Configure - Basedash Documentation

Environment configuration

Basedash requires several environment variables to be configured before deployment. The fastest way to get started is using our environment file generator.

Quick start: Generate environment file

Visit https://proud-dog-65.deno.dev/ to generate a ready-to-use .env file with securely generated secrets.

Fresh secrets every time: Refresh the page to generate a new set of random values
Copy and customize: Download the file and customize it for your deployment
Secure by default: All encryption keys, secrets, and passwords are randomly generated

Required core variables

These variables must be set for Basedash to function: Database connection:

DATABASE_URL=postgresql://basedash:password@postgres:5432/basedash_charts

Encryption keys:

# Used for encrypting configuration overrides (must be exactly 32 bytes/64 hex chars)
CRYPTO_KEY=your_crypto_key_here

# Used for encrypting sensitive database fields
# Format: k1.aesgcm256.[base64-string]
# Generate with: npx @47ng/cloak generate
PRISMA_FIELD_ENCRYPTION_KEY=your_prisma_encryption_key_here

Optional configuration

Application settings:

# Base URL for your deployment (highly recommended for production)
BASE_URL=https://your-domain.com

# Log level (fatal, error, warn, info, debug, trace)
LOG_LEVEL=warn

# Application port
APP_PORT=3000

Why BASE_URL matters: Setting BASE_URL is highly recommended for production deployments as it’s used for:

Email links - Ensures invitation emails, password resets, and notifications contain the correct URL to access your Basedash instance
OAuth callbacks - Required for SSO, MCP connection redirects, and third-party integrations to redirect users back to your deployment
Shared dashboard links - Generated share links will use this URL so recipients can access dashboards
Webhooks and API callbacks - External services need the correct URL to communicate with your instance
CORS configuration - Helps ensure proper cross-origin request handling

Examples:

https://basedash.your-company.com - Production deployment with custom domain
https://analytics.acme.io - Custom branded URL
http://localhost:3000 - Local development only (not recommended for production)

PostgreSQL database

PostgreSQL is the only database dependency required by Basedash.

Automatic PostgreSQL setup

When using Agent deployment or our provided docker-compose file, PostgreSQL is automatically included and configured:

PostgreSQL 16 Alpine container is deployed alongside Basedash
Automatic migrations run on startup
Health checks ensure the database is ready before the app starts
Persistent storage via Docker volumes

PostgreSQL configuration

The following environment variables configure the PostgreSQL instance:

POSTGRES_DB=basedash_charts
POSTGRES_USER=basedash
POSTGRES_PASSWORD=your_secure_password_here
POSTGRES_PORT=5432

Using an external PostgreSQL instance

If you prefer to use an existing PostgreSQL instance instead of the bundled one:

Point DATABASE_URL to your external instance:

DATABASE_URL=postgresql://user:password@your-postgres-host:5432/dbname

Ensure your PostgreSQL version is 16 or higher
Create the database:
```
CREATE DATABASE basedash_charts;
```
Migrations will run automatically on first startup

Database backups

For production deployments, we recommend regular backups:

# Create backup
docker compose exec postgres pg_dump -U basedash basedash_charts > backup.sql

# Restore backup
docker compose exec -T postgres psql -U basedash basedash_charts < backup.sql

AI configuration

Basedash’s AI features require an AI provider. You can use OpenAI, Azure OpenAI, or other OpenAI-compatible providers.

OpenAI (default)

To use OpenAI’s API:

# Provider selection (optional - defaults to OpenAI)
AI_PROVIDER=default

# OpenAI API key (required for AI features)
OPENAI_API_KEY=sk-your-openai-api-key

# Optional: Organization and project IDs
OPENAI_ORGANIZATION_ID=org-your-org-id
OPENAI_PROJECT_ID=proj_your-project-id

# Optional: Custom model
OPENAI_MODEL=gpt-4o

# Optional: Custom base URL for OpenAI-compatible APIs
OPENAI_BASE_URL=https://api.openai.com/v1

Azure OpenAI

To use Azure OpenAI Service:

AI_PROVIDER=azure-openai

AZURE_OPENAI_API_KEY=your-azure-api-key
AZURE_OPENAI_RESOURCE_NAME=your-resource-name
AZURE_OPENAI_API_VERSION=2024-02-15-preview
AZURE_OPENAI_BASE_URL=https://your-resource-name.openai.azure.com
AZURE_OPENAI_DEPLOYMENT_NAME=o3-mini

Alternative AI providers

Any OpenAI-compatible API can be used by setting a custom OPENAI_BASE_URL:

# Example: Using a local LLM server
OPENAI_BASE_URL=http://localhost:8080/v1
OPENAI_API_KEY=your-api-key

AI feature considerations

When using custom AI models or providers:

SQL generation quality may vary from our tested models
Performance benchmarks are maintained for default OpenAI models only
New features may require specific model capabilities
Token limits and pricing vary by provider

Email configuration

Email is used for notifications, automations, and user invitations. Basedash supports SMTP for outbound email.

SMTP configuration

Configure your SMTP server:

EMAIL_PROVIDER=smtp

SMTP_HOST=smtp.your-provider.com
SMTP_PORT=587
SMTP_USER=your-smtp-username
SMTP_PASSWORD=your-smtp-password
SMTP_TLS=true
SMTP_FROM_EMAIL=noreply@your-domain.com

Common SMTP providers:

Resend: smtp.resend.com:587
SendGrid: smtp.sendgrid.net:587
Mailgun: smtp.mailgun.org:587
AWS SES: email-smtp.us-east-1.amazonaws.com:587
Gmail: smtp.gmail.com:587 (requires app password)

Amazon SES configuration

Configure Amazon Simple Email Service (SES) directly:

EMAIL_PROVIDER=ses

SES_ACCESS_KEY_ID=your-access-key-id
SES_SECRET_ACCESS_KEY=your-secret-access-key
SES_REGION=us-east-2
SES_FROM_EMAIL=noreply@your-domain.com

Ensure your SES account is out of sandbox mode for production use, and that the SES_FROM_EMAIL address is verified in your SES configuration.

Email features

With email configured, users can:

Receive dashboard sharing invitations
Get alert notifications
Access password reset functionality
Receive automation deliveries

Authentication and access control

SSO integration - Connect to your existing identity providers (see our SSO documentation for details)
Custom auth providers - We can add support for specific providers as needed
Multi-organization support - Deploy multiple workspaces or organizations
Granular permissions - Maintain the same access control features as cloud

Disable public signups

For private deployments where you want to restrict who can create accounts, you can disable public signups:

DISABLE_PUBLIC_SIGNUPS=true

When enabled, this blocks manual signup while still allowing:

First user signup - Automatically allowed to bootstrap the instance
User invitations - Team members can still be invited via magic links
JWT SSO - Embedded authentication continues to work
Enterprise SSO - SAML/OIDC authentication is unaffected
Existing users - Login for users who already have accounts

This is useful when you want to control exactly who has access to your Basedash instance and prevent unauthorized users from creating new organizations.

License key

Self-hosted Basedash instances require a license key for proper operation. The license key enables license validation, usage tracking, and ensures you receive ongoing support and updates.

Obtaining a license key

Contact Basedash at support@basedash.com to obtain your license key. Once you have it, add it to your environment configuration:

LICENSE_KEY=your-license-key-here

License behavior

Startup validation:

The server validates the license key against the Basedash license server on startup
If LICENSE_KEY is missing, the server refuses to start
If the license is invalid, expired, or inactive, the server refuses to start

Periodic heartbeats:

A heartbeat is sent to the Basedash license server every 6 hours
Heartbeats report basic usage metrics (organization and user counts) and app version for billing purposes
If a heartbeat fails, the app retries with exponential backoff (starting at 5 minutes, doubling up to 6 hours)

While running:

No banner is displayed when your license is active and valid
If the license expires or becomes invalid while the server is running, an error banner is displayed and new organization creation is disabled
If the license server cannot be reached during a heartbeat, a warning banner is displayed and new organization creation is disabled until the next successful heartbeat

Sandbox licenses

Sandbox licenses are intended for QA and CI environments. When using a sandbox license a “Sandbox environment” info banner is displayed at the top of the app and usage is not counted towards your billing.

Troubleshooting license issues

Server won’t start — missing license key: Add your LICENSE_KEY to your environment configuration and restart the application. Server won’t start — invalid, expired, or inactive license: The server validates the license on startup and will refuse to start if it is not valid. Check the server logs for the specific error, then contact Basedash at support@basedash.com to resolve. “Unable to verify license” warning banner: This appears when the server cannot reach the license server during a periodic heartbeat. The app continues to run but new organization creation is disabled until the next successful heartbeat.

Check that your deployment has outbound network access to charts.basedash.com
Verify no firewall rules are blocking HTTPS traffic
The application will retry with exponential backoff (5 minutes, then doubling up to 6 hours)

“License has expired” error banner: Contact Basedash at support@basedash.com to renew your license. While expired, new organization creation is disabled. “License has been deactivated” error banner: Your license has been manually deactivated. Contact support@basedash.com to resolve this issue.

Update management

Agent deployment updates

With Agent deployment, updates are managed through the Distr customer portal:

Automatic updates - Enable automatic updates for the latest features and fixes
Version pinning - Lock to a specific version for stability and testing
Update scheduling - Control when updates are applied
Rollback support - Revert to previous versions if needed

Container deployment updates

When using container deployment, you control the update process:

Check for new versions in the Distr customer portal
Pull the new image from the registry:
```
docker compose pull
```
Restart services to apply the update:
```
docker compose up -d
```
Verify deployment health after updating

Version locking for compliance

For organizations with strict change control:

Lock to specific versions for training periods or audits
Test updates in a staging environment before production
Coordinate updates with your internal release schedule

Advanced configuration

Storage (optional)

For avatar and icon uploads, configure S3-compatible storage:

S3_BUCKET_NAME=your-bucket-name
S3_BUCKET_ACCESS_KEY_ID=your-access-key
S3_BUCKET_SECRET_ACCESS_KEY=your-secret-key
S3_BUCKET_REGION=us-east-1
S3_BUCKET_ENDPOINT=https://s3.amazonaws.com

Compatible with AWS S3, DigitalOcean Spaces, Google Cloud and other S3-compatible services. By default, the public CDN URL for uploaded files is constructed as https://{S3_BUCKET_NAME}.{S3_BUCKET_ENDPOINT_HOST}. If your CDN uses a different URL pattern (e.g., a custom domain or path-style URLs), set the CDN base URL explicitly:

S3_CDN_BASE_URL=https://cdn.example.com

Google Cloud Storage setup

Follow these steps to configure Google Cloud Storage (GCS) as your S3-compatible storage backend.

Step 1: Create a Google Cloud Storage Bucket

Go to the Google Cloud Console
Navigate to Cloud Storage → Buckets
Click Create bucket
Configure the bucket:
- Name: Choose a globally unique name (e.g., basedash-uploads-yourcompany)
- Location type: Choose based on your needs (Regional is typically fine)
- Region: Select a region close to your users
- Storage class: Standard
- Access control: Choose Fine-grained (required for ACL-based public-read access)
- Public access prevention: Uncheck “Enforce public access prevention on this bucket” (since Basedash uploads files with public-read ACL)
Click Create

Step 2: Configure Bucket Permissions

Go to your bucket → Permissions tab
Click Grant Access
Add allUsers as a principal with the role Storage Object Viewer (this allows public read access to uploaded files)

Step 3: Enable Interoperability (S3-Compatible Access)

Go to Cloud Storage → Settings (gear icon in the left sidebar)
Click the Interoperability tab
Under “Access keys for service accounts,” click Create a key for a service account
Select or create a service account with Storage Admin permissions for your bucket
Click Create key
Save both values:
- Access key (this is your S3_BUCKET_ACCESS_KEY_ID)
- Secret (this is your S3_BUCKET_SECRET_ACCESS_KEY)

Step 4: Configure CORS

Since Basedash uploads files directly from the browser using pre-signed URLs, you need to configure CORS. Create a file called cors.json:

[
  {
    "origin": ["https://your-basedash-domain.com", "http://localhost:3000"],
    "method": ["GET", "PUT", "HEAD"],
    "responseHeader": ["Content-Type", "Content-Length", "x-amz-acl"],
    "maxAgeSeconds": 3600
  }
]

Apply the CORS configuration using the gcloud CLI:

gcloud storage buckets update gs://YOUR_BUCKET_NAME --cors-file=cors.json

Or via the Console:

Install Google Cloud SDK if not already installed
Run the command above

Step 5: Set Environment Variables

Add these environment variables to your Basedash deployment:

# Required
S3_BUCKET_NAME=your-bucket-name
S3_BUCKET_ENDPOINT=https://storage.googleapis.com
S3_BUCKET_REGION=auto
S3_BUCKET_ACCESS_KEY_ID=GOOG1E...  # Your interoperability access key
S3_BUCKET_SECRET_ACCESS_KEY=...    # Your interoperability secret

# Optional - CDN URL for serving files
# S3_CDN_BASE_URL=https://your-cdn-domain.com

Note about the CDN URL: If you don’t set up a CDN, Basedash will automatically construct the public URL using S3_BUCKET_NAME and S3_BUCKET_ENDPOINT. Only set S3_CDN_BASE_URL if you have configured a CDN (like Google Cloud CDN) to serve files from your bucket.

Step 6: Verify the Setup

After deploying with the new environment variables:

Try uploading a user avatar or organization icon
Check that the file appears in your GCS bucket
Verify the public URL works by accessing it directly

Summary of Environment Variables

Variable	Value	Description
`S3_BUCKET_NAME`	`your-bucket-name`	The GCS bucket name
`S3_BUCKET_ENDPOINT`	`https://storage.googleapis.com`	GCS S3-compatible endpoint
`S3_BUCKET_REGION`	`auto`	Can be `auto` or your bucket’s region
`S3_BUCKET_ACCESS_KEY_ID`	Your HMAC access key	From Interoperability settings
`S3_BUCKET_SECRET_ACCESS_KEY`	Your HMAC secret	From Interoperability settings
`S3_CDN_BASE_URL`	`https://your-cdn-domain.com`	(Optional) Only set if using a CDN

Slack integration (optional) - ALPHA

Note: Slack integration is currently in alpha and not fully supported for self-hosted deployments.

Enable Slack notifications and automations:

SLACK_CLIENT_ID=your-slack-client-id
SLACK_CLIENT_SECRET=your-slack-client-secret
SLACK_SIGNING_SECRET=your-signing-secret
SLACK_BOT_TOKEN=xoxb-your-bot-token

Logging

Control application verbosity:

# Minimal logging (default) - warnings and errors only
LOG_LEVEL=warn

# Standard production - includes informational messages
LOG_LEVEL=info

# Debugging - detailed diagnostic information
LOG_LEVEL=debug

# Maximum verbosity - trace-level details
LOG_LEVEL=trace

Log levels: fatal, error, warn, info, debug, trace

Support and troubleshooting

Getting help

Distr customer portal - Monitor deployment health and access support resources
Email support - Reach out to support@basedash.com for configuration assistance
Documentation - Refer to deployment-specific guides in the portal

Health monitoring

Check application health:

# Application health endpoint
curl http://localhost:3000/health

# Database connectivity
docker compose exec postgres pg_isready -U basedash

# View application logs
docker compose logs -f app

# View database logs
docker compose logs -f postgres

Common configuration issues

Application won’t start:

Verify all required environment variables are set
Check DATABASE_URL format and accessibility
Ensure CRYPTO_KEY is exactly 64 hex characters
Review logs: docker compose logs app

AI features not working:

Verify OPENAI_API_KEY is set correctly
Check API key has sufficient credits/quota
Test connectivity to AI provider endpoint

Email delivery failing:

Verify SMTP credentials and host
Check SMTP_PORT matches your provider (usually 587 or 465)
Ensure firewall allows outbound connections on SMTP port
Test with a simple SMTP client to verify credentials

Getting started

Features

Essentials

Self-hosting

Documentation Index

​Environment configuration

​Quick start: Generate environment file

​Required core variables

​Optional configuration

​PostgreSQL database

​Automatic PostgreSQL setup

​PostgreSQL configuration

​Using an external PostgreSQL instance

​Database backups

​AI configuration

​OpenAI (default)

​Azure OpenAI

​Alternative AI providers

​AI feature considerations

​Email configuration

​SMTP configuration

​Amazon SES configuration

​Email features

​Authentication and access control

​Disable public signups

​License key

​Obtaining a license key

​License behavior

​Sandbox licenses

​Troubleshooting license issues

​Update management

​Agent deployment updates

​Container deployment updates

​Version locking for compliance

​Advanced configuration

​Storage (optional)

​Step 1: Create a Google Cloud Storage Bucket

​Step 2: Configure Bucket Permissions

​Step 3: Enable Interoperability (S3-Compatible Access)

​Step 4: Configure CORS

​Step 5: Set Environment Variables

​Step 6: Verify the Setup

​Summary of Environment Variables

​Slack integration (optional) - ALPHA

​Logging

​Support and troubleshooting

​Getting help

​Health monitoring

​Common configuration issues