# Gateway Environment Variables ## Core Gateway Configuration
CLI ParameterEnvironment VariableDefault ValuePurpose
-d, --debugKEEPER_GATEWAY_LOG_LEVELinfoSets logging level. Valid values: debug, info, warning, error, critical
--verboseKEEPER_GATEWAY_VERBOSEEnable verbose logging
--log-fileKEEPER_GATEWAY_LOG_FILEGenerated based on timestampSpecifies the log file path
--log-folderKEEPER_GATEWAY_LOG_FOLDER~/.keeper/logs or /var/log/keeper-gateway for serviceSpecifies the log folder location
--config-file, -cGATEWAY_CONFIG_PATH~/.keeper/gateway-config.jsonPath to the gateway configuration file
N/AGATEWAY_CONFIGNoneBase64 encoded configuration string
--aws-kms-secret-nameAWS_KMS_SECRET_NAMENoneAWS KMS secret name for configuration
N/AVERIFY_SSLTRUEWhether to verify SSL certificates
N/AKRELAY_SERVERAuto-detected from configOverride the TURN/STUN relay server
N/AINSECURE_DEBUGFalseShow passwords in logs
--show-cmdsKEEPER_GATEWAY_SHOW_CMDSFalseShow commands being executed
--max-workers, -wKEEPER_GATEWAY_MAX_WORKERS1 for process pool, 10 for thread poolNumber of worker processes/threads
--log-to-stdoutKEEPER_GATEWAY_LOG_TO_STDOUTFalseOutput logs to stdout instead of file
N/AGUACD_HOST127.0.0.1Host for guacd service
N/AGUACD_PORT4822Port for guacd service
N/AGUACD_PATHpyguacd (Windows) or /opt/keeper/sbin/guacd (Linux)Path to guacd executable
--tunnel-only-use-turnKEEPER_GATEWAY_TUNNEL_ONLY_USE_TURNFalseForce use of TURN relay only
N/ARECORDING_PATH/recording_pipesPath for session recordings (removed after session ends)
N/ATYPE_SCRIPT_RECORDING_PATH/recording_pipesPath for typescript recordings (removed after session ends)
N/AKEEPER_GATEWAY_CVE_SECURITY_CHECKSfalseEnable CVE security checks during initialization
N/AKEEPER_GATEWAY_USE_GUACRfalseUse Guacamole recording (guacr) instead of standard
## Connection Timeout Variables (Gateway)
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_SET_LOCAL_DESCRIPTION_TIMEOUT15sTime to set local description in WebRTC
KEEPER_GATEWAY_OPEN_CONNECTION_TIMEOUT60sTime to wait for connection establishment
KEEPER_GATEWAY_CREATE_ANSWER_TIMEOUT30sTime to create peer ICE answer
KEEPER_GATEWAY_READ_TIMEOUT15sTime to wait for data from data channel
KEEPER_GATEWAY_NON_PARED_READ_TIMEOUT5sTime to wait for data before paring
KEEPER_GATEWAY_CLOSE_CONNECTION_TIMEOUT5sTime to wait for connection closure
KEEPER_GATEWAY_TEST_CONNECTION_TIMEOUT5sTime to wait for test connection
KEEPER_GATEWAY_ABRUPT_DISCONNECTION_TIMEOUT3sTime to detect abrupt disconnection
KEEPER_GATEWAY_FORCE_CLOSE_TIMEOUT6sTime to force close connection
KEEPER_GATEWAY_RUST_CLEANUP_TIMEOUT5sTime for Rust cleanup operations
KEEPER_GATEWAY_ACCEPT_OFFER_TIMEOUTcalculatedTime to accept WebRTC offer (create_answer + set_local_description + 10)
KEEPER_GATEWAY_RECORDINGS_PATH_TIMEOUT20sTime to create recording path
KEEPER_GATEWAY_GUACD_RECEIVE_TIMEOUT15sTime to receive from Guacamole daemon
KEEPER_GATEWAY_DATA_CHANNEL_TIMEOUT5sTime for data channel send
KEEPER_GATEWAY_CONNECTION_ESTABLISHMENT_TIMEOUT15sTime to establish connection
KEEPER_GATEWAY_JIT_ACCOUNT_CREATION_TIMEOUT90sTime for JIT ephemeral user creation
KEEPER_GATEWAY_RECORDINGS_PATH_EPHEMERAL_TIMEOUT60sTime for ephemeral recording path setup
## Rust WebRTC Module (pam-rustwebrtc) Variables ### Backend I/O Configuration
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_BACKEND_FLUSH_TIMEOUT_MS50msMaximum time to wait for backend flush() to complete
KEEPER_GATEWAY_MAX_FLUSH_FAILURES5Number of consecutive flush failures before closing connection
KEEPER_GATEWAY_CHANNEL_SHUTDOWN_GRACE_MS100msGrace period before signaling channels to exit during tube close
### Channel Cleanup Timeouts
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_DATA_CHANNEL_CLOSE_TIMEOUT_SECS3sTimeout for data channel close operation
KEEPER_GATEWAY_PEER_CONNECTION_CLOSE_TIMEOUT_SECS5sTimeout for peer connection close operation
KEEPER_GATEWAY_DISCONNECT_TO_EOF_DELAY_MS100msDelay between disconnect message and EOF in Drop cleanup
### ICE / Connection Establishment
Environment VariableDefaultPurpose
KEEPER_GATEWAY_ICE_GATHER_TIMEOUT_SECS30sICE gathering timeout for initial connection
KEEPER_GATEWAY_ICE_RESTART_ANSWER_TIMEOUT_SECS10sTimeout waiting for ICE restart answer from remote peer
KEEPER_GATEWAY_ICE_DISCONNECTED_WAIT_SECS2sWait time after ICE disconnected before triggering restart
### Activity Monitoring
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_ACTIVITY_TIMEOUT_SECS120sInactivity duration before considering ICE restart
KEEPER_GATEWAY_STALE_TUBE_SWEEP_INTERVAL_SECS300sHow often stale tube sweeper runs
### Concurrency / Scale
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_MAX_CONCURRENT_CREATES100Maximum concurrent tube creations allowed
### Router / HTTP Timeouts
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_ROUTER_HTTP_TIMEOUT_SECS5sHTTP timeout for router API calls
KEEPER_GATEWAY_TUBE_CREATION_TIMEOUT_SECS15sTotal timeout for tube creation
KEEPER_GATEWAY_ROUTER_CIRCUIT_BREAKER_COOLDOWN_SECS60sCircuit breaker cooldown after router failures
KEEPER_GATEWAY_ROUTER_CIRCUIT_BREAKER_THRESHOLD3Number of consecutive router failures before opening circuit breaker
### WebRTC Logging
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_INCLUDE_WEBRTC_LOGSfalseInclude WebRTC library logs (very verbose). Set to "1" or "true" to enable
KPAM_ROUTER_HOSTDerived from KSM configRouter hostname override
## Health Check Variables
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_HEALTH_CHECK_ENABLEDfalseEnable health check server
KEEPER_GATEWAY_HEALTH_CHECK_HOST127.0.0.1Health check server bind address
KEEPER_GATEWAY_HEALTH_CHECK_PORT8099Health check server port
KEEPER_GATEWAY_HEALTH_CHECK_USE_SSLfalseEnable SSL for health check
KEEPER_GATEWAY_HEALTH_CHECK_SSL_CERTNonePath to SSL certificate
KEEPER_GATEWAY_SSL_KEYNonePath to SSL private key
KEEPER_GATEWAY_HEALTH_CHECK_AUTH_TOKENNoneAuthentication token for health check API
## Resource Management Variables
Environment VariableDefault ValuePurpose
Environment VariableDefaultPurpose
KEEPER_GATEWAY_RESOURCE_CHECK_ENABLEDtrueEnable resource checking to prevent starvation
KEEPER_GATEWAY_MIN_HEADROOM_PERCENT15Minimum memory headroom percentage to maintain
KEEPER_GATEWAY_CHECK_RBI_CAPACITYtrueCheck if RBI session can fit in available resources
KEEPER_GATEWAY_HTTP_RAM_MB800RAM requirement for RBI/HTTP connections (MB)
KEEPER_GATEWAY_RDP_RAM_MB75RAM requirement for RDP connections (MB)
KEEPER_GATEWAY_VNC_RAM_MB65RAM requirement for VNC connections (MB)
KEEPER_GATEWAY_SSH_RAM_MB70RAM requirement for SSH connections (MB)
KEEPER_GATEWAY_MYSQL_RAM_MB35RAM requirement for MySQL connections (MB)
KEEPER_GATEWAY_POSTGRESQL_RAM_MB35RAM requirement for PostgreSQL connections (MB)
KEEPER_GATEWAY_SQLSERVER_RAM_MB35RAM requirement for SQL Server connections (MB)
KEEPER_GATEWAY_KUBERNETES_RAM_MB70RAM requirement for Kubernetes connections (MB)
KEEPER_GATEWAY_TELNET_RAM_MB50RAM requirement for Telnet connections (MB)
KEEPER_GATEWAY_TUNNEL_RAM_MB35RAM requirement for tunnel/port forwarding (MB)
## RBI (Remote Browser Isolation) Variables
Environment VariableDefault ValuePurpose
KEEPER_RBI_PROFILE_STORAGE_PATH/opt/keeper/gateway/rbi-profilesDirectory for browser session persistence profiles
## AI / Threat Detection Variables
Environment VariableDefault ValuePurpose
KEEPER_GATEWAY_AI_LLM_PROVIDERopenai-genericAI LLM provider (aws-bedrock, anthropic, google-ai, vertex-ai, openai, azure-openai, openai-generic)
KEEPER_GATEWAY_AI_MODELNone (required)AI model name/identifier
KEEPER_GATEWAY_AI_API_KEYNone (required)API key for AI provider
KEEPER_GATEWAY_AI_BASE_URLNone (optional)Base URL for AI provider API
KEEPER_GATEWAY_AI_API_VERSIONNone (required for Azure)API version for Azure OpenAI
KEEPER_GATEWAY_AI_RISK_LEVEL_SOURCENoneSource for risk level classification
RISK_CLASSIFIER_MODEL_DIRNoneDirectory containing risk classifier model
KEEPER_GATEWAY_SENTRY_API_KEYNoneAPI key for Sentry threat detection
KEEPER_GATEWAY_SENTRY_BASE_URLNoneBase URL for Sentry service
KEEPER_GATEWAY_SENTRY_MODELNoneModel identifier for Sentry
### AWS Bedrock Variables
Environment VariableDefault ValuePurpose
AWS_REGIONNone (required)AWS region for Bedrock
AWS_PROFILENone (optional)AWS profile for credentials
AWS_ACCESS_KEY_IDNone (optional)AWS access key
AWS_SECRET_ACCESS_KEYNone (optional)AWS secret access key
AWS_SESSION_TOKENNone (optional)AWS session token
### Alternative API Keys (Provider-Specific)
Environment VariableProviderPurpose
OPENAI_API_KEYOpenAIAlternative to KEEPER_GATEWAY_AI_API_KEY
ANTHROPIC_API_KEYAnthropicAlternative to KEEPER_GATEWAY_AI_API_KEY
AZURE_OPENAI_API_KEYAzure OpenAIAlternative to KEEPER_GATEWAY_AI_API_KEY
GOOGLE_API_KEYGoogle AIAlternative to KEEPER_GATEWAY_AI_API_KEY
## KDNRM Module Variables ### Logging Configuration
Environment VariableDefault ValuePurpose
LOG_ENGINE"default"Specifies the logging engine to use
LOG_SHOW_STACKTRACEFALSEWhen TRUE, displays full Python stack traces in logs
LOG_SHOW_LINE_NOFALSEWhen TRUE, shows line numbers in log output
LOG_TO_FILENoneFile path where logs should be written
LOG_USAGE_SEC0Memory usage logging interval in seconds (0 = disabled)
### Local Secrets Manager Configuration
Environment VariableDefault ValuePurpose
USE_LOCAL_SMFALSEWhen TRUE, uses local SQLite database instead of KSM server
LOCAL_KSM_DEBUGFALSEEnables debug logging for local secrets manager
LOCAL_SM_DB_FILENonePath to specific SQLite database file for local secrets
LOCAL_SM_DIRHOME or USERPROFILEDirectory where local SQLite database will be stored
LOCAL_KSM_FALLBACK_SMFALSEWhen TRUE, falls back to real KSM server if local DB fails
KSM_CONFIGNonePath to KSM configuration file
### Discovery and DAG Configuration
Environment VariableDefault ValuePurpose
USE_LOCAL_DAGFALSEWhen TRUE, uses local DAG/discovery database instead of remote
LOCAL_DAG_DIRHOME or USERPROFILEDirectory for local DAG database storage
LOCAL_DAG_DEBUGFALSEEnables debug logging for local DAG
DAG_DEBUG_LEVEL0Debug verbosity level (0-5) for discovery DAG
DAG_RENDERNoneWhen TRUE, renders discovery graph visualizations
DUMP_DISCOVERY_JSONFALSEWhen TRUE, exports discovery results to JSON file
RULE_DEBUGFALSEEnables debug logging for rule engine evaluations
### Gateway Configuration
Environment VariableDefault ValuePurpose
GATEWAY_USERGateway.GATEWAY_USER constantUser for gateway connections (falls back to USER/USERNAME)
KEEPER_GATEWAY_SAAS_PLUGIN_DIRprovider.saas_plugins_dirDirectory for custom SaaS plugins
KEEPER_GATEWAY_SERVICE_LOG_FINER_LEVEL0Increase the amount of debug information shown when mapping users to services. Increasing the number shows more information. Current max is 3.
## Keeper DAG Module Variables ### Debug & Development
Environment VariableDefault ValuePurpose
GS_DEBUG_LEVEL0Increase debug level; higher numbers produce more debug output
GS_IS_DEVFalseDevelopment mode flag. When True, shows vertex names when adding edges
GS_CONN_DEBUGFalseEnable GraphSync connection-level debug logging
### Router & Server Connection
Environment VariableDefault ValuePurpose
ROUTER_HOSTConfigured hostname from configOverride the FQDN of the krouter
KROUTER_URLDerived from ROUTER_HOSTFull URL to the krouter; overrides ROUTER_HOST when set
USE_SSLTRUEDetermine if connection to krouter should use SSL/TLS
### Local Database Connection
Environment VariableDefault ValuePurpose
LOCAL_DAG_DB_FILE'local_dag.db'Database filename for local DAG connections
### Transaction & Logging
Environment VariableDefault ValuePurpose
GS_LOG_TRANSFalseEnable transaction logging for web service calls
GS_LOG_TRANS_DIR"." (current directory)Directory path where transaction log files will be created
## Discovery Common Module Variables
Environment VariableDefault ValuePurpose
PROCESS_GS_DEBUG_LEVELNoneControls debug logging level for process graph service
USE_KSMFALSEWhen TRUE, uses KSM connection instead of local connection
GRAPH_DIRHOME, then PROFILENAME, then "."Directory where graph visualization files are rendered
## Service-Specific Environment Variables ### Windows Service
VariablePurpose
ProgramDataUsed to determine various Windows service paths
SystemRootUsed for Windows system paths
COMPUTERNAMEUsed for Windows hostname
### Legacy Timeout Variables (Deprecated - Use KEEPER\_GATEWAY\_ Prefix Instead)
Environment VariableDefault ValuePurpose
SET_LOCAL_DESCRIPTION15s(Deprecated) Use KEEPER_GATEWAY_SET_LOCAL_DESCRIPTION_TIMEOUT
OPEN_CONNECTION_TIMEOUT_SEC30s(Deprecated) Use KEEPER_GATEWAY_OPEN_CONNECTION_TIMEOUT
CREATE_ANSWER_TIMEOUT_SEC30s(Deprecated) Use KEEPER_GATEWAY_CREATE_ANSWER_TIMEOUT
READ_TIMEOUT_SEC5s(Deprecated) Use KEEPER_GATEWAY_READ_TIMEOUT
NON_PARED_READ_TIMEOUT_SEC5s(Deprecated) Use KEEPER_GATEWAY_NON_PARED_READ_TIMEOUT
CLOSE_CONNECTION_TIMEOUT_SEC5s(Deprecated) Use KEEPER_GATEWAY_CLOSE_CONNECTION_TIMEOUT
TEST_CONNECTION_TIMEOUT_SEC5s(Deprecated) Use KEEPER_GATEWAY_TEST_CONNECTION_TIMEOUT
ACCEPT_OFFER_TIMEOUT_SECcalculated(Deprecated) Use KEEPER_GATEWAY_ACCEPT_OFFER_TIMEOUT
RECORDINGS_PATH_TIMEOUT_SEC20s(Deprecated) Use KEEPER_GATEWAY_RECORDINGS_PATH_TIMEOUT

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways/gateway-environment-variables.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.