Skip to main content
Dify Enterprise deploys with Helm. Most variables are configured through your values.yaml file. The Helm chart writes a fixed set of variables into the API, web, worker, and enterprise ConfigMaps (with defaults drawn from values.yaml), and exposes the rest of the Dify application’s variables through the extraEnv field on each service.
The variables listed here are for reference. The Dify application reads many more variables than the Helm chart sets directly. For the complete application-level list, see the upstream .env.example. Any variable that is not set in values.yaml can be added through extraEnv (see FAQs). If you cannot find a variable in values.yaml, set it through extraEnv.
A default value listed as (Helm default) is the value the chart writes into the ConfigMap from values.yaml. All other defaults are the Dify application’s built-in defaults, which apply when the variable is not set through extraEnv.

Common Variables

These URL variables configure the public addresses of Dify’s services. The Helm chart derives them from the domain settings in values.yaml (global.consoleApiDomain, global.consoleWebDomain, and so on), so you normally set the domains rather than the variables directly.

CONSOLE_API_URL

Default: derived from global.consoleApiDomain The public URL of Dify’s backend API. Used to construct OAuth authorization callbacks (GitHub, Google login), Notion integration, and any plugin that requires OAuth. Also determines whether secure (HTTPS-only) cookies are used. Example: https://api.console.dify.ai

CONSOLE_WEB_URL

Default: derived from global.consoleWebDomain The public URL of Dify’s console frontend. Used to build links in all system emails (invitations, password resets, notifications) and to redirect users back to the console after OAuth login. Also serves as the default CORS allowed origin if CONSOLE_CORS_ALLOW_ORIGINS is not set. Example: https://console.dify.ai

SERVICE_API_URL

Default: derived from global.serviceApiDomain The API Base URL shown to developers in the Dify console: the URL they copy into their code to call the Dify API. Set this to ensure a consistent URL when your server is reachable through multiple addresses. Example: https://api.dify.ai

APP_API_URL

Default: derived from global.appApiDomain The backend API URL for the WebApp frontend (published apps). This variable is used by the web frontend container, not the Python backend. Example: https://api.app.dify.ai

APP_WEB_URL

Default: derived from global.appWebDomain The public URL where published WebApps are accessible. Required for the Human Input node in workflows: form links in email notifications are built as {APP_WEB_URL}/form/{token}. If empty, Human Input email delivery will not include valid form links. Example: https://app.dify.ai

TRIGGER_URL

Default: derived from global.triggerDomain The publicly accessible URL for webhook and integration trigger endpoints. External systems use this address to invoke your workflows. Dify builds trigger callback URLs like {TRIGGER_URL}/triggers/webhook/{id} and displays them in the console. For triggers to work, this must point to a public domain or IP that external systems can reach.

FILES_URL

Default: derived from global.filesDomain The base URL for file preview and download links. Dify generates signed, time-limited URLs for all files (uploaded documents, tool outputs, workspace logos) and serves them to the frontend and multi-modal models. To prevent forgery, file URLs are signed and expire (see FILES_ACCESS_TIMEOUT). Example: https://upload.example.com

INTERNAL_FILES_URL

Default: (empty; falls back to FILES_URL) The file access URL used for communication between services inside the cluster (for example, the plugin daemon and document extractors). Internal services may not be able to reach the external FILES_URL if it routes through an ingress or public domain. Set this through extraEnv when internal services can’t reach the external URL. Example: http://dify-api-svc:5001

FILES_ACCESS_TIMEOUT

Default: 300 (5 minutes) How long signed file URLs remain valid, in seconds. After this time, the URL is rejected and the file must be re-requested. Increase for long-running processes; decrease for tighter security.

Server Configuration

Logging

VariableDefaultDescription
LOG_LEVELINFO (Helm default)Minimum log severity. Levels from least to most severe: DEBUG, INFO, WARNING, ERROR, CRITICAL. For production, ERROR reduces noise.
LOG_OUTPUT_FORMATjson (Helm default)json produces structured logs for aggregation tools (ELK, Datadog). text produces human-readable lines. The chart defaults to json; the application’s own default is text.
LOG_FILE/app/logs/server.logLog file path. When set, enables file-based logging with automatic rotation. When empty, logs only go to console.
LOG_FILE_MAX_SIZE20Maximum log file size in MB before rotation.
LOG_FILE_BACKUP_COUNT5Number of rotated log files to keep.
LOG_DATEFORMAT%Y-%m-%d %H:%M:%STimestamp format for text-format logs (strftime codes).
LOG_TZUTCTimezone for log timestamps. Also sets Celery’s task scheduling timezone.

General

VariableDefaultDescription
MODEapi / worker / beat (Helm default)Service role. The chart sets this per ConfigMap; do not override.
DEBUGfalseEnables verbose logging: node inputs/outputs, tool execution details, full LLM prompts and responses. Not recommended for production.
FLASK_DEBUGfalseStandard Flask debug flag. Not actively used by Dify; DEBUG is the primary control.
ENABLE_REQUEST_LOGGINGfalseLogs a compact access line for every HTTP request. With LOG_LEVEL=DEBUG, additionally logs full request and response bodies.
DEPLOY_ENVPRODUCTION (Helm default)Tags monitoring data in Sentry and OpenTelemetry so you can filter by environment. Also sent as the X-Env response header.
MIGRATION_ENABLEDtrue (API), false (worker/beat) (Helm default)When true, runs database schema migrations automatically on container startup. The chart enables it for the API service only.
CHECK_UPDATE_URLhttps://updates.dify.ai (Helm default)The console checks this URL for newer Dify versions. Set to empty for air-gapped environments.
OPENAI_API_BASEhttps://api.openai.com/v1Legacy variable. Not actively used by Dify’s own code.

SECRET_KEY

Default: set by the chart (see your deployment’s secret configuration) Used for session cookie signing, JWT authentication tokens, file URL signatures (HMAC-SHA256), and encrypting third-party OAuth credentials (AES-256). The Helm chart manages this through a secret.
Changing this key after deployment will immediately log out all users, invalidate all file URLs, and break any plugin integrations that use OAuth, since their encrypted credentials become unrecoverable.

Token & Request Limits

VariableDefaultDescription
ACCESS_TOKEN_EXPIRE_MINUTES60How long a login session’s access token stays valid (in minutes). The browser silently refreshes it using the refresh token.
REFRESH_TOKEN_EXPIRE_DAYS30How long a user can stay logged in without re-entering credentials (in days).
APP_MAX_EXECUTION_TIME1200Maximum time (in seconds) an app execution can run before being terminated. Works alongside WORKFLOW_MAX_EXECUTION_TIME.
APP_DEFAULT_ACTIVE_REQUESTS0Default concurrent request limit per app when no custom limit is set. 0 means unlimited.
APP_MAX_ACTIVE_REQUESTS0Global ceiling for concurrent requests per app. 0 means unlimited.

Worker Configuration

The Helm chart manages worker counts through values.yaml rather than environment variables. serverWorkerAmount controls API Gunicorn workers, and celeryWorkerAmount controls Celery workers per worker deployment. Set them in values.yaml.
VariableDefaultDescription
SERVER_WORKER_AMOUNT1 (Helm default)Number of Gunicorn worker processes. With gevent (default), 1 is usually sufficient. Set through api.serverWorkerAmount in values.yaml.
GUNICORN_TIMEOUT360 (Helm default)If a worker doesn’t respond within this many seconds, Gunicorn restarts it. 360 supports long-lived SSE streaming connections.
CELERY_WORKER_AMOUNT1 (Helm default)Number of Celery worker processes per worker deployment. Set through worker.celeryWorkerAmount in values.yaml.
SERVER_WORKER_CLASSgeventGunicorn worker type. Keep the default; other values break psycopg2 and gRPC patching.
SERVER_WORKER_CONNECTIONS10Maximum concurrent connections per worker. Only applies to async (gevent) workers.
CELERY_WORKER_CLASS(empty; defaults to gevent)Celery worker type. Strongly discouraged to change.

API Tool Configuration

VariableDefaultDescription
API_TOOL_DEFAULT_CONNECT_TIMEOUT10Maximum time (in seconds) to wait for establishing a TCP connection when API Tool nodes call external APIs.
API_TOOL_DEFAULT_READ_TIMEOUT60Maximum time (in seconds) to wait for receiving response data from external APIs called by API Tool nodes.

Database Configuration

The Helm chart configures the main database connection (host, port, credentials, database name) through values.yaml and the shared database ConfigMap, not through individual DB_* variables. The variables below tune the application’s connection pool and can be set through extraEnv.
VariableDefaultDescription
SQLALCHEMY_POOL_SIZE250 (Helm default)Number of persistent connections kept in the pool. The chart default is 250 (the application default is 30). Set through api.db.poolSize / worker.db.poolSize.
SQLALCHEMY_POOL_RECYCLE3600 (Helm default)Recycle connections after this many seconds to prevent stale connections.
SQLALCHEMY_MAX_OVERFLOW10Additional temporary connections allowed when the pool is full.
SQLALCHEMY_POOL_TIMEOUT30How long to wait for a connection when the pool is exhausted.
SQLALCHEMY_POOL_RESET_ON_RETURNrollbackAction when a connection returns to the pool. rollback clears uncommitted transaction state; commit commits it.
SQLALCHEMY_POOL_PRE_PINGfalseTest each connection with a lightweight query before use. Prevents “connection lost” errors but adds slight latency.
SQLALCHEMY_POOL_USE_LIFOfalseReuse the most recently returned connection (LIFO) instead of rotating evenly (FIFO).
SQLALCHEMY_ECHOfalsePrint all SQL statements to logs. Useful for debugging query issues.

Redis Configuration

The Helm chart configures Redis connectivity through values.yaml (the shared Redis configuration). The application supports standalone, Sentinel, and Cluster modes. The variables below are the application-level knobs; in a Helm deployment, prefer the chart’s Redis settings, and use extraEnv for tuning.
VariableDefaultDescription
REDIS_KEY_PREFIX(empty)Optional global prefix applied to all Redis keys, pub/sub channels, Streams names, and Celery broker queues. Useful when multiple Dify instances share one Redis deployment. Turning the prefix on for an existing deployment strands keys written under the previous prefix.
REDIS_USE_SSLfalseEnable SSL/TLS for the Redis connection. Does not automatically apply to the Sentinel protocol.
REDIS_MAX_CONNECTIONS(empty)Maximum connections in the Redis pool. Leave unset for the library default.

Redis SSL Configuration

Only applies when REDIS_USE_SSL=true.
VariableDefaultDescription
REDIS_SSL_CERT_REQSCERT_NONECertificate verification level: CERT_NONE, CERT_OPTIONAL, or CERT_REQUIRED.
REDIS_SSL_CA_CERTS(empty)Path to CA certificate file for verifying the Redis server.
REDIS_SSL_CERTFILE(empty)Path to client certificate for mutual TLS.
REDIS_SSL_KEYFILE(empty)Path to client private key for mutual TLS.

Redis Connection Resilience

VariableDefaultDescription
REDIS_RETRY_RETRIES3Maximum retries per Redis command on transient failures. Set to 0 to disable. Uses exponential backoff with jitter.
REDIS_RETRY_BACKOFF_BASE1.0Base delay in seconds for exponential backoff between retries.
REDIS_RETRY_BACKOFF_CAP10.0Maximum backoff delay in seconds between retries.
REDIS_SOCKET_TIMEOUT5.0Socket timeout in seconds for Redis read/write operations.
REDIS_SOCKET_CONNECT_TIMEOUT5.0Socket timeout in seconds for establishing a Redis connection.
REDIS_HEALTH_CHECK_INTERVAL30Interval in seconds between client-side health checks on idle connections. Set to 0 to disable. Not applied in Cluster mode.

Celery Configuration

The Helm chart manages the Celery broker connection through values.yaml and the shared Celery secret. The variables below are application-level tuning knobs.
VariableDefaultDescription
CELERY_BACKENDredisWhere Celery stores task results. Options: redis (fast, in-memory) or database.
BROKER_USE_SSLfalseAuto-enabled when the broker URL uses the rediss:// scheme.
CELERY_USE_SENTINELfalseEnable Redis Sentinel mode for the Celery broker.
CELERY_SENTINEL_MASTER_NAME(empty)Sentinel service name (Master Name).
CELERY_SENTINEL_PASSWORD(empty)Password for Sentinel authentication.
CELERY_SENTINEL_SOCKET_TIMEOUT0.1Timeout for connecting to Sentinel in seconds.
CELERY_TASK_ANNOTATIONSnullApply runtime settings to specific tasks (for example, rate limits). Format: JSON dictionary. Most users don’t need this.

CORS Configuration

Controls cross-domain access policies for the frontend. The chart writes these only when set in values.yaml.
VariableDefaultDescription
WEB_API_CORS_ALLOW_ORIGINS*Allowed origins for cross-origin requests to the Web API. Example: https://dify.app
CONSOLE_CORS_ALLOW_ORIGINS*Allowed origins for cross-origin requests to the console API. If not set, falls back to CONSOLE_WEB_URL.
COOKIE_DOMAIN(empty)Set to the shared top-level domain (for example, example.com) when frontend and backend run on different subdomains, so authentication cookies can be shared across subdomains.

File Storage Configuration

Configure where Dify stores uploaded files, dataset documents, and encryption keys. Each storage type has its own credential variables; configure only the one you use. In Helm deployments, set these through extraEnv unless the chart already exposes them.

STORAGE_TYPE

Default: opendal Selects the file storage backend. Supported values: opendal, s3, azure-blob, aliyun-oss, google-storage, huawei-obs, volcengine-tos, tencent-cos, baidu-obs, oci-storage, supabase, clickzetta-volume, local (deprecated; internally uses OpenDAL with the filesystem scheme).
Default storage backend using Apache OpenDAL, a unified interface supporting many storage services. Dify automatically scans environment variables matching OPENDAL_<SCHEME>_* and passes them to OpenDAL. For example, with OPENDAL_SCHEME=s3, set OPENDAL_S3_ACCESS_KEY_ID, OPENDAL_S3_SECRET_ACCESS_KEY, etc.
VariableDefaultDescription
OPENDAL_SCHEMEfsStorage service to use. Examples: fs (local filesystem), s3, gcs, azblob.
OPENDAL_FS_ROOTstorageRoot directory for local filesystem storage (used with the fs scheme).
For all available schemes and their configuration options, see the OpenDAL services documentation.
VariableDefaultDescription
S3_ENDPOINT(empty)S3 endpoint address. Required for non-AWS S3-compatible services (MinIO, etc.).
S3_REGIONus-east-1S3 region.
S3_BUCKET_NAMEdifyaiS3 bucket name.
S3_ACCESS_KEY(empty)S3 Access Key. Not needed when using IAM roles.
S3_SECRET_KEY(empty)S3 Secret Key. Not needed when using IAM roles.
S3_ADDRESS_STYLEautoS3 addressing style: auto, path, or virtual. Only applies when S3_USE_AWS_MANAGED_IAM is false.
S3_USE_AWS_MANAGED_IAMfalseUse AWS IAM roles (EC2 instance profile, EKS service account) instead of explicit keys. Credentials are auto-discovered from instance metadata.
VariableDefaultDescription
AZURE_BLOB_ACCOUNT_NAMEdifyaiAzure storage account name.
AZURE_BLOB_ACCOUNT_KEYdifyaiAzure storage account key.
AZURE_BLOB_CONTAINER_NAMEdifyai-containerAzure Blob container name.
AZURE_BLOB_ACCOUNT_URLhttps://<your_account_name>.blob.core.windows.netAzure Blob account URL.
VariableDefaultDescription
GOOGLE_STORAGE_BUCKET_NAME(empty)Google Cloud Storage bucket name.
GOOGLE_STORAGE_SERVICE_ACCOUNT_JSON_BASE64(empty)Base64-encoded service account JSON key.
VariableDefaultDescription
ALIYUN_OSS_BUCKET_NAME(empty)OSS bucket name.
ALIYUN_OSS_ACCESS_KEY(empty)OSS access key.
ALIYUN_OSS_SECRET_KEY(empty)OSS secret key.
ALIYUN_OSS_ENDPOINThttps://oss-ap-southeast-1-internal.aliyuncs.comOSS endpoint. Regions and endpoints reference.
ALIYUN_OSS_REGIONap-southeast-1OSS region.
ALIYUN_OSS_AUTH_VERSIONv4OSS authentication version.
ALIYUN_OSS_PATH(empty)Object path prefix. Don’t start with /. Reference.
ALIYUN_CLOUDBOX_ID(empty)CloudBox ID for CloudBox-based OSS deployments.
VariableDefaultDescription
TENCENT_COS_BUCKET_NAME(empty)COS bucket name.
TENCENT_COS_SECRET_KEY(empty)COS secret key.
TENCENT_COS_SECRET_ID(empty)COS secret ID.
TENCENT_COS_REGION(empty)COS region, for example, ap-guangzhou. Reference.
TENCENT_COS_SCHEME(empty)Protocol to access COS (http or https).
TENCENT_COS_CUSTOM_DOMAIN(empty)Custom domain for COS access.
VariableDefaultDescription
OCI_ENDPOINT(empty)OCI endpoint URL.
OCI_BUCKET_NAME(empty)OCI bucket name.
OCI_ACCESS_KEY(empty)OCI access key.
OCI_SECRET_KEY(empty)OCI secret key.
OCI_REGIONus-ashburn-1OCI region.
VariableDefaultDescription
HUAWEI_OBS_BUCKET_NAME(empty)OBS bucket name.
HUAWEI_OBS_ACCESS_KEY(empty)OBS access key.
HUAWEI_OBS_SECRET_KEY(empty)OBS secret key.
HUAWEI_OBS_SERVER(empty)OBS server URL. Reference.
HUAWEI_OBS_PATH_STYLEfalseUse path-style URLs instead of virtual-hosted-style.
VariableDefaultDescription
VOLCENGINE_TOS_BUCKET_NAME(empty)TOS bucket name.
VOLCENGINE_TOS_ACCESS_KEY(empty)TOS access key.
VOLCENGINE_TOS_SECRET_KEY(empty)TOS secret key.
VOLCENGINE_TOS_ENDPOINT(empty)TOS endpoint URL. Reference.
VOLCENGINE_TOS_REGION(empty)TOS region, for example, cn-guangzhou.
VariableDefaultDescription
BAIDU_OBS_BUCKET_NAME(empty)Baidu OBS bucket name.
BAIDU_OBS_ACCESS_KEY(empty)Baidu OBS access key.
BAIDU_OBS_SECRET_KEY(empty)Baidu OBS secret key.
BAIDU_OBS_ENDPOINT(empty)Baidu OBS server URL.
VariableDefaultDescription
SUPABASE_BUCKET_NAME(empty)Supabase storage bucket name.
SUPABASE_API_KEY(empty)Supabase API key.
SUPABASE_URL(empty)Supabase server URL.
VariableDefaultDescription
CLICKZETTA_VOLUME_TYPEuserVolume type. Options: user, table, external.
CLICKZETTA_VOLUME_NAME(empty)External volume name (required only when TYPE=external).
CLICKZETTA_VOLUME_TABLE_PREFIXdataset_Table volume table prefix (used only when TYPE=table).
CLICKZETTA_VOLUME_DIFY_PREFIXdify_kmDify file directory prefix for isolation from other apps.
ClickZetta Volume reuses the CLICKZETTA_* connection parameters configured in the Vector Database section.

Archive Storage

Separate S3-compatible storage for archiving workflow run logs. Used to archive workflow runs older than the retention period to JSONL format.
VariableDefaultDescription
ARCHIVE_STORAGE_ENABLEDfalseEnable archive storage for workflow log archival.
ARCHIVE_STORAGE_ENDPOINT(empty)S3-compatible endpoint URL.
ARCHIVE_STORAGE_ARCHIVE_BUCKET(empty)Bucket for archived workflow run logs.
ARCHIVE_STORAGE_EXPORT_BUCKET(empty)Bucket for workflow run exports.
ARCHIVE_STORAGE_ACCESS_KEY(empty)Access key.
ARCHIVE_STORAGE_SECRET_KEY(empty)Secret key.
ARCHIVE_STORAGE_REGIONautoStorage region.

Vector Database Configuration

Configure the vector database used for knowledge base embedding storage and similarity search. Each provider has its own set of credential variables; configure only the one you use.

VECTOR_STORE

Default: weaviate Selects the vector database backend. If a dataset already has an index, the dataset’s stored type takes precedence over this setting. Supported values: weaviate, oceanbase, seekdb, qdrant, milvus, myscale, relyt, pgvector, pgvecto-rs, chroma, opensearch, oracle, tencent, elasticsearch, elasticsearch-ja, analyticdb, couchbase, vikingdb, opengauss, tablestore, vastbase, tidb, tidb_on_qdrant, baidu, lindorm, huawei_cloud, upstash, matrixone, clickzetta, alibabacloud_mysql, iris, hologres.
VariableDefaultDescription
VECTOR_INDEX_NAME_PREFIXVector_indexPrefix added to collection names in the vector database. Change this if you share a vector database instance across multiple Dify deployments.
VariableDefaultDescription
WEAVIATE_ENDPOINThttp://weaviate:8080Weaviate REST API endpoint.
WEAVIATE_API_KEY(empty)API key for Weaviate authentication.
WEAVIATE_GRPC_ENDPOINTgrpc://weaviate:50051Separate gRPC endpoint for high-performance binary protocol. Falls back to inferring from the HTTP endpoint if not set.
WEAVIATE_TOKENIZATIONwordTokenization method. Options: word, whitespace, character (better for CJK languages).
seekdb is the lite version of OceanBase and shares the same connection configuration.
VariableDefaultDescription
OCEANBASE_VECTOR_HOSToceanbaseHostname or IP address.
OCEANBASE_VECTOR_PORT2881Port number.
OCEANBASE_VECTOR_USERroot@testDatabase username.
OCEANBASE_VECTOR_PASSWORDdifyai123456Database password.
OCEANBASE_VECTOR_DATABASEtestDatabase name.
OCEANBASE_ENABLE_HYBRID_SEARCHfalseEnable fulltext index for BM25 queries alongside vector search. Requires OceanBase >= 4.3.5.1. Collections must be recreated after enabling.
OCEANBASE_FULLTEXT_PARSERikFulltext parser. Built-in: ngram, beng, space, ngram2, ik.
VariableDefaultDescription
QDRANT_URLhttp://qdrant:6333Qdrant endpoint address.
QDRANT_API_KEYdifyai123456API key for Qdrant.
QDRANT_CLIENT_TIMEOUT20Client timeout in seconds.
QDRANT_GRPC_ENABLEDfalseEnable gRPC communication.
QDRANT_GRPC_PORT6334gRPC port.
QDRANT_REPLICATION_FACTOR1Number of replicas per shard.
VariableDefaultDescription
MILVUS_URIhttp://host.docker.internal:19530Milvus URI. For Zilliz Cloud, use the Public Endpoint.
MILVUS_DATABASE(empty)Database name.
MILVUS_TOKEN(empty)Authentication token. For Zilliz Cloud, use the API Key.
MILVUS_USER(empty)Username.
MILVUS_PASSWORD(empty)Password.
MILVUS_ENABLE_HYBRID_SEARCHfalseEnable BM25 sparse index for full-text search. Requires Milvus >= 2.5.0.
MILVUS_ANALYZER_PARAMS(empty)Analyzer parameters for text fields.
MILVUS_SECUREfalseEnable one-way TLS for the Milvus connection; the client connects over gRPC with TLS and verifies the server certificate.
MILVUS_SERVER_PEM_PATH(empty)Path inside the container to the Milvus server certificate (PEM), used to verify the server when MILVUS_SECURE is on.
MILVUS_SERVER_NAME(empty)TLS SNI server name to verify against (matches the certificate CN/SAN). Required when MILVUS_SERVER_PEM_PATH is set.
VariableDefaultDescription
MYSCALE_HOSTmyscaleMyScale host.
MYSCALE_PORT8123MyScale port.
MYSCALE_USERdefaultUsername.
MYSCALE_PASSWORD(empty)Password.
MYSCALE_DATABASEdifyDatabase name.
MYSCALE_FTS_PARAMS(empty)Full-text search params. Reference.
VariableDefaultDescription
COUCHBASE_CONNECTION_STRINGcouchbase://couchbase-serverConnection string for the Couchbase cluster.
COUCHBASE_USERAdministratorUsername.
COUCHBASE_PASSWORDpasswordPassword.
COUCHBASE_BUCKET_NAMEEmbeddingsBucket name.
COUCHBASE_SCOPE_NAME_defaultScope name.
VariableDefaultDescription
HOLOGRES_HOST(empty)Hostname.
HOLOGRES_PORT80Port number.
HOLOGRES_DATABASE(empty)Database name.
HOLOGRES_ACCESS_KEY_ID(empty)Access key ID (used as PG username).
HOLOGRES_ACCESS_KEY_SECRET(empty)Access key secret (used as PG password).
HOLOGRES_SCHEMApublicSchema name.
HOLOGRES_TOKENIZERjiebaTokenizer for text fields.
HOLOGRES_DISTANCE_METHODCosineDistance method.
HOLOGRES_BASE_QUANTIZATION_TYPErabitqQuantization type.
HOLOGRES_MAX_DEGREE64HNSW max degree.
HOLOGRES_EF_CONSTRUCTION400HNSW ef_construction parameter.
VariableDefaultDescription
PGVECTOR_HOSTpgvectorHostname.
PGVECTOR_PORT5432Port number.
PGVECTOR_USERpostgresUsername.
PGVECTOR_PASSWORDdifyai123456Password.
PGVECTOR_DATABASEdifyDatabase name.
PGVECTOR_MIN_CONNECTION1Minimum pool connections.
PGVECTOR_MAX_CONNECTION5Maximum pool connections.
PGVECTOR_PG_BIGMfalseEnable pg_bigm extension for full-text search.
VariableDefaultDescription
VASTBASE_HOSTvastbaseHostname.
VASTBASE_PORT5432Port number.
VASTBASE_USERdifyUsername.
VASTBASE_PASSWORDDifyai123456Password.
VASTBASE_DATABASEdifyDatabase name.
VASTBASE_MIN_CONNECTION1Minimum pool connections.
VASTBASE_MAX_CONNECTION5Maximum pool connections.
VariableDefaultDescription
PGVECTO_RS_HOSTpgvecto-rsHostname.
PGVECTO_RS_PORT5432Port number.
PGVECTO_RS_USERpostgresUsername.
PGVECTO_RS_PASSWORDdifyai123456Password.
PGVECTO_RS_DATABASEdifyDatabase name.
VariableDefaultDescription
ANALYTICDB_KEY_ID(empty)Aliyun access key ID. Create AccessKey.
ANALYTICDB_KEY_SECRET(empty)Aliyun access key secret.
ANALYTICDB_REGION_IDcn-hangzhouRegion identifier.
ANALYTICDB_INSTANCE_ID(empty)Instance ID, for example, gp-xxxxxx. Create instance.
ANALYTICDB_ACCOUNT(empty)Account name. Create account.
ANALYTICDB_PASSWORD(empty)Account password.
ANALYTICDB_NAMESPACEdifyNamespace (schema). Created automatically if it does not exist.
ANALYTICDB_NAMESPACE_PASSWORD(empty)Namespace password.
ANALYTICDB_HOST(empty)Direct connection host (alternative to API-based access).
ANALYTICDB_PORT5432Direct connection port.
ANALYTICDB_MIN_CONNECTION1Minimum pool connections.
ANALYTICDB_MAX_CONNECTION5Maximum pool connections.
VariableDefaultDescription
TIDB_VECTOR_HOSTtidbHostname.
TIDB_VECTOR_PORT4000Port number.
TIDB_VECTOR_USER(empty)Username.
TIDB_VECTOR_PASSWORD(empty)Password.
TIDB_VECTOR_DATABASEdifyDatabase name.
VariableDefaultDescription
MATRIXONE_HOSTmatrixoneHostname.
MATRIXONE_PORT6001Port number.
MATRIXONE_USERdumpUsername.
MATRIXONE_PASSWORD111Password.
MATRIXONE_DATABASEdifyDatabase name.
VariableDefaultDescription
CHROMA_HOST127.0.0.1Chroma server host.
CHROMA_PORT8000Chroma server port.
CHROMA_TENANTdefault_tenantTenant name.
CHROMA_DATABASEdefault_databaseDatabase name.
CHROMA_AUTH_PROVIDERchromadb.auth.token_authn.TokenAuthClientProviderAuth provider class.
CHROMA_AUTH_CREDENTIALS(empty)Auth credentials.
VariableDefaultDescription
ORACLE_USERdifyOracle username.
ORACLE_PASSWORDdifyOracle password.
ORACLE_DSNoracle:1521/FREEPDB1Data source name.
ORACLE_CONFIG_DIR/app/api/storage/walletOracle configuration directory.
ORACLE_WALLET_LOCATION/app/api/storage/walletWallet location for Autonomous DB.
ORACLE_WALLET_PASSWORDdifyWallet password.
ORACLE_IS_AUTONOMOUSfalseWhether using Oracle Autonomous Database.
VariableDefaultDescription
ALIBABACLOUD_MYSQL_HOST127.0.0.1Hostname.
ALIBABACLOUD_MYSQL_PORT3306Port number.
ALIBABACLOUD_MYSQL_USERrootUsername.
ALIBABACLOUD_MYSQL_PASSWORDdifyai123456Password.
ALIBABACLOUD_MYSQL_DATABASEdifyDatabase name.
ALIBABACLOUD_MYSQL_MAX_CONNECTION5Maximum pool connections.
ALIBABACLOUD_MYSQL_HNSW_M6HNSW M parameter.
VariableDefaultDescription
RELYT_HOSTdbHostname.
RELYT_PORT5432Port number.
RELYT_USERpostgresUsername.
RELYT_PASSWORDdifyai123456Password.
RELYT_DATABASEpostgresDatabase name.
VariableDefaultDescription
OPENSEARCH_HOSTopensearchHostname.
OPENSEARCH_PORT9200Port number.
OPENSEARCH_SECUREtrueUse HTTPS.
OPENSEARCH_VERIFY_CERTStrueVerify SSL certificates.
OPENSEARCH_AUTH_METHODbasicbasic uses username/password. aws_managed_iam uses AWS SigV4 request signing via Boto3 credentials.
OPENSEARCH_USERadminUsername. Only used with basic auth.
OPENSEARCH_PASSWORDadminPassword. Only used with basic auth.
OPENSEARCH_AWS_REGIONap-southeast-1AWS region. Only used with aws_managed_iam auth.
OPENSEARCH_AWS_SERVICEaossAWS service type: es (Managed Cluster) or aoss (OpenSearch Serverless).
VariableDefaultDescription
TENCENT_VECTOR_DB_URLhttp://127.0.0.1Access address. Console.
TENCENT_VECTOR_DB_API_KEYdifyAPI key. Key Management.
TENCENT_VECTOR_DB_TIMEOUT30Request timeout in seconds.
TENCENT_VECTOR_DB_USERNAMEdifyAccount name. Account Management.
TENCENT_VECTOR_DB_DATABASEdifyDatabase name. Create Database.
TENCENT_VECTOR_DB_SHARD1Number of shards.
TENCENT_VECTOR_DB_REPLICAS2Number of replicas.
TENCENT_VECTOR_DB_ENABLE_HYBRID_SEARCHfalseEnable hybrid search. Sparse Vector docs.
VariableDefaultDescription
ELASTICSEARCH_HOST0.0.0.0Hostname.
ELASTICSEARCH_PORT9200Port number.
ELASTICSEARCH_USERNAMEelasticUsername.
ELASTICSEARCH_PASSWORDelasticPassword.
ELASTICSEARCH_USE_CLOUDfalseSwitch to Elastic Cloud mode. When true, uses ELASTICSEARCH_CLOUD_URL and ELASTICSEARCH_API_KEY instead of host/port/username/password.
ELASTICSEARCH_CLOUD_URL(empty)Elastic Cloud endpoint URL. Required when ELASTICSEARCH_USE_CLOUD=true.
ELASTICSEARCH_API_KEY(empty)Elastic Cloud API key. Required when ELASTICSEARCH_USE_CLOUD=true.
ELASTICSEARCH_VERIFY_CERTSfalseVerify SSL certificates.
ELASTICSEARCH_CA_CERTS(empty)Path to CA certificates.
ELASTICSEARCH_REQUEST_TIMEOUT100000Request timeout in milliseconds.
ELASTICSEARCH_RETRY_ON_TIMEOUTtrueRetry on timeout.
ELASTICSEARCH_MAX_RETRIES10Maximum retry attempts.
VariableDefaultDescription
BAIDU_VECTOR_DB_ENDPOINThttp://127.0.0.1:5287Endpoint URL.
BAIDU_VECTOR_DB_CONNECTION_TIMEOUT_MS30000Connection timeout in milliseconds.
BAIDU_VECTOR_DB_ACCOUNTrootAccount name.
BAIDU_VECTOR_DB_API_KEYdifyAPI key.
BAIDU_VECTOR_DB_DATABASEdifyDatabase name.
BAIDU_VECTOR_DB_SHARD1Number of shards.
BAIDU_VECTOR_DB_REPLICAS3Number of replicas.
BAIDU_VECTOR_DB_INVERTED_INDEX_ANALYZERDEFAULT_ANALYZERInverted index analyzer.
BAIDU_VECTOR_DB_INVERTED_INDEX_PARSER_MODECOARSE_MODEInverted index parser mode.
BAIDU_VECTOR_DB_AUTO_BUILD_ROW_COUNT_INCREMENT500Absolute row-count increment that triggers an automatic index rebuild. Works alongside _RATIO; whichever threshold is crossed first wins.
BAIDU_VECTOR_DB_AUTO_BUILD_ROW_COUNT_INCREMENT_RATIO0.05Relative growth that triggers an automatic index rebuild. Whichever threshold is crossed first wins.
BAIDU_VECTOR_DB_REBUILD_INDEX_TIMEOUT_IN_SECONDS300Maximum time the client waits for an index rebuild to complete.
VariableDefaultDescription
VIKINGDB_ACCESS_KEY(empty)Access key.
VIKINGDB_SECRET_KEY(empty)Secret key.
VIKINGDB_REGIONcn-shanghaiRegion.
VIKINGDB_HOSTapi-vikingdb.xxx.volces.comAPI host. Replace with your region-specific endpoint.
VIKINGDB_SCHEMEhttpProtocol scheme (http or https).
VIKINGDB_CONNECTION_TIMEOUT30Connection timeout in seconds.
VIKINGDB_SOCKET_TIMEOUT30Socket timeout in seconds.
VariableDefaultDescription
LINDORM_URLhttp://localhost:30070Lindorm search engine URL. Console.
LINDORM_USERNAMEadminUsername.
LINDORM_PASSWORDadminPassword.
LINDORM_USING_UGCtrueUse UGC mode.
LINDORM_QUERY_TIMEOUT1Query timeout in seconds.
VariableDefaultDescription
OPENGAUSS_HOSTopengaussHostname.
OPENGAUSS_PORT6600Port number.
OPENGAUSS_USERpostgresUsername.
OPENGAUSS_PASSWORDDify@123Password.
OPENGAUSS_DATABASEdifyDatabase name.
OPENGAUSS_MIN_CONNECTION1Minimum pool connections.
OPENGAUSS_MAX_CONNECTION5Maximum pool connections.
OPENGAUSS_ENABLE_PQfalseEnable PQ acceleration.
VariableDefaultDescription
HUAWEI_CLOUD_HOSTShttps://127.0.0.1:9200Cluster endpoint URL.
HUAWEI_CLOUD_USERadminUsername.
HUAWEI_CLOUD_PASSWORDadminPassword.
VariableDefaultDescription
UPSTASH_VECTOR_URL(empty)Upstash Vector endpoint URL.
UPSTASH_VECTOR_TOKEN(empty)Upstash Vector API token.
VariableDefaultDescription
TABLESTORE_ENDPOINThttps://instance-name.cn-hangzhou.ots.aliyuncs.comEndpoint address. Replace instance-name with your instance.
TABLESTORE_INSTANCE_NAME(empty)Instance name.
TABLESTORE_ACCESS_KEY_ID(empty)Access key ID.
TABLESTORE_ACCESS_KEY_SECRET(empty)Access key secret.
TABLESTORE_NORMALIZE_FULLTEXT_BM25_SCOREfalseNormalize fulltext BM25 scores.
VariableDefaultDescription
CLICKZETTA_USERNAME(empty)Username.
CLICKZETTA_PASSWORD(empty)Password.
CLICKZETTA_INSTANCE(empty)Instance name.
CLICKZETTA_SERVICEapi.clickzetta.comService endpoint.
CLICKZETTA_WORKSPACEquick_startWorkspace name.
CLICKZETTA_VCLUSTERdefault_apVirtual cluster.
CLICKZETTA_SCHEMAdifySchema name.
CLICKZETTA_BATCH_SIZE100Batch size for operations.
CLICKZETTA_ENABLE_INVERTED_INDEXtrueEnable inverted index.
CLICKZETTA_ANALYZER_TYPEchineseAnalyzer type.
CLICKZETTA_ANALYZER_MODEsmartAnalyzer mode.
CLICKZETTA_VECTOR_DISTANCE_FUNCTIONcosine_distanceDistance function.
VariableDefaultDescription
IRIS_HOSTirisHostname.
IRIS_SUPER_SERVER_PORT1972Super server port.
IRIS_USER_SYSTEMUsername.
IRIS_PASSWORDDify@1234Password.
IRIS_DATABASEUSERDatabase name.
IRIS_SCHEMAdifySchema name.
IRIS_CONNECTION_URL(empty)Full connection URL (overrides individual settings).
IRIS_MIN_CONNECTION1Minimum pool connections.
IRIS_MAX_CONNECTION3Maximum pool connections.
IRIS_TEXT_INDEXtrueEnable text indexing.
IRIS_TEXT_INDEX_LANGUAGEenText index language.

Knowledge Configuration

VariableDefaultDescription
UPLOAD_FILE_SIZE_LIMIT15 (Helm default)Maximum file size in MB for document uploads (PDFs, Word docs, etc.). Users see a “file too large” error when exceeded. Set through api.limits.uploadFileSize in values.yaml.
UPLOAD_FILE_BATCH_LIMIT5 (Helm default)Maximum number of files allowed per upload batch. Set through api.limits.uploadFileBatchCount.
UPLOAD_FILE_EXTENSION_BLACKLIST(empty)Security blocklist of file extensions that cannot be uploaded. Comma-separated, lowercase, no dots. Example: exe,bat,cmd,com,scr,vbs,ps1,msi,dll.
SINGLE_CHUNK_ATTACHMENT_LIMIT10Maximum number of images that can be embedded in a single knowledge base segment (chunk).
IMAGE_FILE_BATCH_LIMIT10Maximum number of image files per upload batch.
ATTACHMENT_IMAGE_FILE_SIZE_LIMIT2Maximum size in MB for images fetched from external URLs during knowledge base indexing. Different from UPLOAD_IMAGE_FILE_SIZE_LIMIT, which applies to direct uploads.
ATTACHMENT_IMAGE_DOWNLOAD_TIMEOUT60Timeout in seconds when downloading images from external URLs during knowledge base indexing.
ETL_TYPEdify (Helm default)Document extraction library. dify supports txt, md, pdf, html, xlsx, docx, csv. Unstructured adds doc, msg, eml, ppt, pptx, xml, epub. The chart sets Unstructured and wires UNSTRUCTURED_API_URL automatically when global.rag.etlType is Unstructured.
UNSTRUCTURED_API_URL(empty; set by the chart when etlType=Unstructured)Unstructured.io API endpoint. Required when ETL_TYPE is Unstructured.
UNSTRUCTURED_API_KEY(empty)API key for Unstructured.io authentication.
SCARF_NO_ANALYTICStrueDisable the Unstructured library’s telemetry collection.
TOP_K_MAX_VALUE10 (Helm default)Maximum value users can set for the top_k parameter in knowledge base retrieval. Set through global.rag.topKMaxValue.
DATASET_MAX_SEGMENTS_PER_REQUEST0Maximum number of segments per dataset API request. 0 means unlimited.

Annotation Import

VariableDefaultDescription
ANNOTATION_IMPORT_FILE_SIZE_LIMIT2Maximum CSV file size in MB for annotation import. Returns HTTP 413 when exceeded.
ANNOTATION_IMPORT_MAX_RECORDS10000Maximum number of records per annotation import.
ANNOTATION_IMPORT_MIN_RECORDS1Minimum number of valid records required per annotation import.
ANNOTATION_IMPORT_RATE_LIMIT_PER_MINUTE5Maximum annotation import requests per minute per workspace. Returns HTTP 429 when exceeded.
ANNOTATION_IMPORT_RATE_LIMIT_PER_HOUR20Maximum annotation import requests per hour per workspace.
ANNOTATION_IMPORT_MAX_CONCURRENT5Maximum concurrent annotation import tasks per workspace.

Model Configuration

VariableDefaultDescription
PLUGIN_BASED_TOKEN_COUNTING_ENABLEDfalseUse plugin-based token counting for accurate usage tracking. When disabled, token counting returns 0 (faster but cost tracking is less accurate).

Multi-modal Configuration

VariableDefaultDescription
MULTIMODAL_SEND_FORMATbase64How files are sent to multi-modal LLMs. base64 embeds file data in the request (more compatible). url sends a signed URL for the model to fetch (faster, smaller requests, but the model must reach FILES_URL).
UPLOAD_IMAGE_FILE_SIZE_LIMIT5 (Helm default)Maximum image file size in MB for direct uploads (jpg, png, webp, gif, svg). The chart default is 5 (the application default is 10). Set through api.limits.uploadImageFileSize.
UPLOAD_VIDEO_FILE_SIZE_LIMIT100Maximum video file size in MB for direct uploads (mp4, mov, mpeg, webm).
UPLOAD_AUDIO_FILE_SIZE_LIMIT50Maximum audio file size in MB for direct uploads (mp3, m4a, wav, amr, mpga).

Sentry Configuration

Sentry provides error tracking and performance monitoring. In Helm deployments, enable Sentry per service through values.yaml (api.sentry, worker.sentry, web.sentry).
VariableDefaultDescription
SENTRY_DSN(empty)Sentry DSN. The chart sets this per service when Sentry is enabled.
SENTRY_TRACES_SAMPLE_RATE1.0Fraction of requests to include in performance tracing (0.01 = 1%).
SENTRY_PROFILES_SAMPLE_RATE1.0Fraction of requests to include in CPU/memory profiling.
PLUGIN_SENTRY_ENABLEDfalseEnable Sentry for the plugin daemon service.
PLUGIN_SENTRY_DSN(empty)Sentry DSN for the plugin daemon.

Notion Integration Configuration

Connect Dify to Notion as a knowledge base data source. Get integration credentials at https://www.notion.so/my-integrations.
VariableDefaultDescription
NOTION_INTEGRATION_TYPEpublicpublic uses standard OAuth 2.0 (requires an HTTPS redirect URL, plus CLIENT_ID and CLIENT_SECRET). internal uses a direct integration token (works with HTTP).
NOTION_CLIENT_SECRET(empty)OAuth client secret. Required for public integration.
NOTION_CLIENT_ID(empty)OAuth client ID. Required for public integration.
NOTION_INTERNAL_SECRET(empty)Direct integration token from Notion. Required for internal integration.

Mail Configuration

Dify sends emails for account invitations, password resets, login codes, and Human Input node notifications. Configure one of the three supported providers. Email links require CONSOLE_WEB_URL to be set (see Common Variables).
VariableDefaultDescription
MAIL_TYPEresendMail provider: resend, smtp, or sendgrid.
MAIL_DEFAULT_SEND_FROM(empty)Default “From” address for all outgoing emails. Required.
VariableDefaultDescription
RESEND_API_URLhttps://api.resend.comResend API endpoint. Override for self-hosted Resend or a proxy.
RESEND_API_KEY(empty)Resend API key. Required when MAIL_TYPE=resend.
Three TLS modes: implicit TLS (SMTP_USE_TLS=true, SMTP_OPPORTUNISTIC_TLS=false, port 465), STARTTLS (SMTP_USE_TLS=true, SMTP_OPPORTUNISTIC_TLS=true, port 587), or plain (SMTP_USE_TLS=false, port 25).
VariableDefaultDescription
SMTP_SERVER(empty)SMTP server address.
SMTP_PORT465SMTP server port. Use 587 for STARTTLS mode.
SMTP_USERNAME(empty)SMTP username. Can be empty for IP-whitelisted servers.
SMTP_PASSWORD(empty)SMTP password. Can be empty for IP-whitelisted servers.
SMTP_USE_TLStrueEnable TLS. With SMTP_OPPORTUNISTIC_TLS=false, uses implicit TLS.
SMTP_OPPORTUNISTIC_TLSfalseUse STARTTLS (explicit TLS) instead of implicit TLS. Must be used with SMTP_USE_TLS=true.
SMTP_LOCAL_HOSTNAME(empty)Override the hostname sent in SMTP HELO/EHLO. Required when your SMTP server rejects container hostnames (common with Google Workspace, Microsoft 365).
VariableDefaultDescription
SENDGRID_API_KEY(empty)SendGrid API key. Required when MAIL_TYPE=sendgrid.
For more details, see the SendGrid documentation.

Others Configuration

Indexing

VariableDefaultDescription
INDEXING_MAX_SEGMENTATION_TOKENS_LENGTH4000 (Helm default)Maximum token length per text segment when chunking documents for the knowledge base. Larger values retain more context per chunk; smaller values provide finer granularity. Set through global.rag.indexingMaxSegmentationTokensLength.

Token & Invitation

All token expiry variables control how long a one-time-use token stored in Redis remains valid. After expiry, the user must request a new token.
VariableDefaultDescription
INVITE_EXPIRY_HOURS72How long a workspace invitation link stays valid (in hours).
RESET_PASSWORD_TOKEN_EXPIRY_MINUTES5Password reset token validity in minutes.
EMAIL_REGISTER_TOKEN_EXPIRY_MINUTES5Email registration token validity in minutes.
CHANGE_EMAIL_TOKEN_EXPIRY_MINUTES5Change email token validity in minutes.
OWNER_TRANSFER_TOKEN_EXPIRY_MINUTES5Workspace owner transfer token validity in minutes.

Code Execution Sandbox

The sandbox is a separate service that runs Python, JavaScript, and Jinja2 code nodes in isolation. The chart sets CODE_EXECUTION_ENDPOINT automatically to the in-cluster sandbox service.
VariableDefaultDescription
CODE_EXECUTION_ENDPOINTin-cluster sandbox service (Helm default)Sandbox service endpoint. The chart points this at the bundled sandbox service.
CODE_EXECUTION_API_KEYdify-sandboxAPI key for sandbox authentication. Must match SANDBOX_API_KEY in the sandbox service.
CODE_EXECUTION_SSL_VERIFYtrueVerify SSL for sandbox connections.
CODE_EXECUTION_CONNECT_TIMEOUT10Connection timeout in seconds.
CODE_EXECUTION_READ_TIMEOUT60Read timeout in seconds.
CODE_EXECUTION_WRITE_TIMEOUT10Write timeout in seconds.
CODE_EXECUTION_POOL_MAX_CONNECTIONS100Maximum concurrent HTTP connections to the sandbox service.
CODE_EXECUTION_POOL_MAX_KEEPALIVE_CONNECTIONS20Maximum idle connections kept alive in the sandbox pool.
CODE_EXECUTION_POOL_KEEPALIVE_EXPIRY5.0Seconds before idle sandbox connections are closed.
CODE_MAX_NUMBER9223372036854775807Maximum numeric value allowed in code node output.
CODE_MIN_NUMBER-9223372036854775808Minimum numeric value allowed in code node output.
CODE_MAX_STRING_LENGTH400000Maximum string length in code node output.
CODE_MAX_DEPTH5Maximum nesting depth for output data structures.
CODE_MAX_PRECISION20Maximum decimal places for floating-point numbers in output.
CODE_MAX_STRING_ARRAY_LENGTH30Maximum number of elements in a string array output.
CODE_MAX_OBJECT_ARRAY_LENGTH30Maximum number of elements in an object array output.
CODE_MAX_NUMBER_ARRAY_LENGTH1000Maximum number of elements in a number array output.
TEMPLATE_TRANSFORM_MAX_LENGTH400000Maximum character length for Template Transform node output.

Workflow Runtime

VariableDefaultDescription
WORKFLOW_MAX_EXECUTION_STEPS500Maximum number of node executions per workflow run. Exceeding this terminates the workflow.
WORKFLOW_MAX_EXECUTION_TIME1200Maximum wall-clock time in seconds per workflow run.
WORKFLOW_CALL_MAX_DEPTH5Maximum depth for nested workflow-calls-workflow. Prevents infinite recursion.
MAX_VARIABLE_SIZE204800Maximum size in bytes (200 KB) for a single workflow variable.
WORKFLOW_FILE_UPLOAD_LIMIT10Maximum number of files that can be uploaded in a single workflow execution.
WORKFLOW_NODE_EXECUTION_STORAGErdbmsWhere workflow node execution records are stored. rdbms stores everything in the database. hybrid stores new data in object storage and reads from both.
DSL_EXPORT_ENCRYPT_DATASET_IDtrueEncrypt dataset IDs when exporting DSL files. Set to false to export plain IDs for easier cross-environment import.

Workflow Storage Repository

These select which backend implementation handles workflow execution data. The default SQLAlchemy repositories store everything in the database.
VariableDefaultDescription
CORE_WORKFLOW_EXECUTION_REPOSITORYcore.repositories.sqlalchemy_workflow_execution_repository.SQLAlchemyWorkflowExecutionRepositoryRepository implementation for workflow execution records.
CORE_WORKFLOW_NODE_EXECUTION_REPOSITORYcore.repositories.sqlalchemy_workflow_node_execution_repository.SQLAlchemyWorkflowNodeExecutionRepositoryRepository implementation for workflow node execution records.
API_WORKFLOW_RUN_REPOSITORYrepositories.sqlalchemy_api_workflow_run_repository.DifyAPISQLAlchemyWorkflowRunRepositoryService-layer repository for workflow run API operations.
API_WORKFLOW_NODE_EXECUTION_REPOSITORYrepositories.sqlalchemy_api_workflow_node_execution_repository.DifyAPISQLAlchemyWorkflowNodeExecutionRepositoryService-layer repository for workflow node execution API operations.
LOOP_NODE_MAX_COUNT100Maximum iterations for Loop nodes. Prevents infinite loops.
MAX_PARALLEL_LIMIT10Maximum number of parallel branches in a workflow.

GraphEngine Worker Pool

VariableDefaultDescription
GRAPH_ENGINE_MIN_WORKERS3Minimum workers per GraphEngine instance.
GRAPH_ENGINE_MAX_WORKERS10Maximum workers per GraphEngine instance.
GRAPH_ENGINE_SCALE_UP_THRESHOLD3Queue depth that triggers spawning additional workers.
GRAPH_ENGINE_SCALE_DOWN_IDLE_TIME5.0Seconds of idle time before excess workers are removed.

Workflow Log Cleanup

The chart enables this through workerBeat.enableWorkflowLogCleanup, which sets WORKFLOW_LOG_CLEANUP_ENABLED on the beat ConfigMap. The remaining variables are not set by the chart; configure them through extraEnv on the worker and beat services.
VariableDefaultDescription
WORKFLOW_LOG_CLEANUP_ENABLEDfalse (Helm default)Enable automatic cleanup of workflow execution logs at 2:00 AM daily. Set through workerBeat.enableWorkflowLogCleanup.
WORKFLOW_LOG_RETENTION_DAYS30Number of days to retain workflow logs before cleanup.
WORKFLOW_LOG_CLEANUP_BATCH_SIZE100Number of log entries processed per cleanup batch.
WORKFLOW_LOG_CLEANUP_SPECIFIC_WORKFLOW_IDS(empty)Comma-separated list of workflow IDs to limit cleanup to. When empty, all workflow logs are cleaned.

HTTP Request Node

These configure the HTTP Request node used in workflows to call external APIs.
VariableDefaultDescription
HTTP_REQUEST_NODE_MAX_TEXT_SIZE1048576Maximum text response size in bytes (1 MB). Responses larger than this are truncated.
HTTP_REQUEST_NODE_MAX_BINARY_SIZE10485760Maximum binary response size in bytes (10 MB).
HTTP_REQUEST_NODE_SSL_VERIFYtrueVerify SSL certificates. Disable for testing with self-signed certificates.
HTTP_REQUEST_MAX_CONNECT_TIMEOUT10Maximum connect timeout users can set in the workflow editor (in seconds).
HTTP_REQUEST_MAX_READ_TIMEOUT600Maximum read timeout ceiling (in seconds).
HTTP_REQUEST_MAX_WRITE_TIMEOUT600Maximum write timeout ceiling (in seconds).

Webhook

VariableDefaultDescription
WEBHOOK_REQUEST_BODY_MAX_SIZE10485760Maximum webhook payload size in bytes (10 MB). Larger payloads are rejected with a 413 error.

SSRF Protection

All outbound HTTP requests from Dify (HTTP nodes, image downloads, etc.) are routed through a proxy that blocks requests to internal/private IP ranges, preventing Server-Side Request Forgery (SSRF) attacks. The chart sets SSRF_PROXY_HTTP_URL and SSRF_PROXY_HTTPS_URL automatically when the SSRF proxy is enabled.
VariableDefaultDescription
SSRF_PROXY_HTTP_URLin-cluster SSRF proxy (Helm default)SSRF proxy URL for HTTP requests.
SSRF_PROXY_HTTPS_URLin-cluster SSRF proxy (Helm default)SSRF proxy URL for HTTPS requests.
SSRF_POOL_MAX_CONNECTIONS100Maximum concurrent connections in the SSRF HTTP client pool.
SSRF_POOL_MAX_KEEPALIVE_CONNECTIONS20Maximum idle connections kept alive in the SSRF pool.
SSRF_POOL_KEEPALIVE_EXPIRY5.0Seconds before idle SSRF connections are closed.
SSRF_PROXY_ALLOW_PRIVATE_IPS(empty)Comma- or space-separated private IPs or CIDR ranges to allow through the SSRF proxy, overriding the default private-network block. Use when HTTP or tool requests must reach specific internal hosts.
SSRF_PROXY_ALLOW_PRIVATE_DOMAINS(empty)Comma- or space-separated internal domains to allow through the SSRF proxy, overriding the default private-network block.
RESPECT_XFORWARD_HEADERS_ENABLEDfalseTrust X-Forwarded-For/Proto/Port headers from reverse proxies. Only enable behind a single trusted reverse proxy.

Agent Configuration

VariableDefaultDescription
MAX_TOOLS_NUM10Maximum number of tools an agent can use simultaneously.
MAX_ITERATIONS_NUM99Maximum reasoning iterations per agent execution.

Web Frontend Service

These variables are used by the Next.js web frontend container only, and do not affect the Python backend.
VariableDefaultDescription
TEXT_GENERATION_TIMEOUT_MS60000Frontend timeout for streaming text generation UI. If a stream stalls for longer than this, the UI pauses rendering.
ALLOW_INLINE_STYLESfalseAllow inline style attributes and <style> blocks in user-generated Markdown content. Disabled by default for security.
ALLOW_UNSAFE_DATA_SCHEMEfalseAllow rendering URLs with the data: scheme. Disabled by default for security.
MARKETPLACE_URLset by the chart (Helm default)Marketplace web URL shown in the frontend. Set through global.marketplace.url.

Enterprise-Specific Configuration

These variables apply only to Dify Enterprise. The Helm chart sets them on the API and worker ConfigMaps when enterprise.enabled is true.
VariableDefaultDescription
ENTERPRISE_ENABLEDtrue (set by the chart when enterprise is enabled)Master switch for enterprise features. Contact your Dify representative for licensing before enabling.
CAN_REPLACE_LOGOtrue (Helm default when enterprise is enabled)Allow customization of the workspace/console logo. The chart sets this to true for enterprise deployments.
MODEL_LB_ENABLEDtrue (Helm default when enterprise is enabled)Enable load balancing across multiple credentials for a model. The chart sets this to true for enterprise deployments (the application default is false).
ENTERPRISE_API_URLin-cluster enterprise service (Helm default)Internal URL of the enterprise backend service. Set automatically by the chart.
ENTERPRISE_REQUEST_TIMEOUT5Maximum timeout in seconds for calls from the Dify API to the enterprise backend.
ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECKfalseWhen true, credential policy checks run only when saving workflows, not at runtime. Trades consistency for runtime performance.
INNER_APItrue (set by the chart when the inner API is enabled)Enable the internal API used for service-to-service calls.

Enterprise Telemetry

OpenTelemetry export for enterprise audit and tracing. The chart enables these when both enterprise.enabled and global.otel.enabled are true, wiring the endpoint to the in-cluster enterprise collector.
VariableDefaultDescription
ENTERPRISE_TELEMETRY_ENABLEDfalse (set to true by the chart when OTel is enabled)Enable enterprise telemetry collection. Also requires ENTERPRISE_ENABLED=true.
ENTERPRISE_OTLP_ENDPOINTin-cluster collector (Helm default)Enterprise OTel collector endpoint.
ENTERPRISE_OTLP_PROTOCOLgrpc (Helm default; application default http)OTLP protocol: http or grpc.
ENTERPRISE_OTLP_HEADERS(empty)Auth headers for OTLP export (key=value,key2=value2).
ENTERPRISE_OTLP_API_KEY(empty)Bearer token for enterprise OTLP export authentication.
ENTERPRISE_INCLUDE_CONTENTfalseInclude input/output content in traces. Off by default to avoid logging sensitive data.
ENTERPRISE_SERVICE_NAMEdifyService name reported for OTel resources.
ENTERPRISE_OTEL_SAMPLING_RATE1.0Sampling rate for enterprise traces (0.0 to 1.0).

ModelProvider & Tool Position Configuration

Customize which tools and model providers are available in the app interface and their display order. Use comma-separated values with no spaces between items. The chart writes these from api.positionTool and api.positionProvider in values.yaml.
VariableDefaultDescription
POSITION_TOOL_PINS(empty)Pin specific tools to the top of the list. Example: bing,google.
POSITION_TOOL_INCLUDES(empty)Only show listed tools. If unset, all tools are available.
POSITION_TOOL_EXCLUDES(empty)Hide specific tools (pinned tools are not affected).
POSITION_PROVIDER_PINS(empty)Pin specific model providers to the top. Example: openai,anthropic.
POSITION_PROVIDER_INCLUDES(empty)Only show listed providers. If unset, all providers are available.
POSITION_PROVIDER_EXCLUDES(empty)Hide specific providers (pinned providers are not affected).

Plugin Daemon Configuration

The plugin daemon is a separate service that manages plugin lifecycle (installation, execution, upgrades). The chart sets the daemon URL, key, and marketplace settings automatically when the plugin daemon is enabled.
VariableDefaultDescription
PLUGIN_DAEMON_URLin-cluster plugin daemon service (Helm default)Plugin daemon service URL.
PLUGIN_DAEMON_KEYset by the chart (Helm default)Authentication key for the plugin daemon. Derived from global.innerApiKey.
PLUGIN_MODEL_PROVIDERS_CACHE_TTL86400How long (seconds) to cache each tenant’s plugin model-provider list in Redis. Invalidated automatically when a tenant installs, removes, or upgrades a plugin.
PLUGIN_DAEMON_PORT5002 (Helm default)Plugin daemon listening port.
PLUGIN_DAEMON_TIMEOUT600.0Timeout in seconds for all plugin daemon requests.
PLUGIN_MAX_PACKAGE_SIZE52428800 (Helm default)Maximum plugin package size in bytes (50 MB).
PLUGIN_MODEL_SCHEMA_CACHE_TTL3600How long to cache plugin model schemas in seconds.
MARKETPLACE_ENABLEDtrue (Helm default)Enable the plugin marketplace. When disabled, only locally installed plugins are available. Set through global.marketplace.enabled.
MARKETPLACE_API_URLhttps://marketplace.dify.ai (Helm default)Marketplace API endpoint. Set through global.marketplace.apiUrl.
FORCE_VERIFYING_SIGNATUREtrueRequire valid signatures before installing plugins.
PLUGIN_MAX_EXECUTION_TIMEOUT600Plugin execution timeout in seconds (plugin daemon side).
PIP_MIRROR_URL(empty)Custom PyPI mirror URL used by the plugin daemon when installing plugin dependencies. Useful for air-gapped environments.
ENDPOINT_URL_TEMPLATEderived from global.consoleApiDomain (Helm default)URL template for plugin endpoints. {hook_id} is replaced with the actual hook ID.

OTLP / OpenTelemetry Configuration

Application-level OpenTelemetry instrumentation (distinct from the enterprise telemetry above). When enabled, Dify instruments Flask and exports telemetry to an OTLP collector.
VariableDefaultDescription
ENABLE_OTELfalseMaster switch for application OpenTelemetry instrumentation.
OTLP_TRACE_ENDPOINT(empty)Dedicated trace endpoint URL. If unset, falls back to {OTLP_BASE_ENDPOINT}/v1/traces.
OTLP_METRIC_ENDPOINT(empty)Dedicated metric endpoint URL. If unset, falls back to {OTLP_BASE_ENDPOINT}/v1/metrics.
OTLP_BASE_ENDPOINThttp://localhost:4318Base OTLP collector URL.
OTLP_API_KEY(empty)API key for OTLP authentication. Sent as Authorization: Bearer header.
OTEL_EXPORTER_TYPEotlpExporter type. otlp exports to a collector; other values use a console exporter.
OTEL_EXPORTER_OTLP_PROTOCOL(empty)Protocol for OTLP export. grpc uses gRPC exporters; anything else uses HTTP.
OTEL_SAMPLING_RATE0.1Fraction of requests to trace (0.1 = 10%).
OTEL_BATCH_EXPORT_SCHEDULE_DELAY5000Delay in milliseconds between batch exports.
OTEL_MAX_QUEUE_SIZE2048Maximum number of spans queued before dropping.
OTEL_MAX_EXPORT_BATCH_SIZE512Maximum spans per export batch.
OTEL_METRIC_EXPORT_INTERVAL60000Metric export interval in milliseconds.
OTEL_BATCH_EXPORT_TIMEOUT10000Batch span export timeout in milliseconds.
OTEL_METRIC_EXPORT_TIMEOUT30000Metric export timeout in milliseconds.

Miscellaneous

VariableDefaultDescription
CSP_WHITELIST(empty)Additional domains to allow in Content Security Policy headers.
ALLOW_EMBEDfalseAllow Dify pages to be embedded in iframes. When false, sets X-Frame-Options: DENY to prevent clickjacking.
SWAGGER_UI_ENABLEDfalse (Helm default)Expose Swagger UI for browsing API documentation. Swagger endpoints bypass authentication. The chart disables this.
SWAGGER_UI_PATH/swagger-ui.htmlURL path for Swagger UI.
MAX_SUBMIT_COUNT100Maximum concurrent task submissions in the thread pool used for parallel workflow node execution.
TENANT_ISOLATED_TASK_CONCURRENCY1Number of document indexing or RAG pipeline tasks processed simultaneously per tenant.

Scheduled Tasks Configuration

Dify uses Celery Beat to run background maintenance tasks on configurable schedules.
VariableDefaultDescription
ENABLE_CLEAN_EMBEDDING_CACHE_TASKfalseDelete expired embedding cache records at 2:00 AM daily.
ENABLE_CLEAN_UNUSED_DATASETS_TASKfalseDisable documents in knowledge bases inactive within the retention period. Runs at 3:00 AM daily.
ENABLE_CLEAN_MESSAGESfalseDelete conversation messages older than the retention period at 4:00 AM daily.
ENABLE_MAIL_CLEAN_DOCUMENT_NOTIFY_TASKfalseEmail workspace owners a list of knowledge bases that had documents auto-disabled by the cleanup task. Runs every Monday at 10:00 AM.
ENABLE_DATASETS_QUEUE_MONITORfalseMonitor the dataset processing queue backlog in Redis. Sends email alerts when the queue exceeds the threshold.
QUEUE_MONITOR_INTERVAL30How often to check the queue (in minutes).
QUEUE_MONITOR_THRESHOLD200Queue size that triggers an alert email.
QUEUE_MONITOR_ALERT_EMAILS(empty)Email addresses to receive queue alerts (comma-separated).
ENABLE_CHECK_UPGRADABLE_PLUGIN_TASKtrueCheck the marketplace for newer plugin versions every 15 minutes.
ENABLE_WORKFLOW_SCHEDULE_POLLER_TASKtrueEnable the workflow schedule poller that triggers scheduled workflow runs.
WORKFLOW_SCHEDULE_POLLER_INTERVAL1How often to check for due scheduled workflows (in minutes).
WORKFLOW_SCHEDULE_POLLER_BATCH_SIZE100Maximum number of due schedules fetched per poll cycle.
WORKFLOW_SCHEDULE_MAX_DISPATCH_PER_TICK0Circuit breaker: maximum schedules dispatched per tick. 0 means unlimited.
ENABLE_WORKFLOW_RUN_CLEANUP_TASKfalseEnable automatic cleanup of workflow run records.
ENABLE_CREATE_TIDB_SERVERLESS_TASKfalsePre-create TiDB Serverless clusters for vector database pooling.
ENABLE_UPDATE_TIDB_SERVERLESS_STATUS_TASKfalseUpdate TiDB Serverless cluster status periodically.
ENABLE_HUMAN_INPUT_TIMEOUT_TASKtrueCheck for expired Human Input forms and resume or stop timed-out workflows.
HUMAN_INPUT_TIMEOUT_TASK_INTERVAL1How often to check for expired Human Input forms (in minutes).

Record Retention & Cleanup

VariableDefaultDescription
SANDBOX_EXPIRED_RECORDS_RETENTION_DAYS30Records older than this many days are eligible for deletion.
SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_SIZE1000Number of records processed per cleanup batch.
SANDBOX_EXPIRED_RECORDS_CLEAN_BATCH_MAX_INTERVAL200Maximum random delay in milliseconds between cleanup batches.
SANDBOX_EXPIRED_RECORDS_CLEAN_TASK_LOCK_TTL90000Redis lock TTL in seconds (~25 hours) to prevent concurrent cleanup task execution.

Aliyun SLS Logstore Configuration

Optional integration with Aliyun Simple Log Service for storing workflow execution logs externally instead of in the database.
VariableDefaultDescription
ALIYUN_SLS_ACCESS_KEY_ID(empty)Aliyun access key ID for SLS authentication.
ALIYUN_SLS_ACCESS_KEY_SECRET(empty)Aliyun access key secret for SLS authentication.
ALIYUN_SLS_ENDPOINT(empty)SLS service endpoint URL (for example, cn-hangzhou.log.aliyuncs.com).
ALIYUN_SLS_REGION(empty)Aliyun region (for example, cn-hangzhou).
ALIYUN_SLS_PROJECT_NAME(empty)SLS project name for storing workflow logs.
ALIYUN_SLS_LOGSTORE_TTL365Data retention in days for SLS logstores. Use 3650 for permanent storage.
LOGSTORE_DUAL_WRITE_ENABLEDfalseWrite workflow data to both SLS and PostgreSQL simultaneously. Useful during migration to SLS.
LOGSTORE_DUAL_READ_ENABLEDtrueFall back to PostgreSQL when SLS returns no results.
LOGSTORE_ENABLE_PUT_GRAPH_FIELDtrueInclude the full workflow graph definition in SLS logs. Set to false to reduce storage.

Event Bus Configuration

Redis-based event transport between API and Celery workers.
VariableDefaultDescription
EVENT_BUS_REDIS_URL(empty)Redis connection URL for event streaming. When empty, uses the main Redis connection settings.
EVENT_BUS_REDIS_CHANNEL_TYPEpubsubTransport type: pubsub, sharded, or streams (at-least-once delivery).
EVENT_BUS_REDIS_USE_CLUSTERSfalseEnable Redis Cluster mode for the event bus. Recommended for large deployments.

Plugin Daemon Storage Configuration

The plugin daemon can store plugin packages in different storage backends. Configure only the provider matching PLUGIN_STORAGE_TYPE.
VariableDefaultDescription
PLUGIN_STORAGE_TYPElocalPlugin storage backend: local, aws_s3, tencent_cos, azure_blob, aliyun_oss, volcengine_tos.
PLUGIN_STORAGE_LOCAL_ROOT/app/storageRoot directory for local plugin storage.
PLUGIN_WORKING_PATH/app/storage/cwdWorking directory for plugin execution.
PLUGIN_INSTALLED_PATHpluginSubdirectory for installed plugins.
PLUGIN_PACKAGE_CACHE_PATHplugin_packagesSubdirectory for cached plugin packages.
PLUGIN_MEDIA_CACHE_PATHassetsSubdirectory for cached media assets.
PLUGIN_STORAGE_OSS_BUCKET(empty)Object storage bucket name (shared across S3/COS/OSS/TOS providers).
PLUGIN_PYTHON_ENV_INIT_TIMEOUT120Timeout in seconds for initializing Python environments for plugins.
PLUGIN_STDIO_BUFFER_SIZE1024Buffer size in bytes for plugin stdio communication.
PLUGIN_STDIO_MAX_BUFFER_SIZE5242880Maximum buffer size in bytes (5 MB) for plugin stdio communication.
VariableDefaultDescription
PLUGIN_S3_USE_AWSfalseUse AWS S3 (vs S3-compatible services).
PLUGIN_S3_USE_AWS_MANAGED_IAMfalseUse IAM roles instead of explicit credentials.
PLUGIN_S3_ENDPOINT(empty)S3 endpoint URL.
PLUGIN_S3_USE_PATH_STYLEfalseUse path-style URLs instead of virtual-hosted.
PLUGIN_AWS_ACCESS_KEY(empty)AWS access key.
PLUGIN_AWS_SECRET_KEY(empty)AWS secret key.
PLUGIN_AWS_REGION(empty)AWS region.
VariableDefaultDescription
PLUGIN_AZURE_BLOB_STORAGE_CONTAINER_NAME(empty)Azure Blob container name.
PLUGIN_AZURE_BLOB_STORAGE_CONNECTION_STRING(empty)Azure Blob connection string.
VariableDefaultDescription
PLUGIN_TENCENT_COS_SECRET_KEY(empty)Tencent COS secret key.
PLUGIN_TENCENT_COS_SECRET_ID(empty)Tencent COS secret ID.
PLUGIN_TENCENT_COS_REGION(empty)Tencent COS region.
VariableDefaultDescription
PLUGIN_ALIYUN_OSS_REGION(empty)Aliyun OSS region.
PLUGIN_ALIYUN_OSS_ENDPOINT(empty)Aliyun OSS endpoint.
PLUGIN_ALIYUN_OSS_ACCESS_KEY_ID(empty)Aliyun OSS access key ID.
PLUGIN_ALIYUN_OSS_ACCESS_KEY_SECRET(empty)Aliyun OSS access key secret.
PLUGIN_ALIYUN_OSS_AUTH_VERSIONv4Aliyun OSS authentication version.
PLUGIN_ALIYUN_OSS_PATH(empty)Aliyun OSS path prefix.
VariableDefaultDescription
PLUGIN_VOLCENGINE_TOS_ENDPOINT(empty)Volcengine TOS endpoint.
PLUGIN_VOLCENGINE_TOS_ACCESS_KEY(empty)Volcengine TOS access key.
PLUGIN_VOLCENGINE_TOS_SECRET_KEY(empty)Volcengine TOS secret key.
PLUGIN_VOLCENGINE_TOS_REGION(empty)Volcengine TOS region.

FAQs

How do I set a variable that is not in values.yaml?

Add it through the extraEnv field for the service that needs it (api, worker, or web). For example, to set two variables on the API service:
api:
  extraEnv:
    - name: ENV_FROM_COMMUNITY1
      value: "env123"
    - name: ENV_FROM_COMMUNITY2
      value: "env123"
The same pattern applies to worker.extraEnv and web.extraEnv. Set the variable on every service that reads it.

How do I configure HTTP_PROXY and HTTPS_PROXY?

For security reasons, you may need to route the Dify API service’s outbound traffic through a proxy. Use the extraEnv field:
api:
  extraEnv:
    - name: "HTTP_PROXY"
      value: "http://proxy.example.com:8080"
    - name: "HTTPS_PROXY"
      value: "http://proxy.example.com:8080"