Skip to content
QSign QSign Docs

Configuration reference

All configuration is environment-driven; there are no hardcoded secrets. Settings live in three env files (backend, frontend, db) plus an optional esign.env for the signing service. This page lists the variables grouped by purpose and marks each Required or Optional. Optional integrations are disabled simply by leaving their variables unset.

Security: treat every value here as sensitive. Restrict the env files to chmod 600, keep them out of version control, and rotate SECRET_KEY / BACKEND_LOGIN_PASSWORD_KEY / DB credentials on a schedule.

Backend (config/backend.env)

Section titled “Backend (config/backend.env)”

Core (Required)

Section titled “Core (Required)”
VariablePurpose
SECRET_KEYDjango cryptographic secret (session/CSRF/JWT signing). Use 50+ random chars. The platform fails to start without it.
DEBUGFalse in production.
DJANGO_SETTINGS_MODULESettings module (e.g. quoqo_dr.settings.base).
ALLOWED_HOSTSComma-separated hostnames the backend will serve (e.g. sign.example.com).
SERVER_BASE_URLPublic base URL of the backend API (used in email links). e.g. https://sign.example.com/backend.
FRONTEND_URLPublic base URL of the web app, e.g. https://sign.example.com.
BACKEND_LOGIN_PASSWORD_KEYKey used to decode the login password transport encoding. Must exactly equal the frontend’s REACT_APP_LOGIN_PASSWORD_KEY, or logins fail.

Database — MySQL (Required)

Section titled “Database — MySQL (Required)”
VariablePurpose
DB_HOST / DB_PORTMySQL host/port (db / 3306 in the bundled stack).
DB_NAMEDatabase name.
qsign_DB_NAMEQSign schema name (typically the same DB).
DB_USER / DB_PASSWORDMySQL credentials (match config/db.env).

Cache / Search (Required)

Section titled “Cache / Search (Required)”
VariablePurpose
REDIS_SERVER_URLRedis URL, e.g. redis://redis:6379. Powers the cache, API throttle counter, and task broker.
SOLR_BASE_URLSolr base URL, e.g. http://solr:8983/solr/.
SOLR_CORESolr core name (e.g. qsign).

Document storage (Required — choose local or cloud)

Section titled “Document storage (Required — choose local or cloud)”
VariablePurpose
LOCAL_STORAGE_PATHFilesystem path inside the container for document storage (default local mode), e.g. /app/secure_storage/qsigncontainer.
STORAGE_SERVER_URLURL the backend serves authenticated downloads from, e.g. https://sign.example.com/backend/contract/storage.
AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_KEY_NAME, AZURE_CONTAINER_NAME(Optional) Use Azure Blob Storage instead of local disk. Leave unset for local.

Email (Recommended — required for invitations/reminders)

Section titled “Email (Recommended — required for invitations/reminders)”

QSign sends transactional email via an HTTP email API. Configure at least one:

VariablePurpose
RESEND_API_KEYResend API key.
ZEPTOMAIL_TOKENZeptomail API key (primary path when set).
DEFAULT_FROM_EMAILFrom-address (must be a domain verified with your provider).

The backend’s mail helper tries the primary provider and falls back to the secondary on failure. If you require SMTP instead of an HTTP API, request the SMTP build option from Quoqo. Without email, signing invitations and reminders cannot be delivered.

Notifications / cron

Section titled “Notifications / cron”
VariablePurpose
NOTIFICATION_HOUR, NOTIFICATION_MINUTETime-of-day for the daily reminder cron.
TIME_ZONETimezone for timestamps (default UTC). Set to your operating timezone.

Optional integrations (backend)

Section titled “Optional integrations (backend)”

Aadhaar eSign (India only)

Section titled “Aadhaar eSign (India only)”

Enable only if you offer Aadhaar-based signing. Requires a registered Protean/NSDL ASP.

VariablePurpose
response_url_esignCallback URL the gateway returns the signed response to.
AADHAR_SIGNATURE_PRICE_ID*Plan price identifiers (only relevant if billing is enabled).
AADHAR_WIDTH, AADHAR_HEIGHTRendered Aadhaar signature dimensions.

The Aadhaar gateway hosts are allow-listed in the platform. The ASP ID, gateway URLs, and the signing certificate are configured on the e-signature service (see below).

DSC signing

Section titled “DSC signing”

Enable for PKI/X.509 signing. Configure the certificate on the e-signature service. RFC-3161 timestamping is optional (set a TSA URL to enable trusted timestamps).

Billing — Stripe / Razorpay (Optional; usually OFF on-prem)

Section titled “Billing — Stripe / Razorpay (Optional; usually OFF on-prem)”

For a flat-licensed on-prem deployment you typically do not enable billing; plans and quotas are provisioned directly (setup_core_pro_plans / setup_api_plans / super-admin console). If you do integrate billing:

VariablePurpose
STRIPE_BEARER_ID (+ _US)Stripe secret API key(s).
STRIPE_PUBLISHABLE_KEYStripe publishable key (also needed on the frontend).
STRIPE_SIGNUP_WEBHOOK_SECRET, STRIPE_RENEWAL_WEBHOOK_SECRETWebhook signing secrets.
RAZORPAY_KEY_ID, RAZORPAY_KEY_SECRETRazorpay credentials (alternative gateway).

AI features (Optional)

Section titled “AI features (Optional)”
VariablePurpose
GROQ_API_KEY, GROQ_MODELLLM provider for document chat/summary (low-latency path).
AZURE_OPENAI_ENDPOINT, AZURE_OPENAI_KEY, AZURE_OPENAI_ENGINE_4o_largeAzure OpenAI alternative.
OPENROUTER_URL, OPENROUTER_URL_TOKENGeneric LLM router alternative.

SMS (Optional — Twilio)

Section titled “SMS (Optional — Twilio)”
VariablePurpose
ACCOUNT_SID, AUTH_TOKEN, MESSAGING_SERVICE_SIDTwilio credentials for SMS reminders.

Single sign-on (Optional)

Section titled “Single sign-on (Optional)”
VariablePurpose
GOOGLE_CLIENT_IDGoogle OAuth client (also set on the frontend).
MICROSOFT_CLIENT_ID, MICROSOFT_PROVIDER_AUTHENTICATION_SECRETMicrosoft/Entra SSO.
Section titled “Antivirus (Recommended)”

The bundled clamav service scans uploads before processing. Point the backend’s AV endpoint at it (request the exact variable name for your build from Quoqo; the stack ships ClamAV on clamav:3310). If unset, uploads are not AV-scanned.

Error monitoring (Optional)

Section titled “Error monitoring (Optional)”
VariablePurpose
SENTRY_DSNYour Sentry DSN. If unset, error reporting is silently disabled (no external calls).
SENTRY_ENVIRONMENT, SENTRY_RELEASE, SENTRY_TRACES_SAMPLE_RATE, SENTRY_SEND_PIITuning; keep SENTRY_SEND_PII=false unless required.

Signature/stamp rendering (Optional tuning)

Section titled “Signature/stamp rendering (Optional tuning)”

SIGNATURE_WIDTH/HEIGHT, STAMP_WIDTH/HEIGHT, SEAL_WIDTH/HEIGHT, PHOTO_WIDTH/HEIGHT control rendered element sizes. AUTOMAGIC_DOCUSIGN_STYLE, AUTOMAGIC_EXPLICIT_ANCHORS, AUTOMAGIC_NATURAL_ANCHORS toggle automatic signature-placement strategies. Sensible defaults apply if unset.

Limits (Optional)

Section titled “Limits (Optional)”

TOTAL_CONTRACTS_PER_COMPANY and TOTAL_CONTAINER_SPACE_MB cap documents and storage per company/tenant.

Variables you can ignore

Section titled “Variables you can ignore”

Some variables are legacy/cloud-host artifacts and are not needed for an on-prem Docker deployment, e.g. SCM_DO_BUILD_DURING_DEPLOYMENT, WEBSITES_*, WEBSITE_HTTPLOGGING_RETENTION_DAYS, and the LEGACY_* URLs/Solr cores (only used by the deprecated legacy modules). Leave them unset unless Quoqo advises otherwise.

Frontend (config/frontend.env)

Section titled “Frontend (config/frontend.env)”

Frontend REACT_APP_* values are read at build/serve time. If your delivered frontend image bakes these at build time, Quoqo will build it with your values; otherwise they are supplied at container start. Confirm the delivery model with Quoqo.

Required

Section titled “Required”
VariablePurpose
REACT_APP_BACKEND_BASE_URLBackend API base, e.g. https://sign.example.com/backend.
REACT_APP_FRONT_END_BASE_URLThe web app’s own base URL.
REACT_APP_LOGIN_PASSWORD_KEYMust equal the backend BACKEND_LOGIN_PASSWORD_KEY.

Optional (match the backend integrations you enabled)

Section titled “Optional (match the backend integrations you enabled)”
VariablePurpose
REACT_APP_GOOGLE_CLIENT_ID, REACT_APP_MICROSOFT_CLIENT_IDSSO buttons.
REACT_APP_STRIPE_PUBLISHABLE_KEY, REACT_APP_STRIPE_*Billing UI (only if billing enabled).
REACT_APP_AADHAR_*Aadhaar eSign signer flow (client id/secret, auth URL, signature URL, tenant/subscription). India only.
REACT_APP_response_url_esignE-sign callback URL used by the signer UI.
REACT_APP_VERSIONFree-form build label.

If an optional REACT_APP_* value is genuinely unused, set it to a harmless placeholder rather than leaving it undefined — some screens parse these at load time. Quoqo’s delivered build handles this for you; ask if unsure.

E-signature service (secrets/esign.env) — only if Aadhaar/DSC enabled

Section titled “E-signature service (secrets/esign.env) — only if Aadhaar/DSC enabled”
VariablePurpose
ASP_IDYour Aadhaar eSign ASP identifier.
ESIGN_PROD_URL, ESIGN_UAT_URLGateway endpoints (production / test).
ESIGN_RESPONSE_URLWhere the gateway posts the signed response.
P12_FILE, P12_ALIAS, P12_PASSWORDThe signing certificate (PKCS#12) path/alias/password, mounted read-only into the container.
TZService timezone.

Database (config/db.env)

Section titled “Database (config/db.env)”
VariablePurpose
MYSQL_DATABASEInitial database name (match DB_NAME).
MYSQL_USER / MYSQL_PASSWORDApp DB user (match DB_USER/DB_PASSWORD).
MYSQL_ROOT_PASSWORDMySQL root password (admin/backup use).

Minimal vs full configuration

Section titled “Minimal vs full configuration”
  • Minimal viable install (core e-signing only): the Required sections above + an email provider. Everything else unset.
  • Add Aadhaar: ASP credentials + cert on the esign service + the REACT_APP_AADHAR_* frontend values.
  • Add DSC: signing certificate on the esign service (+ optional TSA URL).
  • Add SSO / AI / SMS / billing / cloud storage / monitoring: set the corresponding optional groups on both backend and frontend as noted.