This static configuration index lists source-level defaults. Effective values also include config files, environment variables, CLI overrides, path resolution, and timezone fallback.
See Full Configuration Example for YAML templates. Run `synctv config show --output yaml` to inspect the effective configuration for the current binary with secrets redacted.
OAuth2 provider instances are Runtime Settings. Remote media provider instances are persisted through the management API/CLI and are not static config-file fields.
Most fields can keep their defaults. Production launch should prioritize secrets, database, entrypoints, security boundaries, and backups.
| Setting | When to change it | Common mistake | After change | Production guidance |
| --- | --- | --- | --- | --- |
| `jwt.secret` | Any production deployment | Keeping `change-me-in-production` or committing it | Restart required; old tokens may become invalid | Inject through Secret Manager or secret file |
| `security.opaque_server_setup_secret` | Local password/OPAQUE login | Regenerating it on every deployment | Restart required; casual changes can break password records | Generate once and back it up |
| `security.credential_encryption_key` | Storing encrypted provider credentials | Not 64 hex chars, or losing the key | Restart required; losing it breaks encrypted credential reads | Use `openssl rand -hex 32` and back it up |
| `database.url` / split fields | Production PostgreSQL | Pointing at local dev DB or oversizing the pool | Restart required | PostgreSQL must be persistent and backed up |
| `redis.url` / split fields | Production, OAuth2, multi-replica, rate limits, L2 cache | Different replicas use different Redis or key prefixes collide | Restart required | Recommended in production, required for multi-replica mode |
| `server.cors_allowed_origins` | Web frontend and API use different origins | Using `*` or adding a path | Restart required | Use exact origins such as `https://app.example.com` |
| `server.trusted_proxies` | A reverse proxy or Ingress sits in front | Trusting the whole internet | Restart required | Trust only proxy networks you control |
| `management.*` | CLI or operations control plane is needed | Exposing TCP management publicly without a token | Restart required | Prefer Unix socket; TCP must be authenticated |
| `metrics.*` | Prometheus or alerting is used | Exposing `/metrics` publicly | Restart required | Use auth and network isolation |
| `webauthn.*` | Passkeys are enabled | `rp_origin` does not match the real origin | Restart required | Use only production HTTPS origins |
| `email.*` | Email verification, password reset, email MFA, notifications | TLS/port/from address mismatch | Restart required | Verify with `synctv settings test-email` |
| `cluster.*` / `cluster.secret` | Multi-replica cluster | Cluster enabled without Redis or cluster secret | Restart required | All replicas share PostgreSQL, Redis, and secrets |
| `livestream.*` | RTMP/FLV/HLS livestreaming | HLS storage model differs between replicas | Restart required | Use shared filesystem or OSS for high traffic |
| `proxy_slice_cache.*` | Proxy Range slice cache is needed | Expecting full-file cache | Restart required | Mount enough storage; only Range slices are cached |
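The "Common mistake" column above can be turned into a pre-launch check. The following is an added example, not part of SyncTV or its CLI: `preflight`, `get`, `is_exact_origin` and `covers_everything` are hypothetical helper names, and the input is assumed to be a nested dict of unredacted values loaded from your own config sources (the output of `synctv config show` has secrets redacted, so it cannot be used for the secret checks).

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_JWT_SECRET = "change-me-in-production"  # default from the field index

def get(cfg, dotted, default=None):
    """Look up a dotted field name such as 'jwt.secret' in a nested dict."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def is_exact_origin(value):
    """True for scheme://host[:port] with no wildcard, path, query or fragment."""
    parts = urlsplit(value)
    return ("*" not in value and parts.scheme in ("http", "https")
            and bool(parts.hostname) and parts.path == ""
            and not parts.query and not parts.fragment)

def covers_everything(cidr):
    """True when a trusted-proxy entry spans all of IPv4 or IPv6 (prefix /0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def preflight(cfg):
    """Return the fields that match a 'Common mistake' cell of the table."""
    bad = []
    if get(cfg, "jwt.secret", DEFAULT_JWT_SECRET) == DEFAULT_JWT_SECRET:
        bad.append("jwt.secret")
    key = get(cfg, "security.credential_encryption_key", "")
    if key and not re.fullmatch(r"[0-9a-fA-F]{64}", key):
        bad.append("security.credential_encryption_key")
    if not all(is_exact_origin(o) for o in get(cfg, "server.cors_allowed_origins", [])):
        bad.append("server.cors_allowed_origins")
    if any(covers_everything(p) for p in get(cfg, "server.trusted_proxies", [])):
        bad.append("server.trusted_proxies")
    # Only an explicit "tcp" is checked; the transport default is platform-specific.
    if (get(cfg, "management.enabled", True)
            and get(cfg, "management.transport") == "tcp"
            and not get(cfg, "management.auth_token", "")):
        bad.append("management.auth_token")
    if get(cfg, "cluster.enabled", False):
        has_redis = get(cfg, "redis.url", "") or get(cfg, "redis.host", "")
        has_secret = get(cfg, "cluster.secret", "") or get(cfg, "cluster.secret_file", "")
        if not (has_redis and has_secret):
            bad.append("cluster.enabled")
    return bad

# Constructed sample, not taken from any real deployment: every check fires.
SAMPLE_BAD = {
    "jwt": {"secret": "change-me-in-production"},
    "security": {"credential_encryption_key": "abc123"},
    "server": {"cors_allowed_origins": ["*"], "trusted_proxies": ["0.0.0.0/0"]},
    "management": {"transport": "tcp", "auth_token": ""},
    "cluster": {"enabled": True},
}

if __name__ == "__main__":
    print(preflight(SAMPLE_BAD))
```

An empty result means none of the listed mistakes were detected; it does not cover the backup, persistence or network-isolation guidance, which cannot be read from configuration values.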
Shortest verification loop:
```bash
synctv config show --output yaml
curl -fsS http://localhost:8080/health/ready
```
Production Compose uses .env.postgres, .env.redis, and .env.synctv; it does not require a hand-written full YAML file. Before launch, confirm:
| Goal | Compose/env focus | Config field |
| --- | --- | --- |
| Initial administrator | `SYNCTV_BOOTSTRAP_ROOT_PASSWORD` | `bootstrap.root_password` |
| Token signing | `SYNCTV_JWT_SECRET` | `jwt.secret` |
| OPAQUE password login | `SYNCTV_SECURITY_OPAQUE_SERVER_SETUP_SECRET` | `security.opaque_server_setup_secret` |
| Provider credential encryption | `SYNCTV_SECURITY_CREDENTIAL_ENCRYPTION_KEY` | `security.credential_encryption_key` |
| Web frontend CORS | `SYNCTV_SERVER_CORS_ALLOWED_ORIGINS='["https://app.example.com"]'` | `server.cors_allowed_origins` |
| PostgreSQL | `.env.postgres` and Compose volume | `database.*` |
| Redis | `.env.redis`, Compose Redis service, and key prefix | `redis.*` |
| Runtime files | Compose `/data` volume | `data_dir` |
Use the field index below for bare-metal, Kubernetes, secret files, or custom YAML.
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `server.host` | IP/listen address | `0.0.0.0` | Main API listen address |
| `server.port` | port | `8080` | HTTP REST, public gRPC, and health-check port |
| `server.enable_reflection` | boolean | `false` | Enable public gRPC reflection |
| `server.trusted_proxies` | string array | `[]` | Trusted reverse proxy IPs/CIDRs |
| `server.cors_allowed_origins` | string array | `[]` | Frontend origins allowed by startup CORS |
| `server.advertise_host` | string | `""` | Address other nodes use to reach this node |
| `server.shutdown_drain_timeout_seconds` | seconds | `30` | Graceful shutdown drain timeout |
| `server.grpc_max_message_size_bytes` | bytes | `16777216` | Maximum gRPC message size |
| `server.grpc_compression_enabled` | boolean | `true` | Allow gRPC gzip compression negotiation |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `time.timezone` | IANA timezone | `""` | Timezone for human-readable formatting and local datetime parsing |
| `public_ids.sqids` | object or null | `null` | Enable sqids public IDs when configured |
| `public_ids.sqids.alphabet` | string or null | `null` | sqids alphabet |
| `public_ids.sqids.min_length` | integer | `12` | Minimum sqids length |
| `security.credential_encryption_key` | 64-character hex secret | `""` | Provider credential encryption key |
| `security.opaque_server_setup_secret` | secret string | `""` | Stable OPAQUE server setup secret |
| `security.ssrf.enabled` | boolean | `false` | Enable global SSRF protection for server-side outbound requests |
| `security.ssrf.allow_private_network_targets` | boolean | `false` | Allow server-side outbound requests to private/loopback/link-local/reserved/metadata targets |
| `security.ssrf.allowed_hosts` | string array | `[]` | Additional hostnames allowed by the global SSRF policy |
| `security.ssrf.allowed_ip_ranges` | IP/CIDR string array | `[]` | Additional IPs or CIDR ranges allowed by the global SSRF policy |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `metrics.enabled` | boolean | `false` | Start the dedicated metrics listener |
| `metrics.host` | IP/listen address | `0.0.0.0` | Metrics listen address |
| `metrics.port` | port | `9090` | Metrics listen port |
| `metrics.tls.enabled` | boolean | `false` | Enable TLS on the metrics listener |
| `metrics.tls.cert_path` | file path | `""` | Metrics TLS certificate |
| `metrics.tls.key_path` | file path | `""` | Metrics TLS private key |
| `metrics.auth.mode` | `bearer_token`, `basic`, or `kubernetes` | `bearer_token` | Metrics authentication mode |
| `metrics.auth.bearer_token` | secret string | `""` | Bearer token for bearer-token mode |
| `metrics.auth.basic_username` | string | `""` | Basic-auth username |
| `metrics.auth.basic_password` | secret string | `""` | Basic-auth password |
| `metrics.auth.kubernetes.audience` | string | `""` | Kubernetes TokenReview audience |
| `metrics.auth.kubernetes.authentication_cache_ttl_seconds` | seconds | `60` | TokenReview result cache TTL |
| `metrics.auth.kubernetes.authorization_cache_ttl_seconds` | seconds | `60` | SubjectAccessReview result cache TTL |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `management.enabled` | boolean | `true` | Enable the management endpoint |
| `management.transport` | `unix` or `tcp` | `unix` on Unix, `tcp` elsewhere | Management endpoint transport |
| `management.port` | port | `50052` | TCP management port |
| `management.unix_socket_path` | file path | platform-specific | Unix socket path |
| `management.auth_token` | secret string | `""` | TCP management bearer token |
| `management.enable_reflection` | boolean | `false` | Management gRPC reflection |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `database.url` | PostgreSQL URL | `postgresql://synctv:synctv@localhost:5432/synctv` | Complete database connection URL |
| `database.host` | string | `""` | Database host for split configuration |
| `database.port` | port | `0` | Database port for split configuration |
| `database.username` | string | `""` | Database username |
| `database.password` | secret string | `""` | Database password |
| `database.name` | string | `""` | Database name |
| `database.max_connections` | integer | `20` | Maximum pool connections |
| `database.min_connections` | integer | `5` | Minimum idle pool connections |
| `database.connect_timeout_seconds` | seconds | `10` | Connection timeout |
| `database.idle_timeout_seconds` | seconds | `600` | Idle connection timeout |
| `database.max_lifetime_seconds` | seconds | `1800` | Maximum connection lifetime |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `redis.url` | Redis URL | `""` | Complete Redis connection URL |
| `redis.host` | string | `""` | Redis host for split configuration |
| `redis.port` | port | `0` | Redis port for split configuration |
| `redis.username` | string | `""` | Redis username |
| `redis.password` | secret string | `""` | Redis password |
| `redis.database` | integer | `0` | Redis database index |
| `redis.connect_timeout_seconds` | seconds | `5` | Redis connection timeout |
| `redis.response_timeout_seconds` | seconds | `5` | Redis command response timeout |
| `redis.pipeline_buffer_size` | integer | `512` | Redis connection manager pipeline buffer size |
| `redis.key_prefix` | string | `synctv:` | Redis key prefix |
| `redis.deployment_mode` | `standalone` or `sentinel` | `standalone` | Redis deployment mode |
| `redis.sentinel_master_name` | string or null | `null` | Sentinel master name |
| `redis.sentinel_addresses` | string array | `[]` | Sentinel node addresses |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `jwt.secret` | secret string | `change-me-in-production` | Token signing secret |
| `jwt.access_token_duration_hours` | hours | `1` | Access-token lifetime |
| `jwt.refresh_token_duration_days` | days | `30` | Refresh-token lifetime |
| `jwt.guest_token_duration_hours` | hours | `4` | Guest-token lifetime |
| `jwt.clock_skew_leeway_secs` | seconds | `60` | Token timestamp skew allowance |
| `logging.level` | `error`, `warn`, `info`, `debug`, or `trace` | `info` | Log level |
| `logging.format` | `pretty` or `json` | `pretty` | Log format |
| `logging.filter` | tracing filter string or null | `null` | Advanced module-level log filter |
| `logging.backtrace` | boolean | `false` | Emit backtraces |
| `logging.file_path` | file path or null | `null` | Log file path |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `livestream.rtmp_port` | port | `1935` | RTMP ingest port |
| `livestream.public_rtmp_host` | string | `""` | Public RTMP host returned to publishers |
| `livestream.gop_cache_size` | integer | `2` | Number of GOPs cached per stream |
| `livestream.stream_timeout_seconds` | seconds | `300` | Pull-stream idle timeout |
| `livestream.cleanup_check_interval_seconds` | seconds | `60` | Cleanup check interval |
| `livestream.pull_max_retries` | integer | `10` | Maximum pull-stream retries |
| `livestream.pull_initial_backoff_ms` | milliseconds | `1000` | Initial pull retry backoff |
| `livestream.pull_max_backoff_ms` | milliseconds | `30000` | Maximum pull retry backoff |
| `livestream.max_flv_tag_size_bytes` | bytes | `10485760` | Maximum accepted FLV tag size |
| `livestream.gop_cache_max_memory_mb` | MB | `100` | GOP cache memory limit |
| `livestream.hls_memory_max_mb` | MB | `0` | In-memory HLS storage limit; 0 uses the built-in default |
| `livestream.hls_storage_backend` | `memory`, `file`, `shared_file`, or `oss` | `memory` | HLS segment storage backend |
| `livestream.hls_storage_path` | path | `""` | HLS file path for the `file` / `shared_file` backend |
| `livestream.hls_oss.endpoint` | string | `""` | S3/OSS endpoint for the `oss` backend; required when `oss` is enabled |
| `livestream.hls_oss.access_key_id` | secret string | `""` | Access key ID for the `oss` backend; required when `oss` is enabled |
| `livestream.hls_oss.secret_access_key` | secret string | `""` | Secret access key for the `oss` backend; required when `oss` is enabled |
| `livestream.hls_oss.bucket` | string | `""` | Bucket for the `oss` backend; required when `oss` is enabled |
| `livestream.hls_oss.region` | string or null | `null` | Region for the `oss` backend |
| `livestream.hls_oss.base_path` | string | `hls/` | Object key prefix inside the bucket |
| `livestream.flv_max_connection_duration_seconds` | seconds | `86400` | Maximum HTTP-FLV connection duration |
| `livestream.flv_write_timeout_seconds` | seconds | `30` | HTTP-FLV write timeout |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `file_storage.default_backend` | backend name | `disabled` | Fallback backend used by product features |
| `file_storage.chat_attachments_backend` | backend name or empty | `""` | Backend for chat attachments; empty inherits `default_backend` |
| `file_storage.user_avatars_backend` | backend name or empty | `""` | Backend for user avatars; empty inherits `default_backend` |
| `file_storage.media_covers_backend` | backend name or empty | `""` | Backend for media covers; empty inherits `default_backend` |
| `file_storage.room_covers_backend` | backend name or empty | `""` | Backend for room covers; empty inherits `default_backend` |
| `file_storage.playlist_covers_backend` | backend name or empty | `""` | Backend for playlist covers; empty inherits `default_backend` |
| `file_storage.upload_token_secret` | secret string | `""` | Signing secret for file upload/read tokens; empty value derives from `jwt.secret` at startup |
| `file_storage.unreferenced_object_retention_seconds` | seconds | `86400` | Grace period before uploaded objects with no active product reference are cleaned; 0 disables orphan cleanup |
| `file_storage.backends.<name>.type` | `disabled`, `database`, or `s3` | `disabled` | Registered backend implementation type |
| `file_storage.backends.<name>.database.compression` | `none`, `lz4`, or `zstd` | `zstd` | Compression algorithm used by `type: "database"` backends for persisted `file_blob_parts` segments |
| `file_storage.backends.<name>.database.compression_min_size_bytes` | bytes | `4096` | Minimum original payload size before compression is attempted |
| `file_storage.backends.<name>.database.compression_min_savings_percent` | 0 to 100 | `10` | Minimum saved percentage required before compressed bytes are stored |
| `file_storage.backends.<name>.s3.*` | S3 config | default S3 fields | S3-compatible settings for backends with `type: "s3"`; `public_base_url` is required for readable file URLs after upload or ownership proof validation |
Upload sessions use a server-provided part plan: clients first request FileUploadPlan with empty parts, hash every planned part with SHA-256, then submit FileUploadManifestPart[]. SyncTV computes content_manifest_sha256 from the canonical manifest and uses it for instant-upload object lookup and unfinished resumable-session lookup. Database backends persist fixed file_blob_parts segments and serve HTTP Range requests directly from those segments, decompressing only the parts that overlap the requested byte range. S3 backends use native multipart uploads with presigned part URLs, sign x-amz-checksum-sha256 into each part URL, and validate object identity from the recorded part manifest at completion without reading GB-scale objects back from S3. Duplicate objects return upload_required=false with an ownership proof challenge; readable URLs are signed after proof validation and business-reference persistence.
Disable file storage:
```yaml
file_storage:
  default_backend: "disabled"
```
Store file bytes in PostgreSQL:
```yaml
file_storage:
  default_backend: "database"
  chat_attachments_backend: "database"
  user_avatars_backend: "database"
  media_covers_backend: "database"
  room_covers_backend: "database"
  playlist_covers_backend: "database"
  upload_token_secret_file: "/run/secrets/file_upload_token_secret"
```
Use S3-compatible object storage:
```yaml
file_storage:
  default_backend: "s3_public"
  chat_attachments_backend: "s3_public"
  user_avatars_backend: "s3_public"
  media_covers_backend: "s3_public"
  room_covers_backend: "s3_public"
  playlist_covers_backend: "s3_public"
  upload_token_secret_file: "/run/secrets/file_upload_token_secret"
  # Nesting below follows the file_storage.backends.<name>.type and
  # file_storage.backends.<name>.s3.* entries in the field index.
  backends:
    s3_public:
      type: "s3"
      s3:
        endpoint: "https://s3.example.com"
        access_key_id_file: "/run/secrets/file_storage_s3_access_key_id"
        secret_access_key_file: "/run/secrets/file_storage_s3_secret_access_key"
        public_base_url: "https://cdn.example.com/files"
        upload_expires_seconds: 900
```
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `webauthn.enabled` | boolean | `false` | Enable passkey endpoints |
| `webauthn.rp_id` | domain | `""` | WebAuthn relying-party ID |
| `webauthn.rp_origin` | origin | `""` | Primary WebAuthn origin |
| `webauthn.rp_name` | string | `SyncTV` | Authenticator display name |
| `webauthn.allowed_origins` | origin array | `[]` | Additional accepted origins |
| `webauthn.allow_subdomains` | boolean | `false` | Allow subdomains of configured origins |
| `webauthn.allow_any_port` | boolean | `false` | Ignore origin ports |
| `webauthn.timeout_seconds` | seconds | `300` | Challenge timeout |
| `email.smtp_host` | string | `""` | SMTP host |
| `email.smtp_port` | port | `587` | SMTP port |
| `email.smtp_username` | string | `""` | SMTP username |
| `email.smtp_password` | secret string | `""` | SMTP password |
| `email.from_email` | email address | `""` | Sender email address |
| `email.from_name` | string | `SyncTV` | Sender display name |
| `email.use_tls` | boolean | `true` | Use TLS for SMTP |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `media_providers.alist.request_timeout_seconds` | seconds | `30` | Local Alist provider request timeout |
| `media_providers.alist.connect_timeout_seconds` | seconds | `10` | Local Alist provider connection timeout |
| `media_providers.bilibili.request_timeout_seconds` | seconds | `30` | Local Bilibili provider request timeout |
| `media_providers.bilibili.connect_timeout_seconds` | seconds | `10` | Local Bilibili provider connection timeout |
| `media_providers.emby.request_timeout_seconds` | seconds | `30` | Local Emby/Jellyfin provider request timeout |
| `media_providers.emby.connect_timeout_seconds` | seconds | `10` | Local Emby/Jellyfin provider connection timeout |
| `webrtc.mode` | `signaling_only` or `peer_to_peer` | `peer_to_peer` | WebRTC operating mode |
| `webrtc.enable_builtin_stun` | boolean | `true` | Enable built-in STUN |
| `webrtc.stun_port` | port | `3478` | STUN port |
| `webrtc.stun_host` | IP/listen address | `0.0.0.0` | STUN listen address |
| `webrtc.stun_external_addr` | string | `""` | STUN external address announced to clients |
| `webrtc.filter_private_ice_candidates` | boolean | `true` | Filter private ICE candidates |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `connection_limits.max_per_user` | integer | `20` | Maximum connections per user |
| `connection_limits.max_per_room` | integer | `2000` | Maximum connections per room |
| `connection_limits.max_total` | integer | `100000` | Maximum service-wide connections |
| `connection_limits.idle_timeout_seconds` | seconds | `300` | Idle connection timeout |
| `connection_limits.max_duration_seconds` | seconds | `86400` | Maximum connection lifetime |
| `connection_limits.ws_message_rate_limit_per_second` | per-second count | `50` | WebSocket message rate per connection |
| `bootstrap.create_root_user` | boolean | `false` | Create the initial root user automatically |
| `bootstrap.root_username` | string | `root` | Initial root username |
| `bootstrap.root_password` | secret string | `""` | Initial root password |
| `cluster.enabled` | boolean | `false` | Enable cluster mode |
| `cluster.secret` | secret string | `""` | Authentication secret for internal cluster gRPC |
| `cluster.secret_file` | file path or empty | `""` | File containing the internal cluster request authentication secret |
| `cluster.critical_channel_capacity` | integer | `10000` | High-priority cluster event queue capacity |
| `cluster.publish_channel_capacity` | integer | `100000` | Normal cluster publish queue capacity |
| `cluster.discovery_mode` | `redis`, `static`, or `k8s_dns` | `redis` | Node discovery mode |
| `cluster.leader_election_mode` | `redis` or `k8s_lease` | `redis` | Leader election mode |
| `cluster.peers` | string array | `[]` | Static peer addresses |
| `cluster.catchup_window_secs` | seconds | `300` | Redis Stream catch-up replay window |
| `cluster.stream_max_length` | integer | `100000` | Approximate Redis Stream maximum length |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `password_complexity.min_length` | integer | `8` | Minimum password length |
| `password_complexity.require_uppercase` | boolean | `true` | Require uppercase letters |
| `password_complexity.require_lowercase` | boolean | `true` | Require lowercase letters |
| `password_complexity.require_digit` | boolean | `true` | Require digits |
| `password_complexity.require_special` | boolean | `false` | Require special characters |
| `password_complexity.max_repeated_chars` | integer | `3` | Maximum repeated consecutive characters; 0 disables this check |
| `password_complexity.zxcvbn_enabled` | boolean | `false` | Enable zxcvbn entropy scoring for account passwords |
| `password_complexity.zxcvbn_min_score` | integer 0-4 | `3` | Minimum zxcvbn score when enabled |
| `buffer_sizes.websocket_outbound` | integer | `256` | Per-connection WebSocket outbound queue size |
| `buffer_sizes.audit_buffer` | integer | `10000` | Audit event buffer capacity |
| `cache.l1_capacity` | integer | `5000` | L1 in-memory cache capacity |
| `cache.l1_ttl_seconds` | seconds | `300` | L1 in-memory cache TTL |
| `cache.l2_ttl_seconds` | seconds | `300` | Redis L2 cache TTL |
| `cache.username_cache_capacity` | integer | `10000` | Username cache capacity |
| `cache.username_cache_ttl_seconds` | seconds | `3600` | Username cache TTL |
| `cache.permission_cache_capacity` | integer | `20000` | Permission cache capacity |
| `cache.permission_cache_ttl_seconds` | seconds | `300` | Permission cache TTL |
| `proxy_slice_cache.enabled` | boolean | `true` | Enable proxy slice cache at startup |
| `proxy_slice_cache.slice_size_bytes` | integer | `2097152` | Individual Range slice size |
| `proxy_slice_cache.max_cache_size_bytes` | integer | `536870912` | Maximum total slice cache capacity |
| `proxy_slice_cache.segment_ttl_seconds` | seconds | `300` | Fresh slice TTL |
| `proxy_slice_cache.stale_max_age_seconds` | seconds | `60` | Time expired slices may be served as stale |
| `proxy_slice_cache.stale_while_revalidate` | boolean | `true` | Refresh expired hits in the background |
| `proxy_slice_cache.file_backend_enabled` | boolean | `false` | Enable file backend for proxy slice cache |
| `proxy_slice_cache.file_cache_dir` | path | `""` | Proxy slice cache file directory |
| `proxy_slice_cache.eviction_interval_seconds` | seconds | `60` | Background eviction check interval |
| `proxy_slice_cache.watermark_ratio` | float | `0.875` | Target usage ratio after eviction |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `messaging_rate_limits.chat_per_second` | integer | `10` | Maximum chat messages per window |
| `messaging_rate_limits.window_seconds` | seconds | `1` | Chat rate-limit window |
| Field | Type / values | Default | Meaning |
| --- | --- | --- | --- |
| `request_rate_limits.auth_max_requests` | integer | `5` | Maximum authentication requests per window |
| `request_rate_limits.auth_window_seconds` | seconds | `60` | Authentication request window |
| `request_rate_limits.write_max_requests` | integer | `120` | Maximum write requests per window |
| `request_rate_limits.write_window_seconds` | seconds | `60` | Write request window |
| `request_rate_limits.read_max_requests` | integer | `600` | Maximum read requests per window |
| `request_rate_limits.read_window_seconds` | seconds | `60` | Read request window |
| `request_rate_limits.media_max_requests` | integer | `120` | Maximum media requests per window |
| `request_rate_limits.media_window_seconds` | seconds | `60` | Media request window |
| `request_rate_limits.admin_max_requests` | integer | `180` | Maximum admin requests per window |
| `request_rate_limits.admin_window_seconds` | seconds | `60` | Admin request window |
| `request_rate_limits.streaming_max_requests` | integer | `1200` | Maximum streaming requests per window |
| `request_rate_limits.streaming_window_seconds` | seconds | `60` | Streaming request window |
| `request_rate_limits.websocket_max_requests` | integer | `60` | Maximum WebSocket connection attempts per window |
| `request_rate_limits.websocket_window_seconds` | seconds | `60` | WebSocket connection window |