Skip to main content
Configure Open WebUI behavior using environment variables. This reference documents all available configuration options.

Core Settings

Application

VariableDefaultDescription
ENVdevEnvironment mode: dev, test, or prod
PORT8080Port number for the web server
WEBUI_NAMEOpen WebUICustom name for your instance
WEBUI_BUILD_HASHdev-buildBuild version identifier
DATA_DIR./backend/dataDirectory for storing application data
FRONTEND_BUILD_DIR./buildFrontend build files location
STATIC_DIR./staticStatic files directory
ENABLE_SIGNUPtrueAllow new user registration
DEFAULT_USER_ROLEpendingDefault role for new users

Database

VariableDefaultDescription
DATABASE_URLsqlite:///./data/webui.dbDatabase connection URL
DATABASE_TYPE-Database type: postgresql, sqlite, etc.
DATABASE_USER-Database username
DATABASE_PASSWORD-Database password
DATABASE_HOST-Database host
DATABASE_PORT-Database port
DATABASE_NAME-Database name
DATABASE_SCHEMA-Database schema (PostgreSQL)
DATABASE_POOL_SIZE-Connection pool size
DATABASE_POOL_MAX_OVERFLOW0Max pool overflow connections
DATABASE_POOL_TIMEOUT30Pool connection timeout (seconds)
DATABASE_POOL_RECYCLE3600Connection recycle time (seconds)
DATABASE_ENABLE_SQLITE_WALfalseEnable SQLite WAL mode
DATABASE_ENABLE_SESSION_SHARINGfalseReuse database sessions
ENABLE_DB_MIGRATIONStrueAutomatically run database migrations
RESET_CONFIG_ON_STARTfalseReset configuration on startup

PostgreSQL Example

DATABASE_TYPE=postgresql
DATABASE_USER=openwebui
DATABASE_PASSWORD=your-password
DATABASE_HOST=localhost
DATABASE_PORT=5432
DATABASE_NAME=openwebui
Or use a connection URL: 
DATABASE_URL=postgresql://openwebui:password@localhost:5432/openwebui

AI Model Configuration

Ollama

VariableDefaultDescription
OLLAMA_BASE_URL/ollamaOllama API base URL
USE_OLLAMA_DOCKER-Build with bundled Ollama

OpenAI

VariableDefaultDescription
OPENAI_API_BASE_URL-OpenAI-compatible API base URL
OPENAI_API_KEY-OpenAI API key

Model Caching

VariableDefaultDescription
MODELS_CACHE_TTL1Model list cache TTL (seconds)
ENABLE_CUSTOM_MODEL_FALLBACKfalseEnable custom model fallback
BYPASS_MODEL_ACCESS_CONTROLfalseBypass model access restrictions

Authentication & Security

Core Authentication

VariableDefaultDescription
WEBUI_AUTHtrueEnable authentication (required for security)
WEBUI_SECRET_KEYt0p-s3cr3tSecret key for JWT tokens
ENABLE_INITIAL_ADMIN_SIGNUPfalseAllow initial admin signup
ENABLE_SIGNUP_PASSWORD_CONFIRMATIONfalseRequire password confirmation
ENABLE_PASSWORD_VALIDATIONfalseEnable password validation
PASSWORD_VALIDATION_REGEX_PATTERN(complex)Password validation regex
PASSWORD_VALIDATION_HINT-Password requirements hint
Always set WEBUI_SECRET_KEY to a secure random value in production. Generate one with:
openssl rand -base64 32

Admin Account Creation

Create admin account on startup:
VariableDefaultDescription
WEBUI_ADMIN_EMAIL-Admin email address
WEBUI_ADMIN_PASSWORD-Admin password
WEBUI_ADMIN_NAMEAdminAdmin display name

Session & Cookies

VariableDefaultDescription
WEBUI_SESSION_COOKIE_SAME_SITElaxSession cookie SameSite attribute
WEBUI_SESSION_COOKIE_SECUREfalseSession cookie Secure flag
WEBUI_AUTH_COOKIE_SAME_SITE(session)Auth cookie SameSite attribute
WEBUI_AUTH_COOKIE_SECUREfalseAuth cookie Secure flag
WEBUI_AUTH_SIGNOUT_REDIRECT_URL-Redirect URL after signout

Trusted Headers

VariableDefaultDescription
WEBUI_AUTH_TRUSTED_EMAIL_HEADER-Trusted email header name
WEBUI_AUTH_TRUSTED_NAME_HEADER-Trusted name header name
WEBUI_AUTH_TRUSTED_GROUPS_HEADER-Trusted groups header name

OAuth

VariableDefaultDescription
ENABLE_OAUTH_EMAIL_FALLBACKfalseUse email as fallback for OAuth
ENABLE_OAUTH_ID_TOKEN_COOKIEtrueStore ID token in cookie
OAUTH_CLIENT_INFO_ENCRYPTION_KEY(WEBUI_SECRET_KEY)Encryption key for OAuth client info
OAUTH_SESSION_TOKEN_ENCRYPTION_KEY(WEBUI_SECRET_KEY)Encryption key for OAuth tokens
OAUTH_MAX_SESSIONS_PER_USER10Max concurrent OAuth sessions per user
ENABLE_OAUTH_TOKEN_EXCHANGEfalseAllow OAuth token exchange

SCIM

VariableDefaultDescription
ENABLE_SCIMfalseEnable SCIM 2.0 provisioning
SCIM_TOKEN-SCIM authentication token
SCIM_AUTH_PROVIDER-OAuth provider for SCIM users

RAG & Embeddings

Embedding Models

VariableDefaultDescription
RAG_EMBEDDING_MODELsentence-transformers/all-MiniLM-L6-v2Sentence transformer model
RAG_RERANKING_MODEL-Reranking model
AUXILIARY_EMBEDDING_MODELTaylorAI/bge-micro-v2Auxiliary embedding model
SENTENCE_TRANSFORMERS_HOME./cache/embedding/modelsModel cache directory
RAG_EMBEDDING_TIMEOUT-Embedding operation timeout
RAG_SYSTEM_CONTEXTfalseUse system context for RAG

Sentence Transformers

VariableDefaultDescription
SENTENCE_TRANSFORMERS_BACKENDtorchBackend for sentence transformers
SENTENCE_TRANSFORMERS_MODEL_KWARGS-Model keyword arguments (JSON)
SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKENDtorchCross-encoder backend
SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS-Cross-encoder kwargs (JSON)
SENTENCE_TRANSFORMERS_CROSS_ENCODER_SIGMOID_ACTIVATION_FUNCTIONtrueApply sigmoid to reranking scores

Whisper (Speech-to-Text)

VariableDefaultDescription
WHISPER_MODELbaseWhisper model size
WHISPER_MODEL_DIR./cache/whisper/modelsWhisper model cache

Tiktoken

VariableDefaultDescription
TIKTOKEN_ENCODING_NAMEcl100k_baseTiktoken encoding
TIKTOKEN_CACHE_DIR./cache/tiktokenTiktoken cache directory

Redis

VariableDefaultDescription
REDIS_URL-Redis connection URL
REDIS_CLUSTERfalseUse Redis cluster mode
REDIS_KEY_PREFIXopen-webuiRedis key prefix
REDIS_SENTINEL_HOSTS-Redis Sentinel hosts (comma-separated)
REDIS_SENTINEL_PORT26379Redis Sentinel port
REDIS_SENTINEL_MAX_RETRY_COUNT2Max retries for Sentinel failover
REDIS_SOCKET_CONNECT_TIMEOUT-Socket connection timeout
REDIS_RECONNECT_DELAY-Reconnection delay

WebSocket

VariableDefaultDescription
ENABLE_WEBSOCKET_SUPPORTtrueEnable WebSocket support
WEBSOCKET_MANAGER-WebSocket manager backend
WEBSOCKET_REDIS_URL(REDIS_URL)Redis URL for WebSocket
WEBSOCKET_REDIS_CLUSTER(REDIS_CLUSTER)Use Redis cluster for WebSocket
WEBSOCKET_REDIS_OPTIONS-Redis options (JSON)
WEBSOCKET_REDIS_LOCK_TIMEOUT60Redis lock timeout
WEBSOCKET_SENTINEL_HOSTS-Sentinel hosts for WebSocket
WEBSOCKET_SENTINEL_PORT26379Sentinel port for WebSocket
WEBSOCKET_SERVER_LOGGINGfalseEnable WebSocket server logging
WEBSOCKET_SERVER_ENGINEIO_LOGGINGfalseEnable Engine.IO logging
WEBSOCKET_SERVER_PING_TIMEOUT20WebSocket ping timeout
WEBSOCKET_SERVER_PING_INTERVAL25WebSocket ping interval

HTTP Client

VariableDefaultDescription
REQUESTS_VERIFYtrueVerify SSL certificates
AIOHTTP_CLIENT_TIMEOUT-Default aiohttp timeout
AIOHTTP_CLIENT_SESSION_SSLtrueEnable SSL for aiohttp
AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST10Timeout for model list requests
AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA10Timeout for tool server data
AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSLtrueSSL for tool servers

Chat Configuration

VariableDefaultDescription
ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSIONfalseConvert base64 images to URLs
CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE1Stream delta chunk size
CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES30Max tool call retries
CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE-Max buffer size for streaming
ENABLE_REALTIME_CHAT_SAVEfalseSave chats in real-time
ENABLE_QUERIES_CACHEfalseCache query results

Logging

VariableDefaultDescription
GLOBAL_LOG_LEVELINFOLogging level: DEBUG, INFO, WARNING, ERROR, CRITICAL
LOG_FORMAT-Log format: json for structured logging

Audit Logging

VariableDefaultDescription
ENABLE_AUDIT_STDOUTfalseLog audit events to stdout
ENABLE_AUDIT_LOGS_FILEtrueLog audit events to file
AUDIT_LOGS_FILE_PATH./data/audit.logAudit log file path
AUDIT_LOG_FILE_ROTATION_SIZE10MBLog rotation size
AUDIT_UVICORN_LOGGER_NAMESuvicorn.accessLogger names for audit (comma-separated)
AUDIT_LOG_LEVELNONEAudit level: NONE, METADATA, REQUEST, REQUEST_RESPONSE
MAX_BODY_LOG_SIZE2048Max body size to log (bytes)
AUDIT_EXCLUDED_PATHS/chats,/chat,/foldersPaths to exclude (comma-separated)

OpenTelemetry

VariableDefaultDescription
ENABLE_OTELfalseEnable OpenTelemetry
ENABLE_OTEL_TRACESfalseEnable trace export
ENABLE_OTEL_METRICSfalseEnable metrics export
ENABLE_OTEL_LOGSfalseEnable log export
OTEL_EXPORTER_OTLP_ENDPOINThttp://localhost:4317OTLP endpoint
OTEL_METRICS_EXPORTER_OTLP_ENDPOINT(OTEL_EXPORTER_OTLP_ENDPOINT)Metrics endpoint
OTEL_LOGS_EXPORTER_OTLP_ENDPOINT(OTEL_EXPORTER_OTLP_ENDPOINT)Logs endpoint
OTEL_EXPORTER_OTLP_INSECUREfalseUse insecure connection
OTEL_SERVICE_NAMEopen-webuiService name
OTEL_RESOURCE_ATTRIBUTES-Resource attributes (key1=val1,key2=val2)
OTEL_TRACES_SAMPLERparentbased_always_onTrace sampler
OTEL_OTLP_SPAN_EXPORTERgrpcSpan exporter: grpc or http
OTEL_BASIC_AUTH_USERNAME-Basic auth username
OTEL_BASIC_AUTH_PASSWORD-Basic auth password

Performance

Uvicorn Workers

VariableDefaultDescription
UVICORN_WORKERS1Number of Uvicorn worker processes

Compression

VariableDefaultDescription
ENABLE_COMPRESSION_MIDDLEWAREtrueEnable response compression

User Activity

VariableDefaultDescription
DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL-Update interval for active status
ENABLE_PUBLIC_ACTIVE_USERS_COUNTtrueShow active user count publicly

Network & CORS

VariableDefaultDescription
CORS_ALLOW_ORIGIN*CORS allowed origins
FORWARDED_ALLOW_IPS*Allowed IPs for forwarded headers

Features

VariableDefaultDescription
ENABLE_VERSION_UPDATE_CHECKtrueCheck for updates
OFFLINE_MODEfalseRun in offline mode
SAFE_MODEfalseEnable safe mode
ENABLE_EASTER_EGGStrueEnable easter eggs
ENABLE_FORWARD_USER_INFO_HEADERSfalseForward user info in headers
ENABLE_STAR_SESSIONS_MIDDLEWAREfalseEnable star sessions middleware (experimental)

User Info Headers

VariableDefaultDescription
FORWARD_USER_INFO_HEADER_USER_NAMEX-OpenWebUI-User-NameHeader for username
FORWARD_USER_INFO_HEADER_USER_IDX-OpenWebUI-User-IdHeader for user ID
FORWARD_USER_INFO_HEADER_USER_EMAILX-OpenWebUI-User-EmailHeader for email
FORWARD_USER_INFO_HEADER_USER_ROLEX-OpenWebUI-User-RoleHeader for role

Session Info Headers

VariableDefaultDescription
FORWARD_SESSION_INFO_HEADER_MESSAGE_IDX-OpenWebUI-Message-IdHeader for message ID
FORWARD_SESSION_INFO_HEADER_CHAT_IDX-OpenWebUI-Chat-IdHeader for chat ID

Tools & Extensions

VariableDefaultDescription
ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTStrueAllow pip install from frontmatter
PIP_OPTIONS-Additional pip options
PIP_PACKAGE_INDEX_OPTIONS-pip package index options

PWA

VariableDefaultDescription
EXTERNAL_PWA_MANIFEST_URL-External PWA manifest URL

Groups

VariableDefaultDescription
DEFAULT_GROUP_SHARE_PERMISSIONmembersDefault group share permission: true, false, or members

Telemetry

VariableDefaultDescription
SCARF_NO_ANALYTICStrueDisable Scarf analytics
DO_NOT_TRACKtrueHonor Do Not Track
ANONYMIZED_TELEMETRYfalseEnable anonymized telemetry

Docker-Specific

These are build-time arguments, not runtime environment variables:
Build ArgDefaultDescription
USE_CUDAfalseBuild with CUDA support
USE_OLLAMAfalseBundle Ollama in image
USE_SLIMfalseSlim build without models
USE_CUDA_VERcu128CUDA version: cu117, cu121, cu128
USE_EMBEDDING_MODELsentence-transformers/all-MiniLM-L6-v2Embedding model
USE_RERANKING_MODEL-Reranking model
USE_AUXILIARY_EMBEDDING_MODELTaylorAI/bge-micro-v2Auxiliary model
BUILD_HASHdev-buildBuild hash
UID / GID0User/Group ID
USE_PERMISSION_HARDENINGfalseOpenShift permission hardening

Example Configurations

Basic Production Setup

.env
# Application
ENV=prod
PORT=8080
WEBUI_NAME="My Open WebUI"

# Security
WEBUI_SECRET_KEY=<generate-random-key>
WEBUI_SESSION_COOKIE_SECURE=true
WEBUI_AUTH_COOKIE_SECURE=true

# Database
DATABASE_URL=postgresql://user:pass@localhost:5432/openwebui

# AI Models
OLLAMA_BASE_URL=http://ollama:11434
OPENAI_API_KEY=sk-...

# CORS
CORS_ALLOW_ORIGIN=https://myapp.com

# Telemetry
SCARF_NO_ANALYTICS=true
DO_NOT_TRACK=true

Scaled Deployment with Redis

.env
# Application
UVICORN_WORKERS=4
ENV=prod

# Database
DATABASE_URL=postgresql://user:pass@postgres:5432/openwebui
DATABASE_POOL_SIZE=20

# Redis
REDIS_URL=redis://redis:6379/0
WEBSOCKET_MANAGER=redis
WEBSOCKET_REDIS_URL=redis://redis:6379/0

# Security
WEBUI_SECRET_KEY=<secret>
WEBUI_SESSION_COOKIE_SECURE=true

Development Setup

.env
# Application
ENV=dev
GLOBAL_LOG_LEVEL=DEBUG

# Database
DATABASE_URL=sqlite:///./data/webui.db

# AI Models
OLLAMA_BASE_URL=http://localhost:11434

# CORS (allow all for development)
CORS_ALLOW_ORIGIN=*

Next Steps

Docker Deployment

Deploy with Docker

Kubernetes

Deploy on Kubernetes

Reverse Proxy

Configure reverse proxy

Updating

Update your deployment

Build docs developers (and LLMs) love

Get started for freeTalk to us