Getting started

MESSAGING_PROVIDER_GMAIL_ENABLED=true
CALENDAR_PROVIDER_GOOGLE_ENABLED=true
MESSAGING_PROVIDER_MICROSOFT_ENABLED=false
CALENDAR_PROVIDER_MICROSOFT_ENABLED=false
AUTH_GOOGLE_CLIENT_ID=<client-id>
AUTH_GOOGLE_CLIENT_SECRET=<client-secret>
AUTH_GOOGLE_CALLBACK_URL=https://<your-domain>/auth/google/redirect if you want to use Google SSO
AUTH_GOOGLE_APIS_CALLBACK_URL=https://<your-domain>/auth/google-apis/get-access-token

Enable APIs

On Google Cloud Console, go to APIs & Services and enable the following APIs:

Authorized redirect URIs

Under Credentials, in OAuth 2.0 Client IDs, you need to add the following redirect URIs to your project:

https://<your-domain>/auth/google/redirect if you want to use Google SSO
https://<your-domain>/auth/google-apis/get-access-token

Configure scopes

See relevant source code

If your app is in test mode

If your app is in test mode, you will need to add test users to your project.

Under OAuth consent screen, add your test users to the "Test users" section.

Start the cron jobs

# from your worker container
yarn command:prod cron:messaging:messages-import
yarn command:prod cron:messaging:message-list-fetch
yarn command:prod cron:calendar:calendar-event-list-fetch
yarn command:prod cron:calendar:calendar-events-import
yarn command:prod cron:messaging:ongoing-stale
yarn command:prod cron:calendar:ongoing-stale
yarn command:prod cron:workflow:automated-cron-trigger

For Outlook and Outlook Calendar (Microsoft 365)

Users must have a Microsoft 365 Licence to be able to use the Calendar and Messaging API. They will not be able to sync their account on Twenty without one.

Create a project in Microsoft Azure

You will need to create a project in Microsoft Azure and get the credentials.

Then you can set the following environment variables:

MESSAGING_PROVIDER_MICROSOFT_ENABLED=true
CALENDAR_PROVIDER_MICROSOFT_ENABLED=true
AUTH_MICROSOFT_ENABLED=true
AUTH_MICROSOFT_CLIENT_ID=<client-id>
AUTH_MICROSOFT_CLIENT_SECRET=<client-secret>
AUTH_MICROSOFT_CALLBACK_URL=https://<your-domain>/auth/microsoft/redirect if you want to use Microsoft SSO
AUTH_MICROSOFT_APIS_CALLBACK_URL=https://<your-domain>/auth/microsoft-apis/get-access-token

Enable APIs

On Microsoft Azure Console enable the following APIs in "Permissions":

Microsoft Graph: Mail.ReadWrite
Microsoft Graph: Mail.Send
Microsoft Graph: Calendars.Read
Microsoft Graph: User.Read
Microsoft Graph: openid
Microsoft Graph: email
Microsoft Graph: profile
Microsoft Graph: offline_access

Note: "Mail.ReadWrite" and "Mail.Send" are only mandatory if you want to send emails using our workflow actions. You can use "Mail.Read" instead if you only want to receive emails.

Authorized redirect URIs

You need to add the following redirect URIs to your project:

https://<your-domain>/auth/microsoft/redirect if you want to use Microsoft SSO
https://<your-domain>/auth/microsoft-apis/get-access-token

Configure scopes

See relevant source code

'openid'
'email'
'profile'
'offline_access'
'Mail.ReadWrite'
'Mail.Send'
'Calendars.Read'

If your app is in test mode

If your app is in test mode, you will need to add test users to your project.

Add your test users to the "Users and groups" section.

Start the cron jobs

# from your worker container
yarn command:prod cron:messaging:messages-import
yarn command:prod cron:messaging:message-list-fetch
yarn command:prod cron:calendar:calendar-event-list-fetch
yarn command:prod cron:calendar:calendar-events-import
yarn command:prod cron:messaging:ongoing-stale
yarn command:prod cron:calendar:ongoing-stale
yarn command:prod cron:workflow:automated-cron-trigger

Setup Environment Variables

Frontend

Variable	Example	Description
REACT_APP_SERVER_BASE_URL	http://localhost:3000	Url of backend server
GENERATE_SOURCEMAP	false	Generate source maps for debugging
CHROMATIC_PROJECT_TOKEN		Chromatic token used for CI

Backend

Config

Variable	Example	Description
PG_DATABASE_URL	postgres://user:pw@localhost:5432/default?connection_limit=1	Database connection
PG_SSL_ALLOW_SELF_SIGNED	false	Allow self signed certificates
REDIS_URL	redis://localhost:6379	Redis connection url
FRONT_DOMAIN	localhost	Domain of the hosted frontend
DEFAULT_SUBDOMAIN	app	The default subdomain name when multiworkspace mode is enabled
SERVER_URL	http://localhost:3000	Url to the hosted server
FRONTEND_URL	$SERVER_URL	Url to the frontend server. Same as SERVER_URL by default
PORT	3000	Port of the backend server
CACHE_STORAGE_TTL	3600 * 24 * 7	Cache TTL in seconds

Security

Variable	Example	Description
API_RATE_LIMITING_TTL	100	API rate limiting time window
API_RATE_LIMITING_LIMIT	200	API rate limiting max requests

Tokens

Variable	Example	Description
APP_SECRET	<random>	Secret used for encryption across the app
ACCESS_TOKEN_EXPIRES_IN	30m	Access token expiration time
LOGIN_TOKEN_EXPIRES_IN	15m	Login token expiration time
REFRESH_TOKEN_EXPIRES_IN	90d	Refresh token expiration time
REFRESH_TOKEN_COOL_DOWN	1m	Refresh token cooldown
FILE_TOKEN_EXPIRES_IN	1d	File token expiration time

Auth

Variable	Example	Description
MESSAGING_PROVIDER_GMAIL_ENABLED	false	Enable Gmail API connection
CALENDAR_PROVIDER_GOOGLE_ENABLED	false	Enable Google Calendar API connection
AUTH_GOOGLE_APIS_CALLBACK_URL	https://[YourDomain]/auth/google-apis/get-access-token	Google APIs auth callback
AUTH_PASSWORD_ENABLED	false	Enable Email/Password login
AUTH_GOOGLE_ENABLED	false	Enable Google SSO login
AUTH_GOOGLE_CLIENT_ID	123456789012-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com	Google client ID
AUTH_GOOGLE_CLIENT_SECRET		Google client secret
AUTH_GOOGLE_CALLBACK_URL	https://[YourDomain]/auth/google/redirect	Google auth callback
AUTH_MICROSOFT_ENABLED	false	Enable Microsoft SSO login
AUTH_MICROSOFT_CLIENT_ID		Microsoft client ID
AUTH_MICROSOFT_CLIENT_SECRET		Microsoft client secret
AUTH_MICROSOFT_CALLBACK_URL	https://[YourDomain]/auth/microsoft/redirect	Microsoft auth callback
AUTH_MICROSOFT_APIS_CALLBACK_URL	http://[YourDomain]/auth/microsoft-apis/get-access-token	Microsoft APIs auth callback
IS_MULTIWORKSPACE_ENABLED	false	Allows the use of multiple workspaces. Requires a web server that can manage wildcards for subdomains.
PASSWORD_RESET_TOKEN_EXPIRES_IN	5m	Password reset token expiration time

Email

Variable	Example	Description
IS_EMAIL_VERIFICATION_REQUIRED	false	If enabled, users must verify their email address before signing in. When true, users will receive a verification email after registration
EMAIL_VERIFICATION_TOKEN_EXPIRES_IN	1h	How long email verification tokens remain valid before requiring a new verification email
EMAIL_FROM_ADDRESS	[email protected]	Global email From: header used to send emails
EMAIL_FROM_NAME	John from YourDomain	Global name From: header used to send emails
EMAIL_SYSTEM_ADDRESS	[email protected]	Email address used as a destination to send internal system notification
EMAIL_DRIVER	logger	Email driver: 'logger' (to log emails in console) or 'smtp'
EMAIL_SMTP_HOST		Email SMTP Host
EMAIL_SMTP_PORT		Email SMTP Port
EMAIL_SMTP_USER		Email SMTP User
EMAIL_SMTP_PASSWORD		Email SMTP Password

Email SMTP Server configuration examples

Gmail

Office365

Smtp4dev

You will need to provision an App Password.

EMAIL_DRIVER=smtp
EMAIL_SMTP_HOST=smtp.gmail.com
EMAIL_SMTP_PORT=465
EMAIL_SMTP_USER=gmail_email_address
EMAIL_SMTP_PASSWORD='gmail_app_password'

Storage

Variable	Example	Description
STORAGE_TYPE	local	Storage driver: 'local' or 's3'
STORAGE_S3_REGION		Storage Region
STORAGE_S3_NAME		Bucket Name
STORAGE_S3_ENDPOINT		Use if a different Endpoint is needed (for example Google)
STORAGE_S3_ACCESS_KEY_ID		Optional depending on the authentication method
STORAGE_S3_SECRET_ACCESS_KEY		Optional depending on the authentication method
STORAGE_LOCAL_PATH	.local-storage	Data path (local storage)

Custom Code Execution

Variable	Example	Description
SERVERLESS_TYPE	local	Serverless driver type: 'local' or 'lambda'
SERVERLESS_LAMBDA_REGION		Lambda Region
SERVERLESS_LAMBDA_ROLE		Lambda Role
SERVERLESS_LAMBDA_SUBHOSTING_ROLE		Role to assume when hosting lambdas in dedicated AWS account
SERVERLESS_LAMBDA_ACCESS_KEY_ID		Optional depending on the authentication method
SERVERLESS_LAMBDA_SECRET_ACCESS_KEY		Optional depending on the authentication method

Logging and Observability

Variable	Example	Description
LOGGER_DRIVER	console	Currently, only supports 'console'
LOGGER_IS_BUFFER_ENABLED	true	Buffer the logs before sending them to the logging driver
LOG_LEVELS	error,warn	The loglevels which are logged to the logging driver. Can include: 'log', 'warn', 'error'
EXCEPTION_HANDLER_DRIVER	sentry	The exception handler driver can be: 'console' or 'sentry'
SENTRY_ENVIRONMENT	main	The sentry environment used if sentry logging driver is selected
SENTRY_DSN	https://[email protected]/xxx	The sentry logging endpoint used if sentry logging driver is selected
SENTRY_FRONT_DSN	https://[email protected]/xxx	The sentry logging endpoint used by the frontend if sentry logging driver is selected
METER_DRIVER	console	The meter driver can be: 'console' and/or 'opentelemetry'
OTLP_COLLECTOR_ENDPOINT_URL		The OpenTelemetry collector endpoint collects metrics if opentelemetry meter driver is selected. The collector has to be set separately.

Data enrichment and AI

Variable	Example	Description
OPENAI_API_KEY	sk-proj-abcdabcd...	OpenAI API key
LLM_CHAT_MODEL_DRIVER	openai	LLM provider
LLM_TRACING_DRIVER	langfuse	Where to output LangChain logs. 'langfuse' or 'console'.
LANGFUSE_SECRET_KEY	sk-lf-abcdabcd-abcd...	Langfuse secret key
LANGFUSE_PUBLIC_KEY	pk-lf-abcdabcd-abcd...	Langfuse public key

Serverless functions

This feature is WIP and is not yet useful for most users.

Variable	Example	Description
SERVERLESS_TYPE	local	Functions can either be executed through Lambda or directly by the main node process
SERVERLESS_LAMBDA_REGION	us-east-1	If you use the Lambda driver, region of the Lambda function
SERVERLESS_LAMBDA_ROLE	arn:aws:iam::121334:role/lambda-execution-role	If you use the Lambda driver, name of the IAM role with the right permissions
SERVERLESS_LAMBDA_SUBHOSTING_ROLE	arn:aws:iam::121334:role/lambda-deployment-role	If you host lambdas in a dedicated AWS account, name of the IAM role to assume in the dedicated account

Support Chat

Variable	Example	Description
SUPPORT_DRIVER	front	Support driver ('front' or 'none')
SUPPORT_FRONT_HMAC_KEY	<secret>	Support chat key
SUPPORT_FRONT_CHAT_ID	<id>	Support chat id

Telemetry

Variable	Example	Description
TELEMETRY_ENABLED	true	Change this if you want to disable telemetry
TELEMETRY_ANONYMIZATION_ENABLED	true	Telemetry is anonymized by default, you probably don't want to change this

Debug / Development

Variable	Example	Description
SIGN_IN_PREFILLED	true	Prefill the Sign in form for usage in a demo or dev environment

Workspace Cleaning

Variable	Example	Description
WORKSPACE_INACTIVE_DAYS_BEFORE_NOTIFICATION		Number of inactive days before sending workspace deleting warning email
WORKSPACE_INACTIVE_DAYS_BEFORE_SOFT_DELETION		Number of inactive days before soft deleting workspace
WORKSPACE_INACTIVE_DAYS_BEFORE_DELETION		Number of inactive days before destroying workspace

Captcha

Variable	Example	Description
CAPTCHA_DRIVER		The captcha driver can be 'google-recaptcha' or 'turnstile'
CAPTCHA_SITE_KEY		The captcha site key
CAPTCHA_SECRET_KEY		The captcha secret key

Noticed something to change?

As an open-source company, we welcome contributions through Github. Help us keep it up-to-date, accurate, and easy to understand by getting involved and sharing your ideas!

Edit Content