ThunderHub
Reference

Environment variables

Every environment variable ThunderHub reads, grouped by feature.

ThunderHub reads .env (committed defaults) then .env.local (your overrides). In Docker, pass these with -e VAR=value or via Compose environment:. Every variable is optional unless marked required.

The authoritative source is src/server/config/configuration.ts in the ThunderHub repo.

Server

VariableDefaultDescription
NODE_ENVdevelopmentSet to production for prod builds. Affects JWT secret randomness, encrypted-macaroon support, logging.
PORT3000 (prod), 3001 (dev)HTTP server port.
HOSTlocalhostBind address.
LOG_LEVEL(Winston default)silly, debug, verbose, http, info, warn, or error.
LOG_JSONfalseEmit logs as JSON lines for aggregators.
USE_HTTPSfalseMark session cookies Secure and tighten Helmet CSP. Set when fronted by HTTPS.
BASE_PATH(empty)URL prefix for the app (e.g. /thub). Must be set at build time.
TOR_PROXY_SERVER(empty)SOCKS proxy for outbound HTTP. e.g. socks://127.0.0.1:9050.

Interface

VariableDefaultDescription
THEMEdarkdark or light. Default theme — users can override.
CURRENCYsatsat, btc, or any supported fiat code.

Privacy / external services

VariableDefaultDescription
MEMPOOL_URLhttps://mempool.spaceBase URL for mempool fee + block height lookups.
FETCH_PRICEStrueSet false to skip BTC fiat price fetches.
FETCH_FEEStrueSet false to skip mempool fee fetches.
DISABLE_LINKSfalseSet true to hide external links (block explorers, node directories).
DISABLE_LNMARKETSfalseSet true to hide the LN Markets integration.
NO_VERSION_CHECKfalseSet true to skip the GitHub release check.

Account

VariableDefaultDescription
ACCOUNT_CONFIG_PATH(empty)Path to thubConfig.yaml. See YAML accounts.
MASTER_PASSWORD_OVERRIDE(empty)When set, hashed at boot and used for every YAML account without its own password.
DISABLE_TWOFAfalseSkip TOTP verification at login even for accounts that have a twofaSecret.
YML_ENV_1YML_ENV_4(empty)Placeholder values substituted into accounts[] fields in the YAML.

SSO

VariableDefaultDescription
COOKIE_PATH(empty)Path to the SSO cookie file. ThunderHub reads it on login and rotates it after success.
SSO_SERVER_URL(empty)LiT gRPC endpoint, e.g. 127.0.0.1:10009.
SSO_CERT_PATH(empty)Path to the LiT TLS certificate.
SSO_MACAROON_PATH(empty)Path to the directory containing the LiT macaroons (admin.macaroon is read from there).
SSO_NODE_TYPElndlnd or litd. Controls how the SSO account is wired to providers.
MULTI_SSOfalseEnable multi-SSO mode (switch across multiple SSO configs from the UI).
DANGEROUS_NO_SSO_AUTHfalseSkip the cookie check at login. Dev only. See SSO.
LOGOUT_URL(empty)Redirect URL after logout. Useful with SSO platforms.

Database

VariableDefaultDescription
DB_TYPE(unset)sqlite, postgres, or unset to disable the database. See Database.
DB_SQLITE_PATH(empty)Path to the SQLite file. Required when DB_TYPE=sqlite.
DB_POSTGRES_URL(empty)Postgres connection URL. Required when DB_TYPE=postgres.
DB_ENCRYPTION_KEY(empty)64-char hex string (32 bytes). Enables AES-256-GCM at-rest encryption of DB-stored credentials. Generate with openssl rand -hex 32.

Subscriptions

These toggle the long-lived LND streams that power live dashboard updates.

VariableDefaultDescription
DISABLE_ALL_SUBSfalseDisable every subscription at once.
DISABLE_INVOICE_SUBfalseDisable the invoice subscription.
DISABLE_PAYMENT_SUBfalseDisable the payment subscription.
DISABLE_FORWARD_SUBfalseDisable the forwarding subscription.
DISABLE_CHANNEL_SUBfalseDisable the channel subscription.
DISABLE_BACKUP_SUBfalseDisable the static channel backup subscription.

Amboss

VariableDefaultDescription
DISABLE_HEALTHCHECK_PINGSfalseStop sending periodic health pings to Amboss.
DISABLE_BALANCE_PUSHESfalseStop pushing on-chain / channel balance updates to Amboss.

Throttling

VariableDefaultDescription
THROTTLE_TTL10NestJS Throttler window length in seconds.
THROTTLE_LIMIT10Max requests per window per IP. Public auth mutations stack stricter per-endpoint limits on top.

URL overrides (dev / Amboss)

These let you point ThunderHub at a non-production Amboss backend. Most operators don't need them.

VariableDefaultDescription
SPACE_API_URLderived per networkAmboss Space API.
AMBOSS_AUTH_URLderived per networkAmboss Auth API.
MAGMA_API_URLderived per networkAmboss Magma API.
TRADE_API_URLderived per networkAmboss Trade API.

By default ThunderHub picks *.amboss.tech for mainnet, *-dev.amboss.tech for testnet/mutinynet.

AGENTS.md for AI coding agents

Drop this AGENTS.md into the ThunderHub repo root so AI coding agents have the setup context they need.

YAML schema

Field-by-field reference for thubConfig.yaml — top-level options and per-account fields.

On this page

ServerInterfacePrivacy / external servicesAccountSSODatabaseSubscriptionsAmbossThrottlingURL overrides (dev / Amboss)