
Environment Variable Reference

This reference is derived from active variable reads in the codebase.

Use it as the canonical starting point for deployment config.

Server (wavry-server)

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_LISTEN_ADDR | 0.0.0.0:0 | UDP bind address for host runtime |
| WAVRY_NO_ENCRYPT | false | disable encryption (development/debug only) |
| WAVRY_DISPLAY_ID | unset | force capture display ID |
| WAVRY_GATEWAY_URL | ws://127.0.0.1:3000/ws | signaling gateway URL |
| WAVRY_SESSION_TOKEN | unset | signaling auth/session token |
| WAVRY_ENABLE_WEBRTC | false | enable WebRTC bridge path |
| WAVRY_RECORD | false | enable local recording |
| WAVRY_RECORD_DIR | recordings | recording output directory |
| WAVRY_RECORD_QUALITY | standard | recording quality preset |
| WAVRY_FILE_OUT_DIR | received-files | incoming file transfer output directory |
| WAVRY_FILE_MAX_BYTES | code default (DEFAULT_MAX_FILE_BYTES) | max inbound file size |
| WAVRY_FILE_TRANSFER_SHARE_PERCENT | 15.0 | max video bitrate share for file transfer |
| WAVRY_FILE_TRANSFER_MIN_KBPS | 256 | file-transfer bandwidth floor |
| WAVRY_FILE_TRANSFER_MAX_KBPS | 4096 | file-transfer bandwidth cap |
| WAVRY_AUDIO_SOURCE | system | audio route (system, microphone, app:<name>, disabled) |
| WAVRY_SERVER_ALLOW_PUBLIC_BIND | false | allow non-loopback host bind |

Client Runtime (wavry-client and shared signaling/client paths)

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_ALLOW_INSECURE_NO_ENCRYPT | false | allow --no-encrypt mode |
| WAVRY_CLIENT_ALLOW_PUBLIC_CONNECT | false | allow non-loopback targets in insecure mode |
| WAVRY_ALLOW_INSECURE_SIGNALING | false | permit insecure signaling URLs in guarded paths |
| WAVRY_SIGNALING_TLS_PINS_SHA256 | unset | optional cert pin hashes for signaling |
| WAVRY_ENVIRONMENT_PRODUCTION | false | enforce production signaling/TOTP guardrails |
| WAVRY_ENVIRONMENT | unset | if set to production, enables production guardrails |

Gateway (wavry-gateway)

Core runtime

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_GATEWAY_BIND_ADDR | 0.0.0.0:3000 | HTTP bind address |
| WAVRY_ALLOW_PUBLIC_BIND | false | allow non-loopback HTTP bind |
| DATABASE_URL | sqlite:gateway.db | SQLx database DSN |
| RUST_LOG | wavry_gateway=info,tower_http=info | logging filter |
| WAVRY_GATEWAY_RELAY_PORT | 0 | UDP relay helper bind port |
| WAVRY_GATEWAY_RELAY_BIND_ADDR | 127.0.0.1:<relay_port> | gateway-local relay bind addr |
| WAVRY_GATEWAY_RELAY_ALLOW_PUBLIC_BIND | false | allow non-loopback gateway relay bind |
| WAVRY_RELAY_SESSION_TTL_SECS | 300 (min 30) | gateway relay session TTL |
| WAVRY_RELAY_SESSION_LIMIT | 4096 | max in-memory relay sessions |
| WAVRY_RELAY_PUBLIC_ADDR | 127.0.0.1:3478 | relay address advertised to clients |
| WAVRY_WS_MAX_CONNECTIONS | 4096 | max concurrent WS signaling connections |
| WAVRY_WS_MAX_PER_IP | 16 | per-IP WS connection cap |
| WAVRY_ENABLE_INSECURE_WEBTRANSPORT_RUNTIME | false | enable runtime-gated WebTransport server |
| WEBTRANSPORT_BIND_ADDR | 0.0.0.0:0 | WebTransport bind address when enabled |
| ADMIN_PANEL_TOKEN | unset | bearer token for admin routes (required to enable admin panel) |

CORS / Origin policy

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_ALLOWED_ORIGINS | built-in localhost set | comma-separated allowed browser origins |
| WAVRY_CORS_ALLOW_ANY | false | permissive CORS (development only) |
| WAVRY_WS_REQUIRE_ORIGIN | true | require Origin for WS upgrade |
| WAVRY_WS_ALLOW_MISSING_ORIGIN | false | allow missing Origin header on WS |

Rate limiting and edge hardening

| Variable | Default |
|---|---|
| WAVRY_AUTH_RATE_LIMIT | 20 |
| WAVRY_AUTH_RATE_WINDOW_SECS | 60 |
| WAVRY_AUTH_RATE_MAX_KEYS | 10000 |
| WAVRY_POST_AUTH_RATE_LIMIT | 60 |
| WAVRY_POST_AUTH_RATE_WINDOW_SECS | 60 |
| WAVRY_POST_AUTH_RATE_MAX_KEYS | 50000 |
| WAVRY_WEBRTC_RATE_LIMIT | 120 |
| WAVRY_WEBRTC_RATE_WINDOW_SECS | 60 |
| WAVRY_WEBRTC_RATE_MAX_KEYS | 50000 |
| WAVRY_WS_BIND_RATE_LIMIT | 10 |
| WAVRY_WS_BIND_RATE_WINDOW_SECS | 60 |
| WAVRY_WS_BIND_RATE_MAX_KEYS | 50000 |
| WAVRY_GLOBAL_RATE_LIMIT | 600 |
| WAVRY_GLOBAL_RATE_WINDOW_SECS | 60 |
| WAVRY_GLOBAL_RATE_MAX_KEYS | 200000 |
| WAVRY_TRUST_PROXY_HEADERS | false |

TOTP key management

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_TOTP_KEY_B64 | unset | base64 32-byte key for encrypted stored TOTP secret |
| WAVRY_ALLOW_INSECURE_TOTP | false | allow plaintext TOTP secret mode in non-production |

Master (wavry-master)

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_MASTER_ALLOWED_ORIGINS | localhost/tauri defaults | allowed origins for CORS + WS checks |
| WAVRY_MASTER_CORS_ALLOW_ANY | false | permissive CORS mode |
| WAVRY_MASTER_WS_REQUIRE_ORIGIN | true | require Origin on master WS |
| WAVRY_MASTER_WS_ALLOW_MISSING_ORIGIN | false | allow missing Origin on master WS |
| WAVRY_MASTER_ALLOW_PUBLIC_BIND | false | allow non-loopback bind |
| WAVRY_MASTER_INSECURE_DEV | false | insecure dev auth mode toggle (feature-gated) |
| WAVRY_MASTER_SIGNING_KEY | unset | signing key (hex) for relay lease tokens |
| WAVRY_MASTER_KEY_FILE | unset | path to signing key file (hex) |
| WAVRY_MASTER_KEY_ID | derived from public key | active signing key identifier embedded in lease claims |
| WAVRY_MASTER_LEASE_TTL_SECS | 900 (clamped 60..3600) | relay lease token lifetime in seconds |
| ADMIN_PANEL_TOKEN | unset | bearer token for admin endpoints |

Relay (wavry-relay)

| Variable | Default | Purpose |
|---|---|---|
| WAVRY_RELAY_LISTEN | 0.0.0.0:4000 | UDP listen address |
| WAVRY_MASTER_URL | http://localhost:8080 | master server URL |
| WAVRY_RELAY_MASTER_PUBLIC_KEY | unset | relay-side verification key |
| WAVRY_RELAY_ALLOW_INSECURE_DEV | false | allow missing verification key in dev mode |
| WAVRY_ALLOW_INSECURE_RELAY | false | hard override required to run insecure relay mode |
| WAVRY_RELAY_REGION | unset | relay metadata region |
| WAVRY_RELAY_ASN | unset | relay metadata ASN |
| WAVRY_RELAY_MAX_BITRATE | 20000 | relay advertised max bitrate (kbps) |
| WAVRY_RELAY_HEALTH_LISTEN | 127.0.0.1:9091 | relay HTTP health/readiness/metrics bind |
| WAVRY_RELAY_ALLOW_PUBLIC_BIND | false | allow non-loopback relay bind |

Web / VR / Platform-Specific

| Variable | Default | Component |
|---|---|---|
| WAVRY_WT_CERT | cert.pem | web transport runtime cert path (wavry-web) |
| WAVRY_WT_KEY | key.pem | web transport runtime key path (wavry-web) |
| WAVRY_USE_VULKAN | unset (presence enables) | Linux OpenXR path toggle (wavry-vr-openxr) |

Security Guidance

  • Prefer explicit allowlists (WAVRY_ALLOWED_ORIGINS, WAVRY_MASTER_ALLOWED_ORIGINS) over wildcard mode.
  • Keep all ALLOW_INSECURE* and *_ALLOW_PUBLIC_BIND flags disabled in production by default.
  • Set WAVRY_TOTP_KEY_B64 for production to avoid insecure secret handling paths.
  • Always set ADMIN_PANEL_TOKEN to a high-entropy value if admin APIs are exposed.
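
A pre-deployment check for the guidance above, as an added example (not code from the Wavry project). It takes an environment mapping and reports insecure toggles left on, a missing or malformed WAVRY_TOTP_KEY_B64, and a weak ADMIN_PANEL_TOKEN. Assumptions: the accepted "off" spellings, the standard base64 alphabet, and the token-strength heuristic are illustrative, and `audit_env` is a hypothetical name.

```python
import base64
import binascii
import fnmatch
import os
import sys

# Name patterns from the Security Guidance bullets, widened to "*INSECURE*" so the
# other insecure toggles in the tables (e.g. WAVRY_MASTER_INSECURE_DEV) are caught.
RISKY_PATTERNS = ("*INSECURE*", "*_ALLOW_PUBLIC_BIND", "*_CORS_ALLOW_ANY")
DEV_ONLY_FLAGS = ("WAVRY_NO_ENCRYPT",)  # table: "development/debug only"
# Assumption: any value outside this set counts as enabled; the page does not
# say how the Wavry binaries parse booleans.
OFF_VALUES = {"", "0", "false", "no", "off"}
MIN_TOKEN_CHARS = 32  # assumption: heuristic floor, not a Wavry requirement


def audit_env(env):
    """Return sorted findings for a production environment mapping."""
    findings = []
    for name, value in env.items():
        risky = name in DEV_ONLY_FLAGS or any(
            fnmatch.fnmatchcase(name, pat) for pat in RISKY_PATTERNS)
        if risky and value.strip().lower() not in OFF_VALUES:
            findings.append(f"{name}: must stay disabled in production")

    key_b64 = env.get("WAVRY_TOTP_KEY_B64", "")
    if not key_b64:
        findings.append("WAVRY_TOTP_KEY_B64: unset")
    else:
        try:  # assumption: standard base64 alphabet with padding
            key = base64.b64decode(key_b64, validate=True)
        except (binascii.Error, ValueError):
            key = b""
        if len(key) != 32:
            findings.append("WAVRY_TOTP_KEY_B64: not base64 of a 32-byte key")

    # Unset token is fine: the gateway table says the admin panel needs it to enable.
    token = env.get("ADMIN_PANEL_TOKEN")
    if token is not None and (len(token) < MIN_TOKEN_CHARS or len(set(token)) < 10):
        findings.append("ADMIN_PANEL_TOKEN: too short or repetitive")
    return sorted(findings)


if __name__ == "__main__":
    problems = audit_env(os.environ)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run as a script, it audits the current process environment and exits non-zero on any finding, so it can gate a deployment step.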