates a new project rather than renaming the existing one — charts and dashboards will stay on the old project.
Required companion variables
The admin, organization, and API key variables from Initialize instance still apply.LD_SETUP_ADMIN_EMAIL is required — without it, LD_SETUP_PROJECTS is ignored.
Schema
LD_SETUP_PROJECTS must be a JSON array. Each entry has the following shape:
Databricks warehouse fields
GitHub dbt connection fields
Example
Quote the whole value in single quotes in your shell so that
$, backticks, and double quotes inside the JSON are not re-interpreted. When injecting via a secret manager or Kubernetes Secret, no escaping is needed — just paste the JSON as-is.Databricks M2M OAuth example
Use a Databricks Service Principal when you want non-interactive, machine-to-machine authentication instead of a PAT. Lightdash exchanges theclient_id + client_secret for an access token automatically on the first compile and refreshes it as needed — no user interaction is required.
warehouseConnection like this:
M2M is non-interactive by design — Lightdash uses the OAuth client-credentials grant. No browser popup, no per-user sign-in. The Service Principal needs
CAN USE on the SQL warehouse and the appropriate SELECT/USE CATALOG/USE SCHEMA grants on your data.Validation
LD_SETUP_PROJECTS is parsed and validated at boot. Lightdash will fail to start with a descriptive error if any of the following are true:
Migrating from LD_SETUP_PROJECT_*
LD_SETUP_PROJECTS replaces the single-project LD_SETUP_PROJECT_NAME, LD_SETUP_PROJECT_HOST, LD_SETUP_PROJECT_HTTP_PATH, LD_SETUP_PROJECT_PAT, LD_SETUP_PROJECT_SCHEMA, LD_SETUP_PROJECT_CATALOG, LD_SETUP_PROJECT_COMPUTE, LD_SETUP_GITHUB_*, and LD_SETUP_DBT_VERSION variables. When both are set, LD_SETUP_PROJECTS takes precedence and the legacy variables are ignored.
To migrate:
- Move your existing project config into a JSON object (use the existing project’s exact
nameso it is updated in place rather than recreated). - Set
LD_SETUP_PROJECTSto a single-element array containing that object. - Remove the legacy
LD_SETUP_PROJECT_*andLD_SETUP_GITHUB_*variables from your deployment.
Declare user attributes
SetLD_SETUP_USER_ATTRIBUTES to a JSON array to declare user attributes and their group-value mappings as instance config. Lightdash reconciles the array on every deploy, so you no longer need a manual post-deploy API or CLI step to (re)apply attributes after a release.
User attribute setup is only available on Lightdash Enterprise plans.For more information on our plans, visit our pricing page.
name: new names are created, existing names are updated in place. Attributes that are not present in the array are left untouched — this reconcile is non-destructive and never deletes attributes you created in the UI.
Schema
Each entry in the array has the following shape:Example
Group resolution
Group bindings are resolved by group name because group UUIDs aren’t known at deploy time — groups provisioned via SCIM are created by your IdP, not by Lightdash. If a group name ingroups doesn’t match any existing group at the time the deploy runs (for example, because SCIM hasn’t synced it yet), Lightdash logs a warning and skips that mapping rather than failing the deploy. The mapping is retried on the next deploy, so once the group exists the binding reconciles automatically.
Per-user mappings
LD_SETUP_USER_ATTRIBUTES only supports group-based mappings. Per-user (by-email) values still need to be assigned through the UI or API.
Declare group → project access
SetLD_SETUP_GROUP_PROJECT_ACCESS to a JSON array to declare group → project role assignments as instance config. Lightdash reconciles the array on every deploy, so you no longer need to re-apply group access through the UI or API after each release. This is the project-access equivalent of LD_SETUP_USER_ATTRIBUTES.
Group project access setup is only available on Lightdash Enterprise plans and uses groups and (optionally) custom roles, which are Enterprise features.For more information on our plans, visit our pricing page.
Schema
Each entry in the array has the following shape:Example
Group, project, and role resolution
- Groups are resolved by
groupNamebecause group UUIDs aren’t known at deploy time when groups are provisioned via SCIM. - Projects are resolved by
projectUuidwhen set, otherwise byprojectName. - Roles are resolved as a system role first; if the value doesn’t match a system role, Lightdash looks up a custom role with that name.
groupName, or neither projectName nor projectUuid) throw at boot time so configuration errors surface before the instance starts.