# Configuration
Version: 1.1.1
Last Updated: January 23, 2026
## Environment Variables (Backend)
- `CORE_DB_URL` / `CORE_DB_URL_PROXY`: PostgreSQL connection string (use the proxy URL for local verification; its TLS setup may require `rejectUnauthorized: false` in local scripts only, never in production code, since that disables certificate validation).
- `JWT_PRIVATE_KEY`, `JWT_PUBLIC_KEY`: signing and verification keys for access and refresh tokens (RS256).
- `LICENSE_PUBLIC_KEY`: public key embedded in clients for license token verification.
- `ACCESS_TOKEN_TTL_SECONDS`: default 900 (15 minutes).
- `REFRESH_TOKEN_TTL_DAYS`: default 30 to 90 days.
- `LICENSE_TOKEN_TTL_DAYS`: default 30 to 90 days (aligned with the plan period).
- `MAX_OFFLINE_DAYS`: default 30; enforced alongside the JWT `exp` claim, so a license is rejected when either the token has expired or the client has been offline longer than this.
- `RATE_LIMIT_AUTH_LOGIN`: requests per minute allowed for `/auth/login`.
- `RATE_LIMIT_DEVICE_START` / `RATE_LIMIT_DEVICE_POLL`: throttle abuse of the device flow.
- `RENPY_LICENSE_RENEWAL_LIMIT`: maximum renewals per day (default 1) to prevent renewal spam.
## File Locations
- Client credentials: `%USERPROFILE%/.branchpy/auth.json` (refresh and license tokens, `device_id`, `last_online`).
- Public key bundle: shipped with clients; update it with app/extension releases when rotating keys.
## Database Constraints
- Migration 024: `idx_website_users_email_lower`, a unique index on the lower-cased email (case-insensitive uniqueness). Required for the identity bridge; confirm the index exists (for example via the `pg_indexes` catalog view) before going to production.
## Defaults & Security
- Access tokens are never written to disk.
- Refresh tokens are stored hashed in `auth_sessions`; a database leak does not yield usable refresh tokens.
- The license token contains no PII (`user_id` only), so clients can verify it offline without leaking personal data.
- Use HTTPS for all remote endpoints. The local daemon listens on localhost only and does not require an auth header; note that binding to localhost does not isolate it from other local users or processes, or from requests a browser can be induced to send, so treat its API as reachable by any local process.
## Operational Notes
- The Ren’Py claim endpoint is idempotent; retrying a request is safe.
- When rotating keys, ship the new public key to clients (alongside the old one in the bundle) before switching signing to the new private key, otherwise clients that have not updated fail verification. Keep the old public key in the bundle until every token signed under it has expired.
- The device flow returns a polling `interval` from `/auth/device/start`; poll no faster than that value or requests are rejected by `RATE_LIMIT_DEVICE_POLL`.
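The following is an added example, not code from the project: it shows how a Python (Ren’Py-side) client would verify a license token offline against the embedded public key bundle, enforcing `exp` together with `MAX_OFFLINE_DAYS`, and how a rotated key is handled when both the old and new public keys are in the bundle. Everything beyond what this page states is assumed: the token is a compact JWS whose header carries a `kid` naming a bundle entry, the claims are `sub` (the user id), `plan`, `iat` and `exp`, and `auth.json` exposes `license_token` and `last_online` under those names. The RSA routines are a small stand-in so the block runs with the standard library alone; real deployments would use PyJWT/cryptography with 2048-bit or larger keys.

```python
import base64, hashlib, hmac, json, random, time

MAX_OFFLINE_DAYS = 30        # mirrors the MAX_OFFLINE_DAYS default from this page
CLOCK_LEEWAY_SECONDS = 60    # assumption: tolerate a little client clock skew

# --- toy RSA / RS256, a stand-in for PyJWT + cryptography (not for production) ---
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin after cheap trial division; candidates are odd and large."""
    if any(n % p == 0 for p in (3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits=1024):
    """Toy keygen returning ({n, e}, {n, d}); real keys come from a library."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15_sha256(message, k):
    """EMSA-PKCS1-v1_5 encoding with the SHA-256 DigestInfo prefix (RFC 8017)."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(private, message):
    k = (private["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15_sha256(message, k), "big")
    return pow(em, private["d"], private["n"]).to_bytes(k, "big")

def rs256_verify(public, message, signature):
    k = (public["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= public["n"]:
        return False
    em = pow(s, public["e"], public["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15_sha256(message, k))

# --- JWS helpers ---
def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_license_token(private, kid, user_id, plan, ttl_days, now=None):
    """Server side. The payload carries the user id, plan and times only: no PII."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}   # kid selects a bundle entry (assumption)
    payload = {"sub": user_id, "plan": plan, "iat": now, "exp": now + ttl_days * 86400}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload))
    return signing_input + "." + b64url_encode(rs256_sign(private, signing_input.encode("ascii")))

class LicenseError(Exception): pass

def verify_license(token, key_bundle, last_online, now=None, max_offline_days=MAX_OFFLINE_DAYS):
    """Client side: signature against the embedded bundle, then exp, then the offline window."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, signature = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError as exc:                      # bad structure, base64 or JSON
        raise LicenseError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":   # pin the algorithm
        raise LicenseError("unexpected alg")
    public = key_bundle.get(header.get("kid"))
    if public is None:                             # key rotated before this client got the new bundle
        raise LicenseError("unknown kid: update the client's public key bundle")
    if not rs256_verify(public, f"{h}.{p}".encode("ascii"), signature):
        raise LicenseError("bad signature")
    claims = json.loads(b64url_decode(p))
    if now > claims.get("exp", 0) + CLOCK_LEEWAY_SECONDS:
        raise LicenseError("license expired: renew online")
    if now - last_online > max_offline_days * 86400:   # MAX_OFFLINE_DAYS enforced alongside exp
        raise LicenseError("offline too long: reconnect to renew")
    return claims

if __name__ == "__main__":
    pub_old, _ = generate_rsa_keypair()
    pub_new, priv_new = generate_rsa_keypair()
    bundle = {"2025-01": pub_old, "2026-01": pub_new}     # both keys shipped before signing moved
    auth = {"device_id": "dev-1", "last_online": int(time.time()),   # constructed auth.json contents
            "license_token": issue_license_token(priv_new, "2026-01", "user_42", "pro", 30)}
    print(verify_license(auth["license_token"], bundle, auth["last_online"]))
```

The checks run in the order a client should apply them: the algorithm is pinned before any key lookup, the signature is verified before the payload is parsed, and `exp` and the offline window are enforced separately so that a long-lived token does not let a client stay offline past `MAX_OFFLINE_DAYS`. A token whose `kid` is not in the bundle is the symptom of a private key rotated before the matching public key reached clients.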