Configuration Reference
All environment variables and settings for configuring ABAXUS in production.
Database Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| DATABASE_URL | Yes | — | Full PostgreSQL connection string: postgresql://user:pass@host:5432/dbname |
| DATABASE_MAX_CONNECTIONS | No | 25 | Maximum connection pool size. Set to (CPU cores × 2) + effective_io_concurrency |
| DATABASE_IDLE_TIMEOUT | No | 600s | Time before idle connections are closed |
| DATABASE_CONNECT_TIMEOUT | No | 10s | Timeout for acquiring a connection from the pool |
| DATABASE_SSL_MODE | No | require | PostgreSQL SSL mode: disable, require, verify-ca, verify-full |
For production, always set DATABASE_SSL_MODE=verify-full with a valid CA certificate. Disable SSL only in local development.
API Server Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| PORT | No | 8080 | HTTP port the API server listens on |
| API_MASTER_KEY | Yes | — | 32+ character random string. Used to derive and validate API keys. Rotate with care — rotation invalidates all existing API keys. |
| API_RATE_LIMIT_RPM | No | 6000 | Global rate limit in requests per minute per API key |
| API_MAX_BODY_SIZE | No | 1mb | Maximum request body size. Increase for large batch event requests (up to 10mb for 1k events). |
| LOG_LEVEL | No | info | Log verbosity: debug, info, warn, error |
| LOG_FORMAT | No | json | Log format: json (structured) or text (human-readable for local dev) |
| CORS_ALLOWED_ORIGINS | No | — | Comma-separated list of allowed CORS origins. Required if calling ABAXUS from browser clients. |
Payment Provider Credentials
Payment provider credentials are set in the ABAXUS dashboard under Settings → Integrations after initial deployment. They can also be set via environment variables:
Stripe
| Variable | Required | Description |
|---|---|---|
| STRIPE_SECRET_KEY | Conditional | Stripe secret key (sk_live_... or sk_test_...) |
| STRIPE_WEBHOOK_SECRET | Conditional | Webhook signing secret for verifying Stripe events (whsec_...) |
| STRIPE_API_VERSION | No | Stripe API version to pin to (e.g., 2024-06-20). Defaults to ABAXUS’s tested version. |
The Stripe webhook secret is required if you want ABAXUS to receive and process Stripe webhook events (e.g., for confirming async payment intents). Register your ABAXUS webhook endpoint (/v1/webhooks/stripe) in the Stripe Dashboard.
Adyen
| Variable | Required | Description |
|---|---|---|
| ADYEN_API_KEY | Conditional | Adyen API key from the Customer Area |
| ADYEN_MERCHANT_ACCOUNT | Conditional | Your Adyen merchant account name |
| ADYEN_ENVIRONMENT | No | test or live (default: live) |
| ADYEN_LIVE_URL_PREFIX | Conditional | Required when ADYEN_ENVIRONMENT=live. Your unique live endpoint prefix from Adyen. |
| ADYEN_HMAC_KEY | Conditional | HMAC key for webhook verification |
API Key Management
ABAXUS uses two types of API keys:
- Secret keys (sk_...): Full API access. Can create, read, update, and delete any resource. Never expose in client-side code. Use for server-to-server communication — your backend services, billing scripts, and admin operations.
- Publishable keys (pk_...): Read-only access, limited to entitlement checks and customer-facing usage queries. Safe to embed in browser or mobile clients. Cannot access invoice data, payment method details, or billing configuration.
Create API keys via the ABAXUS dashboard or via POST /v1/api-keys. Keys are shown only once at creation — ABAXUS stores a hashed version. If a key is lost, revoke it and create a new one.
Background Worker Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| WORKER_POLL_INTERVAL | No | 60s | How often the worker checks for pending amendments to apply |
| WORKER_BATCH_SIZE | No | 50 | Number of amendment records to process per polling cycle |
| WORKER_EVENT_QUEUE_CONCURRENCY | No | 10 | Concurrent event ingestion queue workers |
| WORKER_INVOICE_JOB_TIMEOUT | No | 30m | Maximum time for a bulk invoice job before it’s marked failed |
Redis Configuration (Optional)
| Variable | Required | Default | Description |
|---|---|---|---|
| REDIS_URL | No | — | Redis connection string: redis://user:pass@host:6379/0. If not set, Redis is not used. |
| REDIS_ENTITLEMENTS_TTL | No | 30s | TTL for cached entitlement check responses |
| REDIS_USAGE_SUMMARY_TTL | No | 60s | TTL for cached usage summary responses |
Observability
ABAXUS exposes Prometheus metrics at /metrics (requires authentication — use your Prometheus scraper’s API key):
Key metrics exported:
- abaxus_api_requests_total: total requests by endpoint, method, and status code
- abaxus_api_request_duration_seconds: request latency histogram
- abaxus_events_ingested_total: events accepted by the ingestion queue
- abaxus_events_queue_depth: current depth of the processing queue
- abaxus_invoice_charge_total: invoice charges by status (success/failure)
- abaxus_worker_amendment_processing_seconds: amendment processing latency
Configure structured logging with a log aggregator (Loki, Datadog, CloudWatch). ABAXUS emits JSON logs with consistent fields: level, msg, trace_id, customer_id (where applicable), duration_ms, and error (on failures).
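
A pre-deployment check for the production rules stated in the Database, API Server and Adyen tables above. This is an added example, not ABAXUS code: the function name check_config and the sample values are assumptions made here, and flagging non-https CORS origins and test-mode provider settings is an extra check this example applies, not a rule stated on this page.

```python
from urllib.parse import urlsplit

SSL_MODES = ("disable", "require", "verify-ca", "verify-full")

def check_config(env):
    """Return findings for a production environment; an empty list means pass."""
    findings = []
    for name in ("DATABASE_URL", "API_MASTER_KEY"):  # the two "Required: Yes" rows
        if not env.get(name):
            findings.append(f"{name}: required but not set")
    # The default is 'require'; only verify-full checks both CA and host name.
    ssl_mode = env.get("DATABASE_SSL_MODE", "require")
    if ssl_mode not in SSL_MODES:
        findings.append(f"DATABASE_SSL_MODE: unknown value {ssl_mode!r}")
    elif ssl_mode != "verify-full":
        findings.append(f"DATABASE_SSL_MODE: {ssl_mode!r} is weaker than verify-full")
    key = env.get("API_MASTER_KEY", "")
    if key and len(key) < 32:
        findings.append("API_MASTER_KEY: shorter than 32 characters")
    # Each CORS entry must be a bare https origin: no wildcard, no path.
    for origin in env.get("CORS_ALLOWED_ORIGINS", "").split(","):
        origin = origin.strip()
        parts = urlsplit(origin)
        bare = parts.scheme == "https" and parts.netloc and not parts.path
        if origin and (not bare or "*" in origin):
            findings.append(f"CORS_ALLOWED_ORIGINS: {origin!r} is not an https origin")
    if env.get("STRIPE_SECRET_KEY", "").startswith("sk_test_"):
        findings.append("STRIPE_SECRET_KEY: test-mode key in production")
    # ADYEN_ENVIRONMENT defaults to live, and live needs the URL prefix.
    if env.get("ADYEN_API_KEY"):
        adyen_env = env.get("ADYEN_ENVIRONMENT", "live")
        if adyen_env == "live" and not env.get("ADYEN_LIVE_URL_PREFIX"):
            findings.append("ADYEN_LIVE_URL_PREFIX: required when ADYEN_ENVIRONMENT=live")
        elif adyen_env == "test":
            findings.append("ADYEN_ENVIRONMENT: test endpoint in production")
    return findings

# Constructed sample environment; every value is made up for this example.
SAMPLE_ENV = {
    "DATABASE_URL": "postgresql://abaxus:example@db.internal.example:5432/abaxus",
    "DATABASE_SSL_MODE": "require",
    "API_MASTER_KEY": "short-key",
    "CORS_ALLOWED_ORIGINS": "https://app.example.com, http://localhost:3000",
    "ADYEN_API_KEY": "constructed-value",
}

if __name__ == "__main__":
    # Pass dict(os.environ) instead to check the real deployment environment.
    for finding in check_config(SAMPLE_ENV):
        print(finding)
```

Run it in the deployment pipeline before the API server starts, and fail the release when the list is not empty.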