Skip to content

Configuration Reference

All configuration can be provided via environment variables or appsettings.json. The same .env file works for both Docker and standalone mode.

Short env var names

The .env file uses friendly short names (DB_HOST, JWT_SECRET, DISCORD_CLIENT_ID, etc.). The app automatically translates these to .NET's configuration format at startup. You can use either the short names or the __-delimited names shown in the table below.

Server

Setting Env Variable Default Description
Port PORT 8082 HTTP port the app listens on. In Docker, this is the host port. Standalone, this is the port the app binds to.
Server:Port Server__Port 8082 Alternative to PORT for the .NET config convention. PORT takes precedence. Ignored when ASPNETCORE_URLS is set.

Required settings

Setting .env name .NET env variable Description
Database DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASSWORD ConnectionStrings__PoracleDb MySQL connection to Poracle database. Short vars are auto-composed into a connection string.
JWT Secret JWT_SECRET Jwt__Secret JWT signing key (minimum 32 characters)
Discord Client ID DISCORD_CLIENT_ID Discord__ClientId Discord OAuth2 application client ID
Discord Client Secret DISCORD_CLIENT_SECRET Discord__ClientSecret Discord OAuth2 application client secret
Poracle API Address PORACLE_API_ADDRESS Poracle__ApiAddress PoracleNG API base URL. Critical -- all alarm tracking, human/profile management, location, and area operations are proxied through this endpoint.
Poracle API Secret PORACLE_API_SECRET Poracle__ApiSecret PoracleNG API shared secret. Sent as the X-Poracle-Secret header on every request.
Admin IDs PORACLE_ADMIN_IDS Poracle__AdminIds Comma-separated Discord admin user IDs

Optional settings

Authentication

Setting .env name .NET env variable Default Description
JWT Expiration Jwt__ExpirationMinutes 1440 Token expiry (24 hours)
JWT Issuer JWT_ISSUER Jwt__Issuer PoracleWeb Issuer claim (iss) baked into signed tokens. Override only if validating tokens externally.
JWT Audience JWT_AUDIENCE Jwt__Audience PoracleWeb.App Audience claim (aud) baked into signed tokens. Override only if validating tokens externally.
Discord Bot Token DISCORD_BOT_TOKEN Discord__BotToken Enables Discord avatar display
Discord Guild ID DISCORD_GUILD_ID Discord__GuildId Discord server ID
Discord Geofence Forum DISCORD_GEOFENCE_FORUM_CHANNEL_ID Discord__GeofenceForumChannelId Forum channel for geofence submission threads
Telegram Enabled TELEGRAM_ENABLED Telegram__Enabled false Enable Telegram authentication
Telegram Bot Token TELEGRAM_BOT_TOKEN Telegram__BotToken Telegram bot token
Telegram Bot Username TELEGRAM_BOT_USERNAME Telegram__BotUsername Telegram bot username

External SSO / OIDC

Optional. Delegates PoracleWeb.NET login to your own OAuth2/OIDC provider (e.g. PogoAlerts) for single sign-on. See External SSO setup for the full setup guide.

The provider is enabled automatically when OIDC_CLIENT_ID plus all three of OIDC_AUTHORIZATION_URL, OIDC_TOKEN_URL, and OIDC_USERINFO_URL are set. Set OIDC_ENABLED explicitly to override the inference.

Setting .env name .NET env variable Default Description
Enabled OIDC_ENABLED Oidc__Enabled Master switch. Auto-inferred true when OIDC_CLIENT_ID and the three endpoint URLs are all set. When false, the provider is hidden regardless of other values.
Provider Name OIDC_PROVIDER_NAME Oidc__ProviderName "" Display name shown on the login button (e.g. PogoAlerts).
Authorization URL OIDC_AUTHORIZATION_URL Oidc__AuthorizationUrl "" Browser-facing authorize endpoint. Any existing query string is preserved.
Token URL OIDC_TOKEN_URL Oidc__TokenUrl "" Token endpoint that exchanges the authorization code for an access token.
UserInfo URL OIDC_USERINFO_URL Oidc__UserInfoUrl "" UserInfo endpoint returning the user's claims.
End Session URL OIDC_END_SESSION_URL Oidc__EndSessionUrl "" Optional RP-initiated logout (end-session) endpoint. When set, enables single logout (the provider's session is also ended). When empty, logout is local-only.
Client ID OIDC_CLIENT_ID Oidc__ClientId "" OAuth2 client ID.
Client Secret OIDC_CLIENT_SECRET Oidc__ClientSecret "" OAuth2 client secret. Read from config only — never stored in the database.
Scopes OIDC_SCOPES Oidc__Scopes openid profile email Space-delimited OAuth scopes requested at authorization time.
Identity Claim OIDC_IDENTITY_CLAIM Oidc__IdentityClaim discord_id UserInfo claim whose value maps to the Poracle human id (a Discord/Telegram id). Falls back to sub when the configured claim is absent.
Username Claim OIDC_USERNAME_CLAIM Oidc__UsernameClaim preferred_username UserInfo claim used as the display username.
Avatar Claim OIDC_AVATAR_CLAIM Oidc__AvatarClaim picture UserInfo claim used as the avatar URL.
Identity Type OIDC_IDENTITY_TYPE Oidc__IdentityType discord:user Value written to the JWT type claim for users logging in via this provider.
Use PKCE OIDC_USE_PKCE Oidc__UsePkce true Use PKCE (Proof Key for Code Exchange) for the authorization-code flow.
Force Local Login AUTH_FORCE_LOCAL Auth__ForceLocal false Break-glass override forcing the local login page regardless of the SSO mode. Recovery path when an admin switches to OIDC against a broken/unreachable provider and gets locked out.

OIDC refresh tokens

Optional, opt-in. Enables silent server-side session renewal and provider-side revocation propagation. See OIDC Refresh Tokens for full detail.

Setting .env name .NET env variable Default Description
Use Refresh Tokens OIDC_USE_REFRESH_TOKENS Oidc__UseRefreshTokens false Master opt-in for brokering the provider's refresh token (silent renewal + revocation propagation). Requires the provider to issue a refresh token.
Access Token Minutes OIDC_ACCESS_TOKEN_MINUTES Oidc__AccessTokenMinutes 30 Internal JWT lifetime (minutes) for refresh-backed OIDC sessions only. Other logins keep Jwt__ExpirationMinutes.
Refresh Token Lifetime (days) OIDC_REFRESH_TOKEN_LIFETIME_DAYS Oidc__RefreshTokenLifetimeDays 30 PoracleWeb-side absolute cap (days) on a refresh session before a real re-login is forced.
Revoked Retention (days) OIDC_SESSION_REVOKED_RETENTION_DAYS Oidc__RevokedRetentionDays 2 How long (days) revoked/rotated session rows are retained for replay detection before cleanup deletes them.
Offline Access Scope OIDC_OFFLINE_ACCESS_SCOPE Oidc__OfflineAccessScope offline_access Scope appended to the authorize request so a compliant provider issues a refresh token. Set empty for providers that issue refresh tokens unconditionally or use a non-standard mechanism (e.g. Google's access_type=offline).
Token Auth Method OIDC_TOKEN_AUTH_METHOD Oidc__TokenEndpointAuthMethod client_secret_post How client credentials are presented at the token endpoint: client_secret_post (form body) or client_secret_basic (HTTP Basic header).

Databases

Setting .env name .NET env variable Description
PoracleWeb.NET DB WEB_DB_HOST, WEB_DB_PORT, WEB_DB_NAME, WEB_DB_USER, WEB_DB_PASSWORD ConnectionStrings__PoracleWebDb MySQL connection to PoracleWeb.NET database (site settings, webhook delegates, quick picks, user geofences). Short vars are auto-composed into a connection string.
Scanner DB SCANNER_DB_CONNECTION ConnectionStrings__ScannerDb Scanner database connection (Golbat). Optional. Used by the gym picker search in raid/gym/egg add dialogs. Provide a full connection string.

Golbat API

Optional. Enables "currently spawning" Pokemon availability indicators in the Pokemon selector.

Setting .env name .NET env variable Description
Golbat API Address GOLBAT_API_ADDRESS Golbat__ApiAddress Golbat scanner API URL (e.g., http://localhost:9001). When set, the Pokemon selector shows which species are actively spawning.
Golbat API Secret GOLBAT_API_SECRET Golbat__ApiSecret Golbat API secret. Sent as the X-Golbat-Secret header on every request. Must match Golbat's api_secret config value.

Koji geofence API

Required for the custom geofences feature.

Setting .env name .NET env variable Description
Koji API Address KOJI_API_ADDRESS Koji__ApiAddress Koji geofence server URL (e.g., http://localhost:8080)
Koji Bearer Token KOJI_BEARER_TOKEN Koji__BearerToken Koji API bearer token for authentication
Koji Project ID KOJI_PROJECT_ID Koji__ProjectId Koji project ID for admin-promoted geofences (default: 0)
Koji Project Name KOJI_PROJECT_NAME Koji__ProjectName Koji project name for /geofence/poracle/{name} endpoint

CORS

Setting .env name .NET env variable Description
CORS Origin CORS_ORIGIN Cors__AllowedOrigins__0 Allowed CORS origin. Required in production (empty = crash). Not required in development mode.

Configuration sources

Source Use case
.env file (project root) Both Docker and standalone — the primary config file. Docker Compose reads it natively; standalone mode loads it on startup. Short env var names are auto-translated to .NET format.
appsettings.json Default values. You rarely need to edit this.
appsettings.Development.json Local development overrides (gitignored)
docker-compose.yml Local copy of docker-compose.yml.example (gitignored). Uses env_file: .env to load all configuration — no per-key environment: entries are needed. Edit only to change ports, volumes, or image tags.
poracle_web.site_settings table Runtime admin-configurable settings (migrated from deprecated pweb_settings)

PoracleNG must be reachable

Poracle:ApiAddress must point to a running PoracleNG instance that is reachable from the PoracleWeb.NET container. All alarm tracking, human/profile management, location, area operations, and active hours management are proxied through this API. If PoracleNG is unreachable, alarm operations fail entirely and user management (registration, login, location, areas, profile switch, active hours) also fails. The Poracle:ApiSecret must match the server.apiSecret value in PoracleNG's config.

Secrets

appsettings.Development.json is gitignored and holds all connection strings, JWT secret, Discord/Telegram credentials, and Poracle API address/secret. Never commit secrets to the repository.

Runtime settings

Looking for settings you can change without restarting? See Site Settings for admin-configurable runtime settings like branding, feature toggles, alarm types, and more.