Skip to main content
CoreSDK
Quickstart
Reference

Environment Variables

All CoreSDK environment variables

Environment Variables

CoreSDK reads configuration from environment variables at startup. Environment variables take precedence over coresdk.toml values but are overridden by explicit builder/constructor calls in code.

Precedence order (highest to lowest)

  1. Code — builder methods / constructor options
  2. Environment variables
  3. coresdk.toml config file
  4. Built-in defaults

Complete variable reference

Core / Identity

VariableTypeDefaultDescription
CORESDK_SIDECAR_ADDRstring[::1]:50051gRPC address of the sidecar daemon. Used by wrapper SDKs to connect.
CORESDK_TENANT_IDstringTenant ID for this service instance.
CORESDK_SERVICE_NAMEstringbinary nameValue of the service.name OTel resource attribute.
CORESDK_FAIL_MODEstringopenopen — allow requests when sidecar is unreachable. closed — reject all requests on sidecar failure.

Authentication

VariableTypeDefaultDescription
CORESDK_JWKS_URLstring (URL)HTTPS URL of the JWKS endpoint used to verify JWT signatures.
CORESDK_JWT_LEEWAY_SECSu320Clock-skew tolerance in seconds for exp / nbf claims.

Policy

VariableTypeDefaultDescription
CORESDK_POLICY_DIRstring (path)./policiesDirectory containing .rego policy files. Hot-reloaded on change.

Observability

VariableTypeDefaultDescription
OTEL_EXPORTER_OTLP_ENDPOINTstring (URL)OTLP gRPC endpoint for traces, metrics, and logs (e.g. http://otel-collector:4317). Standard OpenTelemetry variable.
CORESDK_LOG_LEVELstringinfoMinimum log level: trace, debug, info, warn, error.

Example .env file

# Core
CORESDK_SIDECAR_ADDR=[::1]:50051
CORESDK_TENANT_ID=acme-corp
CORESDK_SERVICE_NAME=orders-service
CORESDK_FAIL_MODE=open

# Auth
CORESDK_JWKS_URL=https://idp.acme.com/.well-known/jwks.json

# Policy
CORESDK_POLICY_DIR=./policies

# Observability
OTEL_EXPORTER_OTLP_ENDPOINT=http://otel-collector:4317
CORESDK_LOG_LEVEL=info

Security notes

  • Never commit secrets to source control. Use a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault) or a .env file excluded by .gitignore.
  • CORESDK_JWKS_URL must be an https:// URL in production. HTTP is permitted only in local development.
  • Set CORESDK_FAIL_MODE=closed in high-security deployments to ensure requests are rejected if the sidecar is unreachable rather than allowed through.

CLI Reference

Complete reference for the CoreSDK CLI — sidecar management, policy testing, and config validation.

Changelog

CoreSDK version history

On this page

Environment VariablesPrecedence order (highest to lowest)Complete variable referenceCore / IdentityAuthenticationPolicyObservabilityExample .env fileSecurity notes