Environment Variables
All backend configuration is done via environment variables. The backend reads from a .env file in the working directory or from the system environment.
Core
| Variable |
Default |
Description |
APP_ENV |
development |
Environment name. Set to production in prod. |
DATABASE_URL |
sqlite:///./xinference_saas.db |
SQLAlchemy database URL |
DATABASE_AUTO_CREATE_SCHEMA |
false |
Auto-create DB tables on startup (dev only) |
Auth & Sessions
| Variable |
Default |
Description |
SESSION_COOKIE_SECURE |
false |
Require HTTPS for session cookies. Must be true in production. |
SESSION_COOKIE_SAMESITE |
lax |
Cookie SameSite policy: lax, strict, or none |
SESSION_COOKIE_MAX_AGE |
604800 |
Cookie TTL in seconds (default: 7 days) |
SESSION_EXPIRE_MINUTES |
10080 |
Session expiry in minutes (default: 7 days) |
SESSION_COOKIE_NAME |
auto |
Override the session cookie name |
Warning
SESSION_COOKIE_SAMESITE=none requires SESSION_COOKIE_SECURE=true. The backend validates this combination on startup and will refuse to start with an unsafe configuration.
CORS
| Variable |
Default |
Description |
CORS_ALLOW_ORIGINS |
`` (empty) |
Comma-separated list of allowed origins |
XINFERENCE_FRONTEND_URL |
/ |
URL of the frontend. Must be included in CORS_ALLOW_ORIGINS. |
Same-site example (app.example.com + api.example.com):
CORS_ALLOW_ORIGINS=https://app.example.com
XINFERENCE_FRONTEND_URL=https://app.example.com
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_SAMESITE=lax
Cross-site example (app.example.com + api.other-domain.com):
CORS_ALLOW_ORIGINS=https://app.example.com
XINFERENCE_FRONTEND_URL=https://app.example.com
SESSION_COOKIE_SECURE=true
SESSION_COOKIE_SAMESITE=none
Google SSO
| Variable |
Description |
GOOGLE_OIDC_CLIENT_ID |
Google OAuth client ID |
GOOGLE_OIDC_CLIENT_SECRET |
Google OAuth client secret |
GOOGLE_OIDC_REDIRECT_URI |
OAuth callback URL (must match Google Console) |
AWS
| Variable |
Default |
Description |
XINFERENCE_SAAS_CLOUD_PROVIDER |
fake |
Set to aws for real provisioning |
XINFERENCE_SAAS_AWS_REGION |
— |
AWS region (e.g. us-east-1) |
XINFERENCE_SAAS_AWS_AMI_ID |
— |
AMI ID with Xinference pre-installed |
XINFERENCE_SAAS_AWS_SUBNET_ID |
— |
Subnet ID for EC2 instances |
XINFERENCE_SAAS_AWS_SECURITY_GROUP_IDS |
— |
Comma-separated security group IDs |
XINFERENCE_SAAS_AWS_IAM_INSTANCE_PROFILE_NAME |
— |
IAM instance profile for workers |
XINFERENCE_SAAS_AWS_KEY_NAME |
— |
EC2 key pair name (optional, for SSH access) |
XINFERENCE_SAAS_AWS_ASSOCIATE_PUBLIC_IP |
false |
Assign public IPs (for testing outside VPC) |
Xinference Worker
| Variable |
Default |
Description |
XINFERENCE_SAAS_XINFERENCE_CLIENT |
fake |
Set to real for real Xinference calls |
XINFERENCE_SAAS_XINFERENCE_READY_TIMEOUT_SECONDS |
600 |
Max wait for model to load |
XINFERENCE_SAAS_XINFERENCE_TIMEOUT_SECONDS |
30 |
Per-request HTTP timeout |
XINFERENCE_SAAS_XINFERENCE_IMAGE |
xprobe/xinference:latest |
Docker image for Xinference |
XINFERENCE_SAAS_XINFERENCE_API_KEY |
— |
API key for Xinference server |
Cluster Behavior
| Variable |
Default |
Description |
XINFERENCE_SAAS_CLUSTER_IDLE_TTL_SECONDS |
900 |
Seconds of inactivity before auto-termination (default: 15 min) |
XINFERENCE_SAAS_SUPERVISOR_ENDPOINT_HOST |
private |
Use private (VPC) or public IP for supervisor |
XINFERENCE_SAAS_AWS_SUPERVISOR_INSTANCE_TYPE |
t3.small |
Instance type for cluster supervisor node |
XINFERENCE_SAAS_RECONCILER_ENABLED |
false |
Enable background reconciler loop |
XINFERENCE_SAAS_RECONCILER_INTERVAL_SECONDS |
60 |
How often the reconciler runs |
Billing & Stripe
Billing is backed by Stripe. Configure the following to enable subscriptions, payment methods, invoices, and webhooks.
| Variable |
Description |
STRIPE_SECRET_KEY |
Stripe API secret key |
STRIPE_PUBLISHABLE_KEY |
Stripe publishable key (returned by GET /v1/billing/config) |
STRIPE_WEBHOOK_SECRET |
Secret used to verify Stripe webhook signatures (POST /v1/billing/webhook) |
STRIPE_DEFAULT_COLLECTION_METHOD |
Default subscription collection method (charge_automatically or send_invoice) |
STRIPE_CHECKOUT_SESSION_CURRENCY |
Currency used for Stripe Checkout sessions |
STRIPE_BILLING_PORTAL_RETURN_PATH |
Return path after the Stripe customer portal |
STRIPE_SUBSCRIPTION_PAYMENT_BEHAVIOR |
Stripe subscription payment behavior |
STRIPE_SUBSCRIPTION_DAYS_UNTIL_DUE |
Days until an invoice is due (for send_invoice) |
BILLING_STRIPE_CATALOG_NAMESPACE |
Namespace for the Stripe billing catalog |
BILLING_SEED_DEFAULT_PRICE_PLAN |
Seed the aws-ondemand-default price plan on startup only when no active default plan exists |
Email
| Variable |
Description |
SMTP_HOST |
SMTP server hostname |
SMTP_PORT |
SMTP port (typically 587 or 465) |
SMTP_USERNAME |
SMTP username |
SMTP_PASSWORD |
SMTP password |
SMTP_USE_TLS / SMTP_USE_SSL |
Transport security toggles |
EMAIL_FROM |
Sender address for transactional emails |
INVITATION_EMAIL_FROM / INVITATION_EMAIL_REPLY_TO |
Sender and reply-to addresses for invitation emails |
Leave SMTP_HOST empty to skip email delivery. Password-reset abuse controls (PASSWORD_RESET_EMAIL_COOLDOWN_SECONDS, PASSWORD_RESET_IP_WINDOW_SECONDS, PASSWORD_RESET_IP_MAX_REQUESTS) are also configurable.