Skip to content
Reactor logo Reactor logo Reactor

Search is only available in production builds. Try building and previewing the site to test it out locally.

Configuration

Reactor uses a single Reactor.toml at your project root. The unified reactor-server binary loads it at boot and fans configuration out to each enabled capability. Omit a [section] entirely to disable that capability.

Loading priority

Section titled “Loading priority”

Configuration merges in this order (highest wins):

  1. Environment variablesREACTOR_* with __ for nesting
  2. Reactor.toml — project file (or --config <path>)
  3. CLI flags--bind, --admin-token
Terminal window
# Examples
REACTOR_SERVER__BIND="0.0.0.0:9000"
REACTOR_AUTH__DATA_KEY="base64-key"
REACTOR_DATABASE__URL="postgres://..."
REACTOR_AUTH__JWT_ISSUER="my-issuer"

Complete example

Section titled “Complete example”
# Reactor.toml — full reference example


[project]
name = "my-app"
id = "019213f5-0000-7000-8000-000000000001"
ref = "myprojectref12345678"   # optional; derived from id if omitted
env = "production"             # production | preview | dev


[server]
bind = "0.0.0.0:8000"
request_timeout_secs = 30


[database]
url = "postgres://reactor:reactor@localhost:5432/reactor"
pool_max = 20
acquire_timeout_secs = 5


[tracing]
filter = "info,reactor_auth=debug,reactor_data=debug"
fmt = "json"                   # json | pretty


[admin]
token = "your-secure-admin-token"
allow_remote = false           # restrict /_admin/* to 127.0.0.1 when false


[vault]
backend = "embedded"           # embedded | openbao
path = ".reactor/vault"
master_key = "env:REACTOR_VAULT_MASTER_KEY"

[project]

Section titled “[project]”

Project identity. Immutable after creation.

KeyTypeDefaultDescription
namestring"reactor"Human-readable project name
idstringnil UUIDImmutable project UUID
refstringderived20-char URL-safe subdomain identifier
envstring"production"Deployment environment

Subdomain format on Reactor.cloud: {ref}.reactor.cloud

[server]

Section titled “[server]”

HTTP server settings for the unified binary.

KeyTypeDefaultDescription
bindsocket0.0.0.0:8000Listen address
request_timeout_secsu6430Global request timeout

[database]

Section titled “[database]”

Shared PostgreSQL pool used by all capabilities.

KeyTypeDefaultDescription
urlstringrequiredPostgreSQL connection URL
pool_maxu3220Maximum pool connections
acquire_timeout_secsu645Connection acquire timeout

[tracing]

Section titled “[tracing]”

Unified tracing for all capabilities.

KeyTypeDefaultDescription
filterstring"info"tracing filter directive
fmtstring"json"Log format: json or pretty

[admin]

Section titled “[admin]”

Admin and deploy surface (/_admin/*).

KeyTypeDefaultDescription
tokenstringrequiredBearer token for admin endpoints
allow_remoteboolfalseAllow admin access from non-loopback
[admin]
token = "dev-token"
allow_remote = false

[vault]

Section titled “[vault]”

Secrets management. Optional — defaults to embedded file vault.

KeyTypeDefaultDescription
backendstring"embedded"embedded or openbao
pathpath.reactor/vaultEmbedded vault storage path
master_keystringenv32-byte hex key or env:VAR_NAME
addressstringOpenBao server URL
namespacestringOpenBao namespace
kv_mountstring"secret"KV mount path
transit_mountstring"transit"Transit mount path
auth_methodstring"token"token or approle
tokenstringOpenBao token
role_idstringAppRole role ID
secret_id_filepathAppRole secret ID file
cache_ttl_secsu64300Secret cache TTL

Use vault: prefix in config values to reference vault secrets:

[functions]
data_key = "vault:functions/data_key"

[auth]

Section titled “[auth]”

Identity capability. Required — there is no anonymous mode.

KeyTypeDefaultDescription
data_keystringrequiredBase64 AES-256-GCM key (32 bytes)
jwt_issuerstring"reactor-auth"JWT iss claim
jwt_audiencestring"reactor"JWT aud claim
access_ttl_secsu643600Access token lifetime
refresh_ttl_secsu642592000Refresh token lifetime (30 days)
public_urlstringrequiredPublic URL for email links

[auth.smtp]

Section titled “[auth.smtp]”

Optional email delivery for verification and magic links.

KeyTypeDefaultDescription
hoststringrequiredSMTP hostname
portu16587SMTP port
userstringSMTP username
passwordstringSMTP password
fromstringrequiredFrom address
tlsstring"starttls"starttls, tls, or none

[data]

Section titled “[data]”

PostgREST-style data API with RLS.

KeyTypeDefaultDescription
migrations_dirpathUser schema migrations directory
run_migrationsbooltrueAuto-run migrations on boot
user_schemastring"public"PostgreSQL schema for user tables
max_embed_depthu85Max ?select embed depth
max_limitu321000Maximum page size
default_limitu32100Default page size

[storage]

Section titled “[storage]”

Object storage with signed URLs.

KeyTypeDefaultDescription
backendstring"fs"fs or s3
fs_base_pathstringLocal path (required for fs)
s3_bucketstringS3 bucket (required for s3)
s3_regionstringAWS region
s3_endpointstringCustom endpoint (MinIO, R2)
signing_secretstringrequiredHMAC secret for signed URLs
signed_url_expiry_secsu643600Signed URL TTL
max_upload_sizeu64104857600Max upload size (100 MB)
[storage]
backend = "fs"
fs_base_path = "./.reactor/blobs"
signing_secret = "your-hmac-secret"

[functions]

Section titled “[functions]”

Serverless functions (WASM, Bun, Lambda).

KeyTypeDefaultDescription
workdirstring.reactor/functionsBundle and runtime directory
data_keystringrequiredEncryption key for function env secrets
runtimesarray["wasm"]Enabled runtimes
invoke_default_timeout_msu6430000Default invoke timeout
invoke_max_timeout_msu64300000Maximum invoke timeout
bundle_max_bytesu6452428800Max bundle size (50 MiB)
bun_binstring"bun"Path to Bun binary
bun_idle_ttl_secsu64300Bun warm instance idle TTL
bun_max_instances_per_fnu328Max warm Bun instances per function
lambda_regionstringAWS Lambda region
lambda_role_arnstringLambda execution role
lambda_bundle_s3_bucketstringS3 bucket for Lambda bundles

[jobs]

Section titled “[jobs]”

Scheduled and event-driven background jobs.

KeyTypeDefaultDescription
worker_countusize4Concurrent worker tasks
scheduler_interval_msu641000Scheduler poll interval
default_timeout_msu64600000Default job timeout (10 min)
max_timeout_msu643600000Maximum job timeout (1 hour)
webhook_secretstringrequiredWebhook token encryption secret
max_org_concurrent_runsu3250Max concurrent runs per org
max_payload_bytesu641048576Max job payload (1 MiB)

[sites]

Section titled “[sites]”

Static sites and SSR hosting.

KeyTypeDefaultDescription
workdirstring.reactor/sitesSite bundle directory
bundle_max_bytesu64524288000Max bundle size (500 MiB)
isr_enabledbooltrueEnable ISR
isr_default_revalidate_secsu6460Default ISR revalidation period
preview_subdomainstring"preview"Preview deployment prefix
revalidation_secretstringISR invalidation secret
default_org_slugstring"reactor"Default org for deployments

[ai]

Section titled “[ai]”

LLM gateway capability.

KeyTypeDescription
openrouter_api_keystringOpenRouter API key
aws_access_key_idstringBedrock access key
aws_secret_access_keystringBedrock secret key
aws_session_tokenstringSTS session token (optional)
aws_bedrock_regionstringBedrock region
azure_foundry_endpointstringAzure AI Foundry endpoint
azure_foundry_api_keystringAzure Foundry API key
registry_overlaypathLocal model registry overlay
registry_urlstringRemote registry overlay URL
default_aliasstringDefault model alias

[connect]

Section titled “[connect]”

Third-party data connectors (Airbyte-style sync).

KeyTypeDefaultDescription
data_keystringrequiredCredential encryption key
jobs_urlstringhttp://localhost:8000/jobs/v1Jobs API URL
data_urlstringhttp://localhost:8000/data/v1Data API URL
storage_urlstringhttp://localhost:8000/storage/v1Storage API URL
refresh_interval_secsu64300Token refresh interval
sandbox_ttl_secsu6486400Sandbox schema TTL
max_concurrent_syncsu3210Max concurrent syncs per org

[analytics]

Section titled “[analytics]”

Product analytics ingestion and querying.

KeyTypeDescription
internal_secretstringService-to-service auth
geo_db_pathpathMaxMind GeoLite2 database
honor_dntboolRespect Do Not Track headers
max_properties_bytesusizeMax event property size
quota_per_org_monthlyu64Monthly event quota
retention_daysu32Event retention period
batch_interval_msu64Batch flush interval
sample_ratef64Global sampling rate (0.0–1.0)

[cloud]

Section titled “[cloud]”

Multi-tenant control plane routing (C6@fly shared cluster).

KeyTypeDefaultDescription
base_domainstring"reactor.local"Tenant subdomain base
backend_targetstring"localhost:8000"Upstream target
tls_modestring"none"TLS mode for routes
providerstringsingle_node or shared_cluster
multi_tenantboolfalseEnable host-based tenant routing
tenant_cache_ttl_secsu64300Tenant resolution cache TTL

[cloud.shared_pool]

Section titled “[cloud.shared_pool]”
KeyTypeDefaultDescription
max_active_tenantsusize5000Tenant adapter cache size
idle_timeout_secsu64600Idle tenant eviction timeout
cold_load_concurrencyusize16Parallel cold tenant loads
per_tenant_pool_sizeu325DB connections per tenant
shared_postgres_urlstringShared cluster Postgres URL

[cloud.realtime] / [cloud.pubsub]

Section titled “[cloud.realtime] / [cloud.pubsub]”
KeyTypeDefaultDescription
backendstring"in_process"in_process or nats
nats.serversarrayNATS server URLs
nats.credentials_filepathNATS credentials

[cloud.quotas.free]

Section titled “[cloud.quotas.free]”
KeyTypeDefault
requests_per_minuteu321000
concurrent_functionsu3210
db_connectionsu325
storage_gbu321
bandwidth_gb_per_monthu325

Validation

Section titled “Validation”

reactor-server validates at boot and exits with structured errors:

Exit codeCause
1Migration failure
2Missing required config
3Port bind failure
4Auth signing key derivation failure

Run a dry check:

Terminal window
reactor-server doctor
# or
curl -H "Authorization: Bearer $TOKEN" http://localhost:8000/_admin/doctor
Section titled “Related”