Skip to main content
🛠 This page is for engineering teams self-hosting their own Lightdash instance. If you want to configure any of these settings, please speak to the Lightdash team or your Lightdash administrators.
This is a reference to all environment variables that can be used to configure a Lightdash deployment.

Postgres database

These variables configure the Postgres database Lightdash uses to store its own application data (not your warehouse). Lightdash also accepts all standard postgres environment variables.

Server and networking

Core variables that control how the Lightdash server runs, how it’s reached, and how sessions and cookies behave.

Licensing

Query limits and behavior

Control how many rows a query can return, page sizes, exports, and chart-version retention.

Scheduler

Variables that control the scheduler worker and background cleanup jobs.

Headless browser

Configure the headless browser used for screenshots and PDF exports.
The headless-browser container has its own session timeout (for example, browserless v2’s TIMEOUT, which defaults to 30 seconds). That value must be greater than or equal to HEADLESS_BROWSER_SCREENSHOT_TIMEOUT_MS, otherwise the browser will terminate the session before Lightdash’s readiness wait expires and the screenshot will fail. If you raise HEADLESS_BROWSER_SCREENSHOT_TIMEOUT_MS for dashboards that legitimately take longer than three minutes to render, raise the browser container’s session timeout to match.

Personal access tokens

Variables that control PAT availability and lifetime.

Timezone and localization

Soft delete

Configure whether deletions are soft (recoverable) and for how long.

Custom metrics

UI customization

Replace default URLs and tweak in-product UI surfaces.

Feature toggles

Enable or disable individual product features across the instance.

Feature flags

Use these to force feature flags on or off across your deployment regardless of cloud-side targeting or per-organization overrides. Both variables accept a comma-separated list of feature-flag IDs (kebab-case strings — the flag IDs themselves, not env-var names). Useful for local dev flows where you want to toggle flags without touching targeting rules.

Athena

Snowflake

SMTP

This is a reference to all the SMTP environment variables that can be used to configure a Lightdash email client. [1] EMAIL_SMTP_PASSWORD or EMAIL_SMTP_ACCESS_TOKEN needs to be provided

SSO

These variables enable you to control Single Sign On (SSO) functionality.

S3

These variables allow you to configure S3 Object Storage, which is required to self-host Lightdash.

Persistent download URLs

When enabled, CSV and dashboard ZIP exports return a stable Lightdash-hosted URL (e.g. https://lightdash.example.com/api/v1/file/{id}) instead of a direct S3 signed URL. Each time this URL is accessed, Lightdash generates a short-lived S3 signed URL and redirects to it — so the underlying URL never goes stale and download links survive IAM credential rotation. The variables below act as instance-wide defaults. Organization admins can override them per organization (and per channel) from Settings → Organization → Exporting. See Configuring download link expiration.
Scheduled-delivery links longer than 7 days automatically switch to a persistent URL, even if PERSISTENT_DOWNLOAD_URLS_ENABLED is false. AWS presigned S3 URLs cannot live past 7 days, so this prevents links from silently breaking.

Cache

Note that you will need an Enterprise License Key for this functionality.
These variables are deprecated; use the RESULTS_S3_* versions instead.

Logging

Prometheus

Security

Analytics & Event Tracking

AI Analyst

These variables enable you to configure the AI Analyst functionality. Note that you will need an Enterprise Licence Key for this functionality. The AI Analyst supports multiple providers for flexibility. Choose one of the provider configurations below based on your preferred AI service. OpenAI and Anthropic are the recommended providers as they are the most tested and stable.

Minimum Required Setup

To enable AI Analyst, set AI_COPILOT_ENABLED=true and provide an API key for AI_DEFAULT_PROVIDER (e.g., OPENAI_API_KEY for OpenAI, ANTHROPIC_API_KEY for Anthropic).

OpenAI Configuration

Using an LLM gateway or proxy

If your organization uses an OpenAI-compatible proxy like LiteLLM, you can connect it to Lightdash by setting AI_DEFAULT_PROVIDER=openai and pointing OPENAI_BASE_URL to your proxy URL. For example:
  • AI_DEFAULT_PROVIDER=openai
  • OPENAI_API_KEY=<your-proxy-api-key>
  • OPENAI_BASE_URL=<your-proxy-url>
  • OPENAI_MODEL_NAME=<model-name-configured-in-your-proxy>
Make sure your proxy has the model names correctly mapped. For example, if you set OPENAI_MODEL_NAME=gpt-4o, your proxy needs to have that model routed to whatever underlying provider you’re using. The same applies for the embedding model. If you want to expose multiple models through the proxy, use OPENAI_AVAILABLE_MODELS with a comma-separated list of model names. If your proxy or gateway doesn’t support streaming (SSE) completions, also set OPENAI_SUPPORTS_STREAMING=false. Lightdash will then make a single non-streaming request per model call — the AI agent keeps working unchanged, including the chat UI. Note that while a response is generating no bytes flow through the connection, so make sure any reverse proxy in the path has a read/idle timeout above your longest completion time. If your gateway enforces Zero Data Retention (ZDR), also set OPENAI_ZERO_DATA_RETENTION=true — otherwise multi-step AI agent conversations with reasoning models will fail.

Anthropic Configuration

Azure AI Configuration

OpenRouter Configuration

AWS Bedrock Configuration

Supported Models

OpenAI: gpt-5.1, gpt-5.2 (default) Anthropic: claude-sonnet-4-5, claude-haiku-4-5, claude-sonnet-4 AWS Bedrock: claude-sonnet-4-5, claude-haiku-4-5, claude-sonnet-4
Exact model snapshots are automatically assigned (e.g., gpt-5.1gpt-5.1-2025-11-13).
For Bedrock, the region prefix is also added based on BEDROCK_REGION (e.g., claude-sonnet-4-5us.anthropic.claude-sonnet-4-5-20250929-v1:0).

Slack Integration

These variables enable you to configure the Slack integration.

GitHub Integration

These variables enable you to configure Github integrations

GitLab Integration

These variables enable you to configure the GitLab integration for dbt project sync.

Microsoft Teams Integration

These variables enable you to configure Microsoft Teams integration.

Google Cloud Platform

These variables enable you to configure Google Cloud Platform integration.

Embedding

Note that you will need an Enterprise Licence Key for this functionality.

Custom roles

Note that you will need an Enterprise Licence Key for this functionality.

Service account

Note that you will need an Enterprise Licence Key for this functionality.

SCIM

Note that you will need an Enterprise Licence Key for this functionality.

Sentry

These variables enable you to configure Sentry for error tracking.

Intercom & Pylon

These variables enable you to configure Intercom and Pylon for customer support and feedback.

Kubernetes

These variables enable you to configure Kubernetes integration.

Organization appearance

These variables allow you to customize the default appearance settings for your Lightdash instance’s organizations. This color palette will be set for all organizations in your instance. You can’t choose another one while these env vars are set.

Pre-aggregates

Enterprise-only. Configure DuckDB-based pre-aggregate result storage.

Data apps runtime

Configure the sandboxed runtime that powers data apps. Sandboxes execute through E2B.

Managed agent

Enterprise-only. Configures the scheduled managed agent that runs skills on a cron.

MCP

Metrics SQL API

Postgres wire protocol endpoint for the semantic layer. See Metrics SQL API.

NATS worker

Optional NATS-backed scheduler worker. When enabled, Lightdash publishes scheduler jobs to NATS instead of polling Postgres.

Initialize instance

When a new Lightdash instance is created, and there are no orgs and projects. You can initialize a new org and project using ENV variables to simplify the deployment process.
Initialization is skipped if you already have an organization and project.On subsequent restarts, only the update instance call is made. However, if you have multiple organizations or projects, the update will fail and the instance will not start. To safely restart without issues, remove the variables specified in the Update instance section below.
Initialize instance is only available on Lightdash Enterprise plans.For more information on our plans, visit our pricing page.
Currently we only support Databricks project types and Github dbt configuration.
In order to login as the admin user using SSO, you must enable the following ENV variable too:
This will alow you to link your SSO account with the email provided without using an invitation code.
This email will be trusted, and any user with an OIDC account with that email will access the admin user.

Update instance

On server start, we will check the following variables, and update some configuration of the organization or project. If multiple organizations or projects exist, you must set LD_SETUP_ORGANIZATION_UUID and/or LD_SETUP_PROJECT_UUID to target a specific one.
Update instance is only available on Lightdash Enterprise plans.For more information on our plans, visit our pricing page.

Initialize multiple projects

Set LD_SETUP_PROJECTS to a JSON array to provision multiple projects at once. This is a drop-in replacement for the single-project LD_SETUP_PROJECT_* variables described in Initialize instance — when LD_SETUP_PROJECTS is set, the legacy LD_SETUP_PROJECT_* and LD_SETUP_GITHUB_* variables are ignored. On every boot, Lightdash matches each entry to an existing project by its name: new names are created, existing names are updated in place.
Currently we only support Databricks project types and GitHub dbt configuration for multi-project setup.
Project names are the primary key. Renaming an entry creates a new project rather than renaming the existing one — charts and dashboards will stay on the old project.

Required companion variables

The admin, organization, and API key variables from Initialize instance still apply. LD_SETUP_ADMIN_EMAIL is required — without it, LD_SETUP_PROJECTS is ignored.

Schema

LD_SETUP_PROJECTS must be a JSON array. Each entry has the following shape:

Databricks warehouse fields

GitHub dbt connection fields

Example

Quote the whole value in single quotes in your shell so that $, backticks, and double quotes inside the JSON are not re-interpreted. When injecting via a secret manager or Kubernetes Secret, no escaping is needed — just paste the JSON as-is.

Databricks M2M OAuth example

Use a Databricks Service Principal when you want non-interactive, machine-to-machine authentication instead of a PAT. Lightdash exchanges the client_id + client_secret for an access token automatically on the first compile and refreshes it as needed — no user interaction is required.
If you already have an M2M Service Principal configured for dbt, the field names are different. Map your dbt profile fields to Lightdash’s warehouseConnection like this:
M2M is non-interactive by design — Lightdash uses the OAuth client-credentials grant. No browser popup, no per-user sign-in. The Service Principal needs CAN USE on the SQL warehouse and the appropriate SELECT/USE CATALOG/USE SCHEMA grants on your data.

Validation

LD_SETUP_PROJECTS is parsed and validated at boot. Lightdash will fail to start with a descriptive error if any of the following are true:
Credentials in LD_SETUP_PROJECTS are the source of truth on every boot. If an admin rotates a PAT or OAuth secret in the UI, the next restart will overwrite it with the value from this variable. Keep the variable in sync with your secret manager, or omit a project from the array once you no longer want it managed via env.

Migrating from LD_SETUP_PROJECT_*

LD_SETUP_PROJECTS replaces the single-project LD_SETUP_PROJECT_NAME, LD_SETUP_PROJECT_HOST, LD_SETUP_PROJECT_HTTP_PATH, LD_SETUP_PROJECT_PAT, LD_SETUP_PROJECT_SCHEMA, LD_SETUP_PROJECT_CATALOG, LD_SETUP_PROJECT_COMPUTE, LD_SETUP_GITHUB_*, and LD_SETUP_DBT_VERSION variables. When both are set, LD_SETUP_PROJECTS takes precedence and the legacy variables are ignored. To migrate:
  1. Move your existing project config into a JSON object (use the existing project’s exact name so it is updated in place rather than recreated).
  2. Set LD_SETUP_PROJECTS to a single-element array containing that object.
  3. Remove the legacy LD_SETUP_PROJECT_* and LD_SETUP_GITHUB_* variables from your deployment.

Declare user attributes

Set LD_SETUP_USER_ATTRIBUTES to a JSON array to declare user attributes and their group-value mappings as instance config. Lightdash reconciles the array on every deploy, so you no longer need a manual post-deploy API or CLI step to (re)apply attributes after a release.
User attribute setup is only available on Lightdash Enterprise plans.For more information on our plans, visit our pricing page.
On every boot, Lightdash matches each entry to an existing user attribute by its name: new names are created, existing names are updated in place. Attributes that are not present in the array are left untouched — this reconcile is non-destructive and never deletes attributes you created in the UI.

Schema

Each entry in the array has the following shape:

Example

Group resolution

Group bindings are resolved by group name because group UUIDs aren’t known at deploy time — groups provisioned via SCIM are created by your IdP, not by Lightdash. If a group name in groups doesn’t match any existing group at the time the deploy runs (for example, because SCIM hasn’t synced it yet), Lightdash logs a warning and skips that mapping rather than failing the deploy. The mapping is retried on the next deploy, so once the group exists the binding reconciles automatically.

Per-user mappings

LD_SETUP_USER_ATTRIBUTES only supports group-based mappings. Per-user (by-email) values still need to be assigned through the UI or API.

Declare group → project access

Set LD_SETUP_GROUP_PROJECT_ACCESS to a JSON array to declare group → project role assignments as instance config. Lightdash reconciles the array on every deploy, so you no longer need to re-apply group access through the UI or API after each release. This is the project-access equivalent of LD_SETUP_USER_ATTRIBUTES.
Group project access setup is only available on Lightdash Enterprise plans and uses groups and (optionally) custom roles, which are Enterprise features.For more information on our plans, visit our pricing page.
On every boot, Lightdash matches each entry to a group and project, then either creates the access, updates it if the role differs, or leaves it untouched when it already matches. Group accesses that are not present in the array are left untouched — this reconcile is non-destructive and never removes access you assigned in the UI. This is especially useful for instances that provision groups via SCIM: SCIM group UUIDs aren’t known at deploy time, so this lets you declare role mappings by group name once and have them applied automatically as groups sync from your IdP.

Schema

Each entry in the array has the following shape:

Example

Group, project, and role resolution

  • Groups are resolved by groupName because group UUIDs aren’t known at deploy time when groups are provisioned via SCIM.
  • Projects are resolved by projectUuid when set, otherwise by projectName.
  • Roles are resolved as a system role first; if the value doesn’t match a system role, Lightdash looks up a custom role with that name.
If a group, project, or custom role can’t be resolved at the time the deploy runs (for example, because SCIM hasn’t synced the group yet), Lightdash logs a warning and skips that entry rather than failing the deploy. The entry is retried on the next deploy, so once the group, project, or role exists the access reconciles automatically. Malformed JSON or entries that fail schema validation (e.g. missing groupName, or neither projectName nor projectUuid) throw at boot time so configuration errors surface before the instance starts.