> ## Documentation Index > Fetch the complete documentation index at: https://engineering.unkey.com/llms.txt > Use this file to discover all available pages before exploring further. # Configuration > Configuration model and required settings for the api service ## Configuration model Unkey services read configuration from a TOML file passed at startup. Environment variables can be referenced with `${VAR}` and are expanded before parsing. Defaults and validation run after parsing. The config schema maps to [`svc/api/config.go`](https://github.com/unkeyed/unkey/blob/main/svc/api/config.go). Minimal config example: ```toml theme={"theme":"kanagawa-wave"} instance_id = "${POD_NAME}" platform = "aws" http_port = 7070 region = "${UNKEY_REGION}" redis_url = "${UNKEY_REDIS_URL}" [database] primary = "${UNKEY_DATABASE_PRIMARY}" readonly_replica = "${UNKEY_DATABASE_REPLICA}" [clickhouse] url = "${UNKEY_CLICKHOUSE_URL}" analytics_url = "${UNKEY_CLICKHOUSE_ANALYTICS_URL}" [control] url = "${UNKEY_CTRL_URL}" token = "${UNKEY_CTRL_TOKEN}" [vault] url = "${UNKEY_VAULT_URL}" token = "${UNKEY_VAULT_TOKEN}" ``` Instance identifier for logs and cache invalidation. Example: `"api-7d9b8c4f5d-2kq7m"`. Platform label for logs and metrics. Example: `"aws"`. Container image identifier logged at startup. Example: `"ghcr.io/unkeyed/unkey:v2.0.77"`. HTTP server port. Example: `7070`. Region label for logs and analytics. Example: `"us-east-1"`. Redis connection string for counters and usage limiting. Example: `"redis://redis:6379"`. Enables test-only behaviors. Do not use in production. Maximum request size in bytes. MySQL configuration. Primary MySQL DSN. Optional read replica DSN. ClickHouse configuration. ClickHouse connection string for shared analytics. Base URL for workspace-specific analytics connections. TLS settings for HTTPS. Disable TLS when true. Path to TLS certificate. Path to TLS key. Vault connection. Vault base URL. Bearer token for Vault. Gossip-based cache invalidation. Bind address for gossip. LAN gossip port. WAN gossip port. LAN seed addresses. WAN seed addresses. Base64-encoded secret key for gossip encryption. Control plane connection. Control API URL. Bearer token for control API. pprof endpoint configuration. Basic auth username. Basic auth password. Tracing, logging, and metrics configuration. Trace sampling rate. Log sampling rate. Slow log threshold. Prometheus port for the `/metrics` listener. To disable metrics, omit the `observability.metrics` section. ## Environment variables The Helm chart provides these variables for the default config template: Region label for logs and traces. Redis URL for counters and usage limiting. MySQL primary DSN. MySQL read replica DSN. ClickHouse shared URL. ClickHouse analytics base URL. Control API URL. Control API token. Vault URL. Vault bearer token. pprof username. pprof password. WAN seed list for gossip. Gossip secret key. ## Example configuration ```toml theme={"theme":"kanagawa-wave"} instance_id = "${POD_NAME}" platform = "aws" http_port = 7070 region = "${UNKEY_REGION}" redis_url = "${UNKEY_REDIS_URL}" [observability.tracing] sample_rate = 0.1 [observability.logging] sample_rate = 0.01 slow_threshold = "1s" [observability.metrics] prometheus_port = 2112 [database] primary = "${UNKEY_DATABASE_PRIMARY}" readonly_replica = "${UNKEY_DATABASE_REPLICA}" [clickhouse] url = "${UNKEY_CLICKHOUSE_URL}" analytics_url = "${UNKEY_CLICKHOUSE_ANALYTICS_URL}" [control] url = "${UNKEY_CTRL_URL}" token = "${UNKEY_CTRL_TOKEN}" [vault] url = "${UNKEY_VAULT_URL}" token = "${UNKEY_VAULT_TOKEN}" [pprof] username = "${UNKEY_PPROF_USERNAME}" password = "${UNKEY_PPROF_PASSWORD}" [gossip] lan_port = 7946 wan_port = 7947 lan_seeds = ["unkey-api-gossip-lan"] wan_seeds = ["${UNKEY_GOSSIP_WAN_SEEDS}"] secret_key = "${UNKEY_GOSSIP_SECRET_KEY}" ``` ## Related docs * [Overview](/architecture/services/api/overview)