diff --git a/packages/documentation/src/partials/auth-variables.mdx b/packages/documentation/src/partials/auth-variables.mdx
index 8803b4a59a..399f5b38c5 100644
--- a/packages/documentation/src/partials/auth-variables.mdx
+++ b/packages/documentation/src/partials/auth-variables.mdx
@@ -4,14 +4,14 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `AUTH_DATABASE_URL` | `auth.postgresql.host`,
`auth.postgresql.port`,
`auth.postgresql.username`,
`auth.postgresql.database`,
`auth.postgresql.password` | `postgresql://postgres:password@localhost:5432/auth_development` | The URL of the Postgres database storing your Open Payments grant data. For Helm, these components are provided individually. |
-| `AUTH_SERVER_URL` | `auth.server.domain` | _undefined_ | The public endpoint for your Rafiki instance’s public Open Payments routes. |
-| `COOKIE_KEY` | `auth.cookieKey` | _undefined_ | The koa KeyGrip key that is used to sign cookies for an interaction session. |
-| `IDENTITY_SERVER_URL` | `auth.identityServer.domain` | _undefined_ | The URL of your IdP's server, used by the authorization server to inform an Open Payments client of where to redirect the end-user to start interactions. |
-| `IDENTITY_SERVER_SECRET` | `auth.identityServer.secret` | _undefined_ | A shared secret between the authorization server and the IdP server; the authorization server will use the secret to secure its IdP-related endpoints.
When the IdP server sends requests to the authorization server, the IdP server must provide the secret via an [`x-idp-secret`](/integration/requirements/open-payments/idp#x-idp-secret-header) header. |
-| `REDIS_URL` | `auth.redis.host`,
`auth.redis.port` | `redis://127.0.0.1:6379` | The connection URL for Redis. For Helm, these components are provided individually. |
+| Variable | Helm value name | Default | Description |
+| ------------------------ | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `AUTH_DATABASE_URL` | `config.auth.databaseUrl.value` or `config.auth.databaseUrl.secretKeyRef` | `postgresql://postgres:password@localhost:5432/auth_development` | The URL of the Postgres database storing your Open Payments grant data. Can be provided as a value or secret reference. |
+| `AUTH_SERVER_URL` | `config.auth.authServerUrl` | _undefined_ | The public endpoint for your Rafiki instance's public Open Payments routes. |
+| `COOKIE_KEY` | `config.auth.cookieKey.value` or `config.auth.cookieKey.secretKeyRef` | _undefined_ | The koa KeyGrip key that is used to sign cookies for an interaction session. |
+| `IDENTITY_SERVER_URL` | `config.auth.identityServer.domain` | _undefined_ | The URL of your IdP's server, used by the authorization server to inform an Open Payments client of where to redirect the end-user to start interactions. |
+| `IDENTITY_SERVER_SECRET` | `config.auth.identityServer.serverSecret.value` or `config.auth.identityServer.serverSecret.secretKeyRef` | _undefined_ | A shared secret between the authorization server and the IdP server; the authorization server will use the secret to secure its IdP-related endpoints.
When the IdP server sends requests to the authorization server, the IdP server must provide the secret via an [`x-idp-secret`](/integration/requirements/open-payments/idp#x-idp-secret-header) header. |
+| `REDIS_URL` | `config.auth.redisUrl.value` or `config.auth.redisUrl.secretKeyRef` | `redis://127.0.0.1:6379` | The connection URL for Redis. Can be provided as a value or secret reference. |
@@ -19,9 +19,9 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| ------------- | ----------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `TRUST_PROXY` | `auth.trustProxy` | `false` | Must be set to `true` when running Rafiki behind a proxy. When `true`, the `X-Forwarded-Proto` header is used to determine if connections are secure. |
+| Variable | Helm value name | Default | Description |
+| ------------- | ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `TRUST_PROXY` | `config.auth.trustProxy` | `false` | Must be set to `true` when running Rafiki behind a proxy. When `true`, the `X-Forwarded-Proto` header is used to determine if connections are secure. |
@@ -29,28 +29,30 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| --------------------------------- | ----------------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `ACCESS_TOKEN_DELETION_DAYS` | `auth.accessToken.deletionDays` | `30` | The days until expired and/or revoked access tokens are deleted. |
-| `ACCESS_TOKEN_EXPIRY_SECONDS` | `auth.accessToken.expirySeconds` | `600` (10 minutes) | The expiry time, in seconds, for access tokens. |
-| `ADMIN_API_SIGNATURE_VERSION` | `auth.adminApi.signatureVersion` | `1` | The version of the request signing algorithm used to generate signatures. |
-| `ADMIN_API_SIGNATURE_TTL_SECONDS` | `auth.adminAPI.signatureTtlSeconds` | `30` | The TTL, in seconds, for which a request’s signature will be valid. |
-| `ADMIN_PORT` | `auth.port.admin` | `3003` | The port of your Rafiki Auth Admin API server. |
-| `AUTH_PORT` | `auth.port.auth` | `3006` | The port of your Open Payments authorization server. |
-| `DATABASE_CLEANUP_WORKERS` | `auth.workers.cleanup` | `1` | The number of workers processing expired or revoked access tokens. |
-| `ENABLE_MANUAL_MIGRATIONS` | `auth.enableManualMigrations` | `false` | When `true`, you must run the auth Postgres database manually with the command `npm run knex – migrate:latest –envproduction` |
-| `INCOMING_PAYMENT_INTERACTION` | `auth.interaction.incomingPayment` | `false` | When `true`, incoming Open Payments grant requests are interactive |
-| `INTERACTION_EXPIRY_SECONDS` | `auth.interactionExpirySeconds` | `600` (10 minutes) | The time, in seconds, for which a user can interact with a grant request before the request expires. |
-| `INTERACTION_PORT` | `auth.port.interaction` | `3009` | The port number of your Open Payments interaction-related APIs. |
-| `INTROSPECTION_PORT` | `auth.port.introspection` | `3007` | The port of your Open Payments access token introspection server. |
-| `SERVICE_API_PORT` | `auth.port.serviceAPIPort` | `3011` | The port to expose the internal service api. |
-| `LIST_ALL_ACCESS_INTERACTION` | `auth.interaction.listAll` | `true` | When `true`, grant requests that include a `list-all` action will require interaction. In these requests, the client asks to list resources that it did not create. |
-| `LOG_LEVEL` | `auth.logLevel` | `info` | Pino log level |
-| `NODE_ENV` | `auth.nodeEnv` | `development` | The type of node environment: `development`, `test`, or `production`. |
-| `QUOTE_INTERACTION` | `auth.interaction.quote` | `false` | When `true`, quote grants are interactive. |
-| `REDIS_TLS_CA_FILE_PATH` | `auth.redis.tlsCaFile` | `''` | Redis TLS config |
-| `REDIS_TLS_CERT_FILE_PATH` | `auth.redis.tlsCertFile` | `''` | Redis TLS config |
-| `REDIS_TLS_KEY_FILE_PATH` | `auth.redis.tlsKeyFile` | `''` | Redis TLS config |
-| `WAIT_SECONDS` | `auth.grant.waitSeconds` | `5` | The wait time, in seconds, included in a grant request response (`grant.continue`). |
+| Variable | Helm value name | Default | Description |
+| --------------------------------- | ----------------------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `ACCESS_TOKEN_DELETION_DAYS` | `config.auth.accessToken.deletionDays` | `30` | The days until expired and/or revoked access tokens are deleted. |
+| `ACCESS_TOKEN_EXPIRY_SECONDS` | `config.auth.accessToken.expirySeconds` | `600` (10 minutes) | The expiry time, in seconds, for access tokens. |
+| `ADMIN_API_SIGNATURE_VERSION` | _undefined_ | `1` | The version of the request signing algorithm used to generate signatures. |
+| `ADMIN_API_SIGNATURE_TTL_SECONDS` | _undefined_ | `30` | The time to live (TTL), in seconds, for which a request's signature will be valid. |
+| `ADMIN_PORT` | `config.auth.port.admin` | `3003` | The port of your Rafiki Auth Admin API server. |
+| `AUTH_PORT` | `config.auth.port.auth` | `3006` | The port of your Open Payments authorization server. |
+| `DATABASE_CLEANUP_WORKERS` | `config.auth.workers.cleanup` | `1` | The number of workers processing expired or revoked access tokens. |
+| `ENABLE_MANUAL_MIGRATIONS` | _undefined_ | `false` | When `true`, you must run the auth Postgres database manually with the command `npm run knex – migrate:latest –envproduction` |
+| `INCOMING_PAYMENT_INTERACTION` | `config.auth.interaction.incomingPayment` | `false` | When `true`, incoming Open Payments grant requests are interactive |
+| `INTERACTION_EXPIRY_SECONDS` | _undefined_ | `600` (10 minutes) | The time, in seconds, for which a user can interact with a grant request before the request expires. |
+| `INTERACTION_PORT` | _undefined_ | `3009` | The port number of your Open Payments interaction-related APIs. |
+| `INTROSPECTION_PORT` | `config.auth.port.introspection` | `3007` | The port of your Open Payments access token introspection server. |
+| `SERVICE_API_PORT` | _undefined_ | `3011` | The port to expose the internal service api. |
+| `LIST_ALL_ACCESS_INTERACTION` | _undefined_ | `true` | When `true`, grant requests that include a `list-all` action will require interaction. In these requests, the client asks to list resources that it did not create. |
+| `LOG_LEVEL` | `config.auth.logLevel` | `info` | Pino log level |
+| `NODE_ENV` | `config.auth.nodeEnv` | `development` | The type of node environment: `development`, `test`, or `production`. |
+| `QUOTE_INTERACTION` | `config.auth.interaction.quote` | `false` | When `true`, quote grants are interactive. |
+| `REDIS_TLS_CA_FILE_PATH` | _undefined_ | `''` | Redis TLS config |
+| `REDIS_TLS_CERT_FILE_PATH` | _undefined_ | `''` | Redis TLS config |
+| `REDIS_TLS_KEY_FILE_PATH` | _undefined_ | `''` | Redis TLS config |
+| `WAIT_SECONDS` | `config.auth.grant.waitSeconds` | `5` | The wait time, in seconds, included in a grant request response (`grant.continue`). |
+| `ADMIN_API_SECRET` | _undefined_ | _undefined_ | The secret for the auth admin API authentication. |
+| `INTERACTION_COOKIE_SAME_SITE` | `config.auth.interaction.cookieSameSite` | _undefined_ | The SameSite attribute for interaction cookies. Valid values: `lax`, `none`. |
diff --git a/packages/documentation/src/partials/backend-variables.mdx b/packages/documentation/src/partials/backend-variables.mdx
index 29bdd4a86c..72540a1f8b 100644
--- a/packages/documentation/src/partials/backend-variables.mdx
+++ b/packages/documentation/src/partials/backend-variables.mdx
@@ -4,20 +4,19 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-| `AUTH_SERVER_GRANT_URL` | `backend.serviceUrls.AUTH_SERVER_GRANT_URL` | _undefined_ | The endpoint on your Open Payments authorization server to grant a request. |
-| `AUTH_SERVER_INTROSPECTION_URL` | `backend.serviceUrls.AUTH_SERVER_INTROSPECTION_URL` | _undefined_ | The endpoint on your Open Payments authorization server to introspect an access token. |
-| `DATABASE_URL` | `backend.postgresql.host`,
`backend.postgresql.port`,
`backend.postgresql.username`,
`backend.postgresql.database`,
`backend.postgresql.password` | `postgresql://postgres:password@localhost:5432/development` | The Postgres database URL of the database storing your resource data. For Helm, these components are provided individually. |
-| `EXCHANGE_RATES_URL` | `backend.serviceUrls.EXCHANGE_RATES_URL` | _undefined_ | The endpoint your Rafiki instance uses to request exchange rates. |
-| `ILP_ADDRESS` | `backend.ilp.address` | _undefined_ | The ILP address of your Rafiki instance. |
-| `ILP_CONNECTOR_URL` | `backend.ilp.connectorUrl` | _undefined_ | The ILP connector address where ILP packets are received. |
-| `KEY_ID` | `backend.key.id` | _undefined_ | Your Rafiki instance’s client key ID. |
-| `OPEN_PAYMENTS_URL` | `backend.serviceUrls.OPEN_PAYMENTS_URL` | _undefined_ | The public endpoint of your Open Payments resource server. |
-| `REDIS_URL` | `backend.redis.host`,
`backend.redis.port` | `redis://127.0.0.1:6379` | The Redis URL of the database handling ILP packet data. For Helm, these components are provided individually. |
-| `USE_TIGERBEETLE` | `backend.use.tigerbeetle` | `true` | When `true`, a TigerBeetle database is used for accounting. When `false`, a Postgres database is used. |
-| `WEBHOOK_URL` | `backend.serviceUrls.WEBHOOK_URL` | _undefined_ | Your endpoint that consumes webhook events. |
-| `AUTH_SERVICE_API_URL` | `backend.serviceUrls.AUTH_SERVICE_API_URL` | _undefined_ | The service-to-service api endpoint on your Open Payments authorization server. |
+| Variable | Helm value name | Default | Description |
+| ------------------------------- | ------------------------------------------------------------------------------- | ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
+| `AUTH_SERVER_GRANT_URL` | `config.backend.auth.grantUrl` | _undefined_ | The endpoint on your Open Payments authorization server to grant a request. |
+| `AUTH_SERVER_INTROSPECTION_URL` | `config.backend.auth.introspectionUrl` | _undefined_ | The endpoint on your Open Payments authorization server to introspect an access token. |
+| `DATABASE_URL` | `config.backend.databaseUrl.value` or `config.backend.databaseUrl.secretKeyRef` | `postgresql://postgres:password@localhost:5432/development` | The Postgres database URL of the database storing your resource data. Can be provided as a value or secret reference. |
+| `EXCHANGE_RATES_URL` | `config.backend.rates.url` | _undefined_ | The endpoint your Rafiki instance uses to request exchange rates. |
+| `ILP_ADDRESS` | `config.backend.ilp.address` | _undefined_ | The ILP address of your Rafiki instance. |
+| `ILP_CONNECTOR_URL` | `config.backend.ilp.connector` | _undefined_ | The ILP connector address where ILP packets are received. |
+| `KEY_ID` | `config.backend.key.id` | _undefined_ | Your Rafiki instance's client key ID. |
+| `OPEN_PAYMENTS_URL` | `config.backend.ilp.host` | _undefined_ | The public endpoint of your Open Payments resource server. |
+| `REDIS_URL` | `config.backend.redisUrl.value` or `config.backend.redisUrl.secretKeyRef` | `redis://127.0.0.1:6379` | The Redis URL of the database handling ILP packet data. Can be provided as a value or secret reference. |
+| `USE_TIGERBEETLE` | `config.backend.useTigerbeetle` | `false` | When `true`, a TigerBeetle database is used for accounting. When `false`, a Postgres database is used. |
+| `WEBHOOK_URL` | `config.backend.webhook.url` | _undefined_ | Your endpoint that consumes webhook events. |
@@ -25,10 +24,10 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| --------------- | ----------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `INSTANCE_NAME` | `backend.instance.name` | _undefined_ | Your Rafiki instance's name used to communicate for auto-peering and/or [telemetry](/overview/concepts/telemetry). Required when auto-peering and/or telemetry is enabled |
-| `TRUST_PROXY` | `backend.trustProxy` | `false` | Must be set to `true` when running Rafiki behind a proxy. When `true`, the `X-Forwarded-Proto` header is used to determine if connections are secure. |
+| Variable | Helm value name | Default | Description |
+| --------------- | ----------------------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `INSTANCE_NAME` | `config.backend.instanceName` | _undefined_ | Your Rafiki instance's name used to communicate for auto-peering and/or [telemetry](/overview/concepts/telemetry). Required when auto-peering and/or telemetry is enabled |
+| `TRUST_PROXY` | `config.backend.trustProxy` | `false` | Must be set to `true` when running Rafiki behind a proxy. When `true`, the `X-Forwarded-Proto` header is used to determine if connections are secure. |
@@ -36,62 +35,61 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| ----------------------------------------------------- | -------------------------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `ADMIN_PORT` | `backend.port.admin` | `3001` | The port of your Backend Auth API server. |
-| `ADMIN_API_SIGNATURE_TTL_SECONDS` | _undefined_ | `30` | The TTL, in seconds, for which a request’s signature will be valid. |
-| `API_SECRET` | _undefined_ | _undefined_ | N/A |
-| `API_SIGNATURE_VERSION` | _undefined_ | `1` | The version of the request signing algorithm used to generate signatures. |
-| `AUTO_PEERING_SERVER_PORT` | `backend.autoPeering.serverPort` | `3005` | If auto-peering is enabled, the server will use this port. |
-| `CONNECTOR_PORT` | `backend.port.connector` | `3002` | The port of the ILP connector for sending packets via ILP over HTTP. |
-| `ENABLE_AUTO_PEERING` | `backend.enable.autoPeering` | `false` | When `true`, auto-peering is enabled. |
-| `ENABLE_MANUAL_MIGRATIONS` | `backend.enableManualMigrations` | `false` | When `true`, you must run the database manually with the command `npm run knex – migrate:latest –env production` |
-| `ENABLE_SPSP_PAYMENT_POINTERS` | `backend.enable.spspPaymentPointers` | `true` | When `true`, the SPSP route is enabled. |
-| `ENABLE_TELEMETRY` | _undefined_ | `false` | Enables the telemetry service on Rafiki. |
-| `ENABLE_TELEMETRY_TRACES` | _undefined_ | `false` | N/A |
-| `EXCHANGE_RATES_LIFETIME` | `backend.lifetime.exchangeRate` | `15_000` | The time, in milliseconds, the exchange rates you provide via the `EXCHANGE_RATES_URL` are valid. |
-| `GRAPHQL_IDEMPOTENCY_KEY_LOCK_MS` | `backend.idempotency.keyLockMs` | `2000` | The TTL, in milliseconds, for `idempotencyKey` concurrency lock on GraphQL mutations on the Backend Admin API. |
-| `GRAPHQL_IDEMPOTENCY_KEY_TTL_MS` | `backend.idempotency.keyTTL` | `86400000` (24 hours) | The TTL, in milliseconds, for `idempotencyKey` on GraphQL mutations on the Backend Admin API. |
-| `INCOMING_PAYMENT_CREATED_POLL_FREQUENCY_MS` | _undefined_ | `1000` | N/A |
-| `INCOMING_PAYMENT_CREATED_POLL_TIMEOUT_MS` | _undefined_ | `10000` | N/A |
-| `INCOMING_PAYMENT_EXPIRY_MAX_MS` | `backend.incomingPayment.expiryMaxMs` | `2592000000` (30 days) | The maximum into the future, in milliseconds, incoming payments expiry can be set to on creation. |
-| `INCOMING_PAYMENT_WORKER_IDLE` | `backend.workerIdle` | `200` | The time, in milliseconds, that `INCOMING_PAYMENT_WORKERS` will wait until checking an empty incoming payment request queue again. |
-| `INCOMING_PAYMENT_WORKERS` | `backend.workers.incomingPayment` | `1` | The number of workers processing incoming payment requests. |
-| `LOG_LEVEL` | `backend.logLevel` | `info` | Pino log level |
-| `MAX_OUTGOING_PAYMENT_RETRY_ATTEMPTS` | _undefined_ | `5` | Specifies how many times an outgoing payment is retried before failing completely |
-| `NODE_ENVIRONMENT` | `backend.nodeEnv` | `development` | The type of node environment: `development`, `test`, or `production`. |
-| `OPEN_PAYMENTS_PORT` | `backend.port.openPayments` | `3003` | The port of your Open Payments resource server. |
-| `OPEN_TELEMETRY_COLLECTOR_URLS` | _undefined_ | \*undefined | N/A |
-| `OPEN_TELEMETRY_EXPORT_INTERVAL` | _undefined_ | `15000` | N/A |
-| `OPEN_TELEMETRY_TRACE_COLLECTOR_URLS` | _undefined_ | _undefined_ | N/A |
-| `OUTGOING_PAYMENT_WORKER_IDLE` | `backend.workerIdle` | `200` | The time, in milliseconds, that `OUTGOING_PAYMENT_WORKERS` wait until they check an empty outgoing payment request queue again. |
-| `OUTGOING_PAYMENT_WORKERS` | `backend.workers.outgoingPayment` | `4` | The number of workers processing outgoing payment requests. |
-| `POLL_INCOMING_PAYMENT_CREATED_WEBHOOK` | _undefined_ | `false` | N/A |
-| `PRIVATE_KEY_FILE` | `backend.key.file` | _undefined_ | The path to your Rafiki instance’s client private key. |
-| `QUOTE_LIFESPAN` | `backend.lifetime.quote` | `5 * 60_000` (5 minutes) | The time, in milliseconds, an Open Payments quote is valid for. |
-| `REDIS_TLS_CA_FILE_PATH` | `backend.redis.tlsCaFile` | `''` | Redis TLS config |
-| `REDIS_TLS_CERT_FILE_PATH` | `backend.redis.tlsCertFile` | `''` | Redis TLS config |
-| `REDIS_TLS_KEY_FILE_PATH` | `backend.redis.tlsKeyFile` | `''` | Redis TLS config |
-| `SIGNATURE_SECRET` | `backend.quoteSignatureSecret` | _undefined_ | The secret to generate request header signatures for webhook event requests. |
-| `SIGNATURE_VERSION` | `backend.signatureVersion` | `1` | The version number to generate request header signatures for webhook events. |
-| `SLIPPAGE` | `backend.ilp.slippage` | `0.01` (1%) | The accepted ILP rate fluctuation. |
-| `STREAM_SECRET` | `backend.ilp.streamSecret` | _undefined_ | The seed secret to generate shared STREAM secrets. |
-| `TELEMETRY_EXCHANGE_RATES_LIFETIME` | _undefined_ | `86_400_000` | N/A |
-| `TELEMETRY_EXCHANGE_RATES_URL` | _undefined_ | `https://telemetry-exchange-rates.s3.amazonaws.com/exchange-rates-usd.json` | The endpoint Rafiki will query for exchange rates. Used as a fallback if/when [exchange rates](/integration/requirements/exchange-rates) aren’t provided. |
-| `TIGERBEETLE_CLUSTER_ID` | _undefined_ | `0` | The TigerBeetle cluster ID picked by the system that starts the TigerBeetle cluster to create a TigerBeetle client. |
-| `TIGERBEETLE_REPLICA_ADDRESSES` | _undefined_ | `3004` | TigerBeetle replica addresses for all replicas in the cluster. The addresses are comma-separated IP addresses/ports, to create a TigerBeetle client. |
-| `TIGERBEETLE_REPLICA_ADDRESSES.SPLIT` | _undefined_ | `3004` | N/A |
-| `TIGERBEETLE_TWO_PHASE_TIMEOUT_SECONDS` | _undefined_ | `5` | N/A |
-| `WALLET_ADDRESS_DEACTIVATION_PAYMENT_GRACE_PERIOD_MS` | `backend.walletAddress.deactivationPaymentGratePeriodMs` | `86400000` (24 hours) | The time into the future, in milliseconds, to set expiration of Open Payments incoming payments when deactivating a wallet address. |
-| `WALLET_ADDRESS_LOOKUP_TIMEOUT_MS` | `backend.walletAddress.lookupTimeoutMs` | `1500` | The time, in milliseconds, you have to create a missing wallet address before timeout. |
-| `WALLET_ADDRESS_POLLING_FREQUENCY_MS` | `backend.walletAddress.pollingFrequencyMs` | `100` | The frequency of polling while waiting for you to create a missing wallet address. |
-| `WALLET_ADDRESS_URL` | `backend.serviceUrls.WALLET_ADDRESS_URL` | `http://127.0.0.1:3001/.well-known/pay` | Your Rafiki instance’s internal wallet address. |
-| `WALLET_ADDRESS_WORKER_IDLE` | `backend.workerIdle` | `200` | The time, in milliseconds, that `WALLET_ADDRESS_WORKERS` wait until checking the empty wallet address request queue again. |
-| `WALLET_ADDRESS_WORKERS` | `backend.workers.walletAddress | `1` | The number of workers processing wallet address requests. |
-| `WEBHOOK_MAX_RETRY` | `backend.webhookMaxRetry` | `10` | The maximum number of times your Rafiki instance’s backend retries sending a certain webhook event to your configured `WEBHOOK_URL`. |
-| `WEBHOOK_TIMEOUT` | `backend.lifetime.webhook` | `2000` (2 seconds) | The time, in milliseconds, that your Rafiki instance will wait for a `200` response from your webhook endpoint. If a `200` response is not received, Rafiki will time out and try to send the webhook event again. |
-| `WEBHOOK_WORKER_IDLE` | `backend.workerIdle` | `200` | The time, in milliseconds, that `WEBHOOK_WORKERS` will wait until they check the empty webhook event queue again. |
-| `WEBHOOK_WORKERS` | `backend.workers.webhook` | `1` | The number of workers processing webhook events. |
-| `WITHDRAWAL_THROTTLE_DELAY` | `backend.withdrawalThrottleDelay` | _undefined_ | The delay in liquidity withdrawal processing. |
+| Variable | Helm value name | Default | Description |
+| ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `ADMIN_PORT` | `config.backend.port.admin` | `3001` | The port of your Backend Auth API server. |
+| `ADMIN_API_SIGNATURE_TTL_SECONDS` | _undefined_ | `30` | The time to live (TTL), in seconds, for which a request's signature will be valid. |
+| `API_SECRET` | _undefined_ | _undefined_ | N/A |
+| `API_SIGNATURE_VERSION` | _undefined_ | `1` | The version of the request signing algorithm used to generate signatures. |
+| `AUTO_PEERING_SERVER_PORT` | `config.backend.port.autoPeering` | `3005` | If auto-peering is enabled, the server will use this port. |
+| `CONNECTOR_PORT` | `config.backend.port.connector` | `3002` | The port of the ILP connector for sending packets via ILP over HTTP. |
+| `ENABLE_AUTO_PEERING` | `config.backend.autoPeering.enabled` | `false` | When `true`, auto-peering is enabled. |
+| `ENABLE_MANUAL_MIGRATIONS` | _undefined_ | `false` | When `true`, you must run the database manually with the command `npm run knex – migrate:latest –env production` |
+| `ENABLE_SPSP_PAYMENT_POINTERS` | _undefined_ | `true` | When `true`, the SPSP route is enabled. |
+| `ENABLE_TELEMETRY` | `config.backend.telemetry.enabled` | `false` | Enables the telemetry service on Rafiki. |
+| `ENABLE_TELEMETRY_TRACES` | _undefined_ | `false` | N/A |
+| `EXCHANGE_RATES_LIFETIME` | _undefined_ | `15000` | The time, in milliseconds, the exchange rates you provide via the `EXCHANGE_RATES_URL` are valid. |
+| `GRAPHQL_IDEMPOTENCY_KEY_LOCK_MS` | _undefined_ | `2000` | The time to live (TTL), in milliseconds, for `idempotencyKey` concurrency lock on GraphQL mutations on the Backend Admin API. |
+| `GRAPHQL_IDEMPOTENCY_KEY_TTL_MS` | _undefined_ | `86400000` (24 hours) | The time to live (TTL), in milliseconds, for `idempotencyKey` on GraphQL mutations on the Backend Admin API. |
+| `INCOMING_PAYMENT_CREATED_POLL_FREQUENCY_MS` | _undefined_ | `1000` | N/A |
+| `INCOMING_PAYMENT_CREATED_POLL_TIMEOUT_MS` | _undefined_ | `10000` | N/A |
+| `INCOMING_PAYMENT_EXPIRY_MAX_MS` | _undefined_ | `2592000000` (30 days) | The maximum into the future, in milliseconds, incoming payments expiry can be set to on creation. |
+| `INCOMING_PAYMENT_WORKER_IDLE` | _undefined_ | `200` | The time, in milliseconds, that `INCOMING_PAYMENT_WORKERS` will wait until checking an empty incoming payment request queue again. |
+| `INCOMING_PAYMENT_WORKERS` | _undefined_ | `1` | The number of workers processing incoming payment requests. |
+| `LOG_LEVEL` | `config.backend.logLevel` | `info` | Pino log level |
+| `MAX_OUTGOING_PAYMENT_RETRY_ATTEMPTS` | _undefined_ | `5` | Specifies how many times an outgoing payment is retried before failing completely. |
+| `NODE_ENV` | `config.backend.nodeEnv` | `development` | The type of node environment: `development`, `test`, or `production`. |
+| `OPEN_PAYMENTS_PORT` | `config.backend.port.openPayments` | `3000` | The port of your Open Payments resource server. |
+| `OPEN_TELEMETRY_COLLECTOR_URLS` | _undefined_ | \*undefined | N/A |
+| `OPEN_TELEMETRY_EXPORT_INTERVAL` | _undefined_ | `15000` | N/A |
+| `OPEN_TELEMETRY_TRACE_COLLECTOR_URLS` | _undefined_ | _undefined_ | N/A |
+| `OUTGOING_PAYMENT_WORKER_IDLE` | _undefined_ | `10` | The time, in milliseconds, that `OUTGOING_PAYMENT_WORKERS` wait until they check an empty outgoing payment request queue again. |
+| `OUTGOING_PAYMENT_WORKERS` | _undefined_ | `1` | The number of workers processing outgoing payment requests. |
+| `POLL_INCOMING_PAYMENT_CREATED_WEBHOOK` | _undefined_ | `false` | N/A |
+| `QUOTE_LIFESPAN` | _undefined_ | `300000` (5 minutes) | The time, in milliseconds, an Open Payments quote is valid for. |
+| `REDIS_TLS_CA_FILE_PATH` | _undefined_ | `''` | Redis TLS config |
+| `REDIS_TLS_CERT_FILE_PATH` | _undefined_ | `''` | Redis TLS config |
+| `REDIS_TLS_KEY_FILE_PATH` | _undefined_ | `''` | Redis TLS config |
+| `SIGNATURE_SECRET` | `config.backend.webhookSignatureSecret.value` or `config.backend.webhookSignatureSecret.secretKeyRef` | _undefined_ | The secret to generate request header signatures for webhook event requests. |
+| `SIGNATURE_VERSION` | _undefined_ | `1` | The version number to generate request header signatures for webhook events. |
+| `SLIPPAGE` | `config.backend.slippage` | `0.01` (1%) | The accepted ILP rate fluctuation. |
+| `TELEMETRY_EXCHANGE_RATES_LIFETIME` | _undefined_ | `86400000` (24 hours) | Lifetime for telemetry exchange rates in milliseconds. |
+| `TELEMETRY_EXCHANGE_RATES_URL` | _undefined_ | `https://telemetry-exchange-rates.s3.amazonaws.com/exchange-rates-usd.json` | The endpoint Rafiki will query for exchange rates. Used as a fallback if/when [exchange rates](/integration/requirements/exchange-rates) aren’t provided. |
+| `TIGERBEETLE_CLUSTER_ID` | _undefined_ | `0` | The TigerBeetle cluster ID picked by the system that starts the TigerBeetle cluster to create a TigerBeetle client. |
+| `TIGERBEETLE_REPLICA_ADDRESSES` | _undefined_ | `3004` | TigerBeetle replica addresses for all replicas in the cluster. The addresses are comma-separated IP addresses/ports, to create a TigerBeetle client. |
+| `TIGERBEETLE_TWO_PHASE_TIMEOUT_SECONDS` | _undefined_ | `5` | Two-phase timeout for TigerBeetle in seconds. |
+| `WALLET_ADDRESS_DEACTIVATION_PAYMENT_GRACE_PERIOD_MS` | _undefined_ | `86400000` (24 hours) | The time into the future, in milliseconds, to set expiration of Open Payments incoming payments when deactivating a wallet address. |
+| `WALLET_ADDRESS_LOOKUP_TIMEOUT_MS` | _undefined_ | `1500` | The time, in milliseconds, you have to create a missing wallet address before timeout. |
+| `WALLET_ADDRESS_POLLING_FREQUENCY_MS` | _undefined_ | `100` | The frequency of polling while waiting for you to create a missing wallet address. |
+| `WALLET_ADDRESS_REDIRECT_HTML_PAGE` | `config.backend.walletAddressRedirectHtmlPage` | _undefined_ | Custom HTML page for wallet address redirects. |
+| `WALLET_ADDRESS_URL` | `config.backend.ilp.host` | `http://127.0.0.1:3001/.well-known/pay` | Your Rafiki instance's internal wallet address. |
+| `WALLET_ADDRESS_WORKER_IDLE` | _undefined_ | `200` | The time, in milliseconds, that `WALLET_ADDRESS_WORKERS` wait until checking the empty wallet address request queue again. |
+| `WALLET_ADDRESS_WORKERS` | _undefined_ | `1` | The number of workers processing wallet address requests. |
+| `WEBHOOK_MAX_RETRY` | _undefined_ | `10` | The maximum number of times your Rafiki instance's backend retries sending a certain webhook event to your configured `WEBHOOK_URL`. |
+| `WEBHOOK_TIMEOUT` | `config.backend.webhook.timeout` | `2000` (2 seconds) | The time, in milliseconds, that your Rafiki instance will wait for a `200` response from your webhook endpoint. If a `200` response isn't received, Rafiki will time out and try to send the webhook event again. |
+| `WEBHOOK_WORKER_IDLE` | _undefined_ | `200` | The time, in milliseconds, that `WEBHOOK_WORKERS` will wait until they check the empty webhook event queue again. |
+| `WEBHOOK_WORKERS` | _undefined_ | `1` | The number of workers processing webhook events. |
+| `WITHDRAWAL_THROTTLE_DELAY` | `config.backend.withdrawalThrottleDelay` | _undefined_ | The delay in liquidity withdrawal processing, in milliseconds. |
+| `LIVENET` | `config.backend.telemetry.livenet` | `false` | When `true`, enables livenet mode for production deployments. |
diff --git a/packages/documentation/src/partials/frontend-variables.mdx b/packages/documentation/src/partials/frontend-variables.mdx
index 6d39c11b15..18eceb05ed 100644
--- a/packages/documentation/src/partials/frontend-variables.mdx
+++ b/packages/documentation/src/partials/frontend-variables.mdx
@@ -4,11 +4,10 @@ import { LinkOut } from '@interledger/docs-design-system'
-| Variable | Helm value name | Default | Description |
-| ------------------- | ---------------------------------------- | ----------- | -------------------------------------------- |
-| `GRAPHQL_URL` | `frontend.serviceUrls.GRAPHQL_URL` | _undefined_ | URL for Rafiki’s GraphQL Auth Admin API |
-| `OPEN_PAYMENTS_URL` | `frontend.serviceUrls.OPEN_PAYMENTS_URL` | _undefined_ | Your Open Payments API endpoint |
-| `PORT` | `frontend.port` | _undefined_ | Port from which to host the Rafiki Remix app |
+| Variable | Helm value name | Default | Description |
+| ------------------- | ----------------------------------------------- | ----------- | ---------------------------------------- |
+| `GRAPHQL_URL` | `config.frontend.serviceUrls.GRAPHQL_URL` | _undefined_ | URL for Rafiki's GraphQL Auth Admin API. |
+| `OPEN_PAYMENTS_URL` | `config.frontend.serviceUrls.OPEN_PAYMENTS_URL` | _undefined_ | Your Open Payments API endpoint. |
@@ -18,11 +17,11 @@ The following variables are required only when `AUTH_ENABLED` is set to `true`.
-| Variable | Helm value name | Default | Description |
-| ----------------------------- | ------------------------------------ | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `KRATOS_ADMIN_URL` | `frontend.kratos.adminUrl` | _undefined_ | The admin endpoint/container address for Kratos |
-| `KRATOS_CONTAINER_PUBLIC_URL` | `frontend.kratos.containerPublicUrl` | _undefined_ | The URL for you to access the Kratos Docker container from within the Docker network. This is used for backend calls to Kratos. |
-| `KRATOS_BROWSER_PUBLIC_URL` | `frontend.kratos.browserPublicUrl` | _undefined_ | The URL for you to access the Kratos Docker container from a browser outside of the Docker network. This is used for calls from a browser (what you see in the Rafiki Admin UI) to the Kratos server on the backend. |
+| Variable | Helm value name | Default | Description |
+| ----------------------------- | --------------- | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `KRATOS_ADMIN_URL` | _undefined_ | _undefined_ | The admin endpoint/container address for Kratos. |
+| `KRATOS_BROWSER_PUBLIC_URL` | _undefined_ | _undefined_ | The URL to access the Kratos Docker container from a browser outside the Docker network. This is used for calls from a browser (what you see in the Rafiki Admin UI) to the Kratos server on the backend. |
+| `KRATOS_CONTAINER_PUBLIC_URL` | _undefined_ | _undefined_ | The URL to access the Kratos Docker container from in the Docker network. This is used for backend calls to Kratos. |
@@ -30,13 +29,14 @@ The following variables are required only when `AUTH_ENABLED` is set to `true`.
-| Variable | Helm value name | Default | Description |
-| -------------------------------- | -------------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `AUTH_ENABLED` | `frontend.authEnabled` | `true` | When `true`, only authenticated users can be granted access to Rafiki Admin by an administrator |
-| `SIGNATURE_SECRET` | `frontend.quoteSignatureSecret` | _undefined_ | The signature secret used to authenticate requests to the Backend Admin API. |
-| `SIGNATURE_VERSION` | `frontend.signatureVersion` | `1` | The signature version number used to authenticate requests to the Backend Admin API. |
-| `ENABLE_INSECURE_MESSAGE_COOKIE` | `frontend.enableInsecureMessageCookie` | `true` | When set to `true`, `t`, or `1`, cookie will be transmitted over insecure HTTP connection. Insecure message cookies are required for flash messages to work over HTTP. |
-| `NODE_ENV` | `frontend.nodeEnv` | `production` | The type of node environment: `development`, `test`, or `production`. |
-| `LOG_LEVEL` | `frontend.logLevel` | `info` | Pino log level |
+| Variable | Helm value name | Default | Description |
+| -------------------------------- | -------------------------------- | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `AUTH_ENABLED` | `config.frontend.kratos.enabled` | `true` | When `true`, only authenticated users can be granted access to Rafiki Admin by an administrator. |
+| `ENABLE_INSECURE_MESSAGE_COOKIE` | _undefined_ | _undefined_ | When set to `true`, `t`, or `1`, cookie will be transmitted over insecure HTTP connection. Insecure message cookies are required for flash messages to work over HTTP. |
+| `LOG_LEVEL` | `config.frontend.logLevel` | `info` | Pino log level. |
+| `NODE_ENV` | `config.frontend.nodeEnv` | _undefined_ | The type of node environment: `development`, `test`, or `production`. |
+| `PORT` | `config.frontend.port` | `3010` | Port from which to host the Rafiki Remix app. |
+| `SIGNATURE_SECRET` | _undefined_ | _undefined_ | The signature secret used to authenticate requests to the Backend Admin API. |
+| `SIGNATURE_VERSION` | _undefined_ | _undefined_ | The signature version number used to authenticate requests to the Backend Admin API. |