Skip to main content
This page details environment variable changes required for the v5.4.0 to v5.5.0 upgrade. For the full migration context, see the Migration Overview.

Authentication variables (all affected services)

The following changes apply to 14 of 19 platform services as part of the authentication mechanism change from oauth2 to jwt-public-key.

Variables to remove

Remove these variables from your Helm values, environment configs, or deployment manifests:
# Opaque-token introspection (removed entirely)
SPRING_SECURITY_OAUTH2_RESOURCE_SERVER_OPAQUE_TOKEN_INTROSPECTION_URI:  # REMOVE
SPRING_SECURITY_OAUTH2_RESOURCE_SERVER_OPAQUE_TOKEN_CLIENT_ID:          # REMOVE
SPRING_SECURITY_OAUTH2_RESOURCE_SERVER_OPAQUE_TOKEN_CLIENT_SECRET:      # REMOVE

# Legacy OAuth2 client variables
SECURITY_OAUTH2_REALM:                                                   # REMOVE
SECURITY_OAUTH2_CLIENT_CLIENT_ID:                                        # REMOVE
SECURITY_OAUTH2_CLIENT_CLIENT_SECRET:                                    # REMOVE
SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENT_ID:                         # REMOVE
SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENT_SECRET:                     # REMOVE

Variables to update

SECURITY_TYPE: "oauth2"

# Service account client ID (example for admin service)
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENT_ID: "${security.oauth2.service-account.admin.client-id}"
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENT_SECRET: "${security.oauth2.service-account.admin.client-secret}"

# Token URI using main realm
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MAINAUTHPROVIDER_TOKEN_URI: "${security.oauth2.base-server-url}/realms/${security.oauth2.realm}/protocol/openid-connect/token"

New platform-wide variables

The following new environment variables are available across multiple services:
Environment VariableDescriptionDefault ValueComponent
KAFKA_MESSAGE_MAX_BYTESMaximum Kafka producer message size in bytes52428800 (50 MB)process-engine, admin, application-manager, integration-designer, events-gateway, email-gateway, notification-plugin, document-plugin
REDIS_TTLRedis cache time-to-live in milliseconds5000000admin, application-manager, cms-core, integration-designer, task-management-plugin, notification-plugin
KAFKA_OAUTH_CLIENT_IDOAuth client ID for Kafka SASL authenticationkafkaevents-gateway, email-gateway, notification-plugin, document-plugin
LOGGING_LEVEL_APPApplication-specific logging levelINFOMost services (12/19)
LOGGING_LEVEL_OAUTH2_EXCOAuth2 autoconfiguration exception logging levelOFFMost services (12/19)
LOGGG_LEVEL_MONGO_DRIVERMongoDB driver logging levelINFOadmin, application-manager, cms-core

Document plugin

Environment VariableDescriptionDefault Value
MULTIPART_MAX_ENTITY_SIZEMaximum size for multipart uploads at server level52428800 (50 MB)

Email gateway

New in 5.5.0 — The email gateway service supports IMAP polling for email triggers. The following variables control polling behavior and load balancing.
Environment VariableDescriptionDefault Value
EMAIL_GATEWAY_IMAP_CONNECTION_TIMEOUTIMAP server connection timeout in milliseconds10000
EMAIL_GATEWAY_IMAP_MAX_CONCURRENT_POLLSMaximum number of concurrent IMAP polling operations30
EMAIL_GATEWAY_IMAP_MAX_MESSAGES_PER_POLLMaximum messages to fetch per polling cycle50
EMAIL_GATEWAY_IMAP_POLLING_INTERVALInterval between IMAP polling cycles in seconds30
EMAIL_GATEWAY_IMAP_READ_TIMEOUTIMAP read timeout in milliseconds30000
EMAIL_GATEWAY_MASTER_ELECTION_CRONCron expression for master election checks*/5 * * * * *
EMAIL_GATEWAY_MASTER_ELECTION_TTLMaster election TTL in seconds15
EMAIL_GATEWAY_MAX_EMAILS_PER_INSTANCEMaximum email accounts per service instance for load balancing100
EMAIL_GATEWAY_REBALANCING_CRONCron expression for email account rebalancing*/30 * * * * *
EMAIL_GATEWAY_STALE_TIMEOUT_SECONDSTimeout in seconds before marking an instance as stale90

Additional resources

Last modified on February 27, 2026