Skip to main content

Configuration

All configuration is via environment variables. The only strictly required one is LAUNCHPAD_JWT_SECRET, without which the app refuses to start in production. Everything else has a sensible default or is optional. Email can also be configured in the UI (first-run wizard or Settings → Email), which is stored in the database and takes precedence over the email env vars.

Required

VariablePurpose
LAUNCHPAD_JWT_SECRETSecret used to sign session JWTs. Generate one with openssl rand -hex 32. The app won't start in production without it.
VariableDefaultPurpose
LAUNCHPAD_BASE_URLhttp://localhost:5173Public base URL of this deployment. Used for links in emails and as the WebAuthn (passkey) origin. Set it to the URL users actually visit.
LAUNCHPAD_DB_PATH./data/launchpad.dbPath to the SQLite database file. The Docker image sets this to /app/data/launchpad.db.
LAUNCHPAD_DOMAINarc.localhostDisplay domain shown in the UI.
LAUNCHPAD_ALLOW_PRIVATE_ENDPOINTSfalseAllow registering Arc endpoints on private/localhost addresses. See below.
Get LAUNCHPAD_BASE_URL right

This one value drives several behaviors that silently break if it's wrong for how you serve the app:

  • Session cookies: the secure flag tracks the URL's scheme. On a plain-HTTP deployment served over http://, secure is off so the cookie persists; a mismatch can make login "succeed" then bounce back to the login page.
  • CSRF / ORIGIN: the Docker image derives ORIGIN from LAUNCHPAD_BASE_URL; a wrong value causes form actions (including finishing setup) to fail with a 403.
  • Passkeys & email links: WebAuthn is bound to this origin, and email links are built from it.

Set it to the exact scheme + host + port users hit (e.g. http://localhost:3000 or https://launchpad.example.com).

adapter-node / reverse proxy

Launchpad is a SvelteKit app built with adapter-node. It validates the Origin header on POST form submissions (CSRF). The Docker image handles this automatically by deriving ORIGIN from LAUNCHPAD_BASE_URL. For other cases:

VariablePurpose
ORIGINThe public origin, e.g. http://localhost:3000. Set this if you run node build directly (not via the Docker image).
PROTOCOL_HEADERe.g. x-forwarded-proto, for a reverse proxy that terminates TLS and forwards the original scheme.
HOST_HEADERe.g. x-forwarded-host, for a reverse proxy that rewrites the host.
PORTPort the server listens on. Default 3000.

See the adapter-node environment variables reference for details.

Private endpoints

By default Launchpad rejects Arc endpoints that resolve to a private, loopback, or link-local address (localhost, 127.0.0.1, 10.x, 192.168.x, *.internal, cloud metadata, …). This is an SSRF safeguard: the built-in proxy forwards requests to whatever endpoint you register, so untrusted endpoints must not be able to reach internal services.

Set LAUNCHPAD_ALLOW_PRIVATE_ENDPOINTS=true only when your Arc server is intentionally on a private network reachable from the Launchpad host (e.g. the same box, the same Docker network, or the same Kubernetes cluster). Even when enabled, the proxy still resolves-and-pins the target IP per request, so it stays safe against DNS rebinding.

Email (optional)

Email is normally configured in the UI. As an alternative, operators can set it via env vars (the DB setting wins if both are present). Without any email config, transactional emails (invites, verification, password reset) are printed to the server console instead of being sent.

Mailgun:

VariablePurpose
MAILGUN_API_KEYMailgun API key.
MAILGUN_DOMAINSending domain.
MAILGUN_API_URLhttps://api.mailgun.net (US) or https://api.eu.mailgun.net (EU).

SMTP (any provider):

VariablePurpose
SMTP_HOSTSMTP server host.
SMTP_PORTPort. Default 587.
SMTP_SECUREtrue for port 465 (implicit TLS), else false.
SMTP_USER / SMTP_PASSCredentials.
EMAIL_FROMFrom header, e.g. Arc Launchpad <noreply@example.com>.

Other optional integrations

VariablePurpose
PUBLIC_TURNSTILE_SITE_KEY / TURNSTILE_SECRET_KEYCloudflare Turnstile CAPTCHA on signup. Skipped if unset.
GCHAT_OPS_WEBHOOK_URLGoogle Chat webhook for ops alerting on silent server-side failures.
GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRETGoogle OAuth sign-in. Optional.

Put it behind TLS

For anything beyond local testing, run Launchpad behind a reverse proxy that terminates TLS, and set LAUNCHPAD_BASE_URL to your public HTTPS URL so cookies, CSRF, email links, and passkey origins all line up. If you're already using Traefik for Arc, the same pattern extends cleanly to Launchpad; see the Traefik + Let's Encrypt guide.