Configuration

All configuration is read from environment variables (Pydantic Settings). The container honours the variables below; the Helm chart surfaces the common ones and passes anything else through extraEnv. Log-export variables live on the Log Export / SIEM page.

Core

Variable	Default	Description
`PORT`	`80`	Listening port
`DEBUG`	`false`	Debug logging, serves `/docs`, and bypasses admin auth
`API_URL`	`https://api.roboflow.com`	Upstream API server
`REPO_URL`	`https://repo.roboflow.com`	Upstream repository server
`REQUEST_TIMEOUT`	`30`	Connect/pool timeout (s) — not a total cap on streamed bodies
`STREAMING_IDLE_TIMEOUT`	`600`	Per-chunk idle timeout (s) for multi-GB transfers
`WORKERS`	`0`	Uvicorn workers (0 = one per CPU core)
`EXTRA_PROXY_HOSTS`	—	Comma-separated extra domains for the `/proxy` allowlist

Cache

Behaviour and tiers are covered in Caching.

Variable	Default	Description
`CACHE_ENABLED`	`true`	Master switch for the response cache
`CACHE_DIRECTORY`	`/var/cache/secure-gateway`	Disk path (ignored when S3 is set)
`CACHE_MAX_SIZE_GB`	`50`	Disk cache cap before eviction
`CACHE_FREE_DISK_BUFFER_GB`	`5`	Free space the gateway always keeps available
`CACHE_MAX_ENTRY_SIZE_MB`	`2048`	Skip caching responses larger than this
`CACHE_ADMIN_TOKEN`	—	Bearer token for `/_cache/` and `/_logs/`
`CACHE_S3_BUCKET`	—	S3 bucket; set this to switch from disk to S3
`CACHE_S3_PREFIX`	`cache/`	Key prefix within the bucket
`CACHE_S3_REGION`	auto	Bucket region
`CACHE_S3_ENDPOINT_URL`	—	Custom endpoint for MinIO / GCS / R2
`CACHE_S3_ACCESS_KEY` / `_SECRET_KEY`	—	Static keys; empty = use IAM/instance role

TLS

Usage and the upstream-vs-in-pod decision are covered in TLS & Certificates.

Variable	Default	Description
`TLS_CERT_FILE`	—	Certificate for inbound HTTPS (with `TLS_KEY_FILE`, serves HTTPS on `PORT`)
`TLS_KEY_FILE`	—	Private key for inbound HTTPS
`TLS_CA_BUNDLE`	—	Custom CA bundle for outbound trust (Zscaler, corporate TLS proxy)