Langflow Environment Variables and Configuration Options: Complete Deployment Guide

Langflow deployments are customized through 30+ LANGFLOW_* environment variables parsed by Pydantic BaseSettings in src/lfx/src/lfx/services/settings/base.py, controlling database connections, authentication, logging, security policies, and component discovery.

The langflow-ai/langflow repository exposes a comprehensive configuration system that allows operators to tailor every aspect of the platform without modifying source code. These settings are read at startup by the Pydantic-based settings service and injected into the dependency-injection container, ensuring a single source of truth across the FastAPI backend and CLI components. Whether you are running local development instances or production Kubernetes clusters, understanding these environment variables is essential for secure and performant deployments.

Core Runtime and Authentication Settings

Developer Mode and API Keys

The LANGFLOW_DEV variable enables developer mode, which activates extra debug information and call-site logging as implemented in src/lfx/src/lfx/settings.py.

Authentication is primarily controlled by LANGFLOW_API_KEY, defined in src/lfx/src/lfx/cli/common.py at line 110. This token secures the HTTP API endpoints. The LANGFLOW_API_KEY_SOURCE variable (located in src/lfx/src/lfx/services/settings/auth.py at line 67) determines whether the key is read from the database (db) or directly from the environment (env).

For local development convenience, LANGFLOW_AUTO_LOGIN automatically authenticates users as a superuser on first visit when set to true, as documented in docs/Support/troubleshooting.mdx. However, LANGFLOW_SKIP_AUTH_AUTO_LOGIN can override this behavior to enforce API-key authentication even when auto-login is enabled.

Database Configuration

Database connectivity is configured through LANGFLOW_DATABASE_URL, which accepts any SQLAlchemy connection string (PostgreSQL, SQLite, MySQL) and is processed in src/lfx/src/lfx/services/settings/base.py at line 484. For testing and CI pipelines, LANGFLOW_USE_NOOP_DATABASE (line 147 in the same file) enables an in-memory dummy database that requires no external dependencies.

Monitoring is supported via LANGFLOW_PROMETHEUS_PORT, which exposes metrics endpoints as configured in src/backend/base/langflow/main.py at line 497.

Logging and Observability

Langflow provides granular control over logging through eight dedicated environment variables defined in src/lfx/src/lfx/log/logger.py:

• LANGFLOW_LOG_LEVEL – Sets the global verbosity (debug, info, warning, error) at line 335 in src/backend/base/langflow/main.py
• LANGFLOW_LOG_RETRIEVER_BUFFER_SIZE – Controls the in-memory buffer size for the retriever logger at line 140
• LANGFLOW_LOG_FILE – Specifies the file path for persistent logs at line 236
• LANGFLOW_LOG_ENV – Defines environment-specific prefixes for log files at line 240
• LANGFLOW_LOG_FORMAT – Accepts custom Python formatter strings (e.g., %(asctime)s %(levelname)s) at line 244
• LANGFLOW_PRETTY_LOGS – When true, enables colorized and human-readable console output at line 285

Security and SSRF Protection

Security policies are enforced through variables defined in src/lfx/src/lfx/utils/ssrf_protection.py. The LANGFLOW_SSRF_PROTECTION_ENABLED toggle (line 16) activates Server-Side Request Forgery protection for the API Request component. When enabled, LANGFLOW_SSRF_ALLOWED_HOSTS (line 18) accepts a comma-separated whitelist of hostnames, IPs, or CIDR ranges that the platform is permitted to access.

Webhook security is controlled by LANGFLOW_WEBHOOK_AUTH_ENABLE, documented in docs/Flows/webhook.mdx at lines 93-95. When enabled, webhook endpoints require a valid x-api-key header.

Component Discovery and Feature Flags

Custom component loading is handled by LANGFLOW_COMPONENTS_PATH, which accepts one or more directories separated by colons (:). This variable is processed in src/lfx/src/lfx/services/settings/base.py at lines 561-563, automatically registering any Component subclass found in Python files within those paths.

Experimental features use the LANGFLOW_FEATURE_* prefix pattern, implemented in src/lfx/src/lfx/services/settings/feature_flags.py at line 8. For example, LANGFLOW_FEATURE_NEW_UI would activate a hypothetical new interface.

Additional operational variables include:

• LANGFLOW_OBJECT_STORAGE_BUCKET_NAME – Configures the S3/GCS bucket for the Write File component (src/lfx/src/lfx/components/files_and_knowledge/save_file.py line 608)
• LANGFLOW_AGENTIC_EXPERIENCE – Toggles the agentic execution engine (default true) at line 439 in src/lfx/src/lfx/services/settings/base.py
• LANGFLOW_CORS_ORIGINS – Defines allowed origins for cross-origin requests at line 143 in src/backend/base/langflow/main.py
• LANGFLOW_LANGCHAIN_CACHE – Selects the LangChain cache backend (in_memory, redis) at line 101 in src/lfx/src/lfx/interface/utils.py

How Langflow Loads Configuration

Langflow uses Pydantic's BaseSettings with model_config = SettingsConfigDict(env_prefix="LANGFLOW_") in src/lfx/src/lfx/services/settings/base.py. All environment variables beginning with LANGFLOW_ are automatically mapped to attributes of the Settings object. This object is instantiated during CLI startup and injected into the dependency-injection container via get_settings_service, ensuring consistent configuration access across the application.

The architecture follows this flow: operating system environment variables are read by Pydantic, validated against the Settings model, and then consumed by the database layer, logging subsystems, and FastAPI application core.

Practical Configuration Examples

Local Development with .env Files

Create a .env file in the project root for local development:

LANGFLOW_DEV=true
LANGFLOW_API_KEY=sk_test_abcdef123456
LANGFLOW_DATABASE_URL=postgresql://user:pass@localhost:5432/langflow
LANGFLOW_LOG_LEVEL=debug
LANGFLOW_SSRF_PROTECTION_ENABLED=true
LANGFLOW_SSRF_ALLOWED_HOSTS=127.0.0.1,10.0.0.0/8
LANGFLOW_COMPONENTS_PATH=./custom_components
LANGFLOW_AUTO_LOGIN=false
LANGFLOW_PRETTY_LOGS=true

The CLI automatically loads this file via python-dotenv when starting langflow serve, as implemented in src/lfx/src/lfx/cli/commands.py.

Docker and Kubernetes Deployment

Override variables at runtime in containerized environments:

docker run -e LANGFLOW_DATABASE_URL=sqlite:///data/langflow.db \
           -e LANGFLOW_LOG_LEVEL=info \
           -e LANGFLOW_API_KEY=$MY_LANGFLOW_API_KEY \
           -e LANGFLOW_CORS_ORIGINS=https://app.example.com \
           langflowai/langflow:latest

Runtime Python Access

Access configuration programmatically through the settings service:

import os
from lfx.services.settings import get_settings_service

settings = get_settings_service()
print("Database:", settings.LANGFLOW_DATABASE_URL)

# Fallback to os.getenv for optional overrides

log_level = os.getenv("LANGFLOW_LOG_LEVEL", "error")

Enabling SSRF Protection

Configure SSRF protection to restrict outbound requests from the API Request component:

LANGFLOW_SSRF_PROTECTION_ENABLED=true
LANGFLOW_SSRF_ALLOWED_HOSTS=api.example.com,10.0.0.0/8,192.168.1.0/24

The protection logic in src/lfx/src/lfx/utils/ssrf_protection.py will raise an error if components attempt to reach hosts outside this whitelist.

Summary

• Pydantic-based configuration in src/lfx/src/lfx/services/settings/base.py automatically parses all LANGFLOW_* environment variables at startup.
• Database connectivity is controlled via LANGFLOW_DATABASE_URL with support for PostgreSQL, SQLite, and MySQL, plus a noop mode for CI.
• Security features include LANGFLOW_API_KEY for authentication, LANGFLOW_SSRF_PROTECTION_ENABLED for request filtering, and LANGFLOW_WEBHOOK_AUTH_ENABLE for webhook verification.
• Component discovery uses LANGFLOW_COMPONENTS_PATH to auto-register custom Python components from external directories.
• Logging granularity spans from global log levels to custom formatting and colorized output through dedicated environment variables.

Frequently Asked Questions

How do I set a custom database URL for Langflow?

Set the LANGFLOW_DATABASE_URL environment variable to any valid SQLAlchemy connection string. For PostgreSQL, use postgresql://user:password@host:port/database. For local file-based storage, use sqlite:///path/to/database.db. This is processed in src/lfx/src/lfx/services/settings/base.py at line 484.

What is the difference between LANGFLOW_API_KEY and LANGFLOW_AUTO_LOGIN?

LANGFLOW_API_KEY defines the secret token required to authenticate API requests, configured in src/lfx/src/lfx/cli/common.py. LANGFLOW_AUTO_LOGIN is a convenience flag for development that automatically creates a superuser session on first browser visit without requiring credentials. When deploying to production, set LANGFLOW_AUTO_LOGIN=false and provide a strong LANGFLOW_API_KEY.

How do I enable SSRF protection in Langflow?

Set LANGFLOW_SSRF_PROTECTION_ENABLED=true and define LANGFLOW_SSRF_ALLOWED_HOSTS with a comma-separated list of approved hostnames, IP addresses, or CIDR ranges. This prevents malicious flows from making unauthorized outbound requests to internal networks. The validation logic resides in src/lfx/src/lfx/utils/ssrf_protection.py.

Can I load custom components from external directories?

Yes. Set LANGFLOW_COMPONENTS_PATH to one or more directory paths separated by colons (e.g., /opt/components:/home/user/flows). Langflow will scan these directories for Python files containing Component subclasses and auto-register them at startup. This is handled in src/lfx/src/lfx/services/settings/base.py at lines 561-563.

{
  "mcpServers": {
    "instagit": {
      "command": "npx",
      "args": ["-y", "instagit@latest"]
    }
  }
}