# Environment Variables > Note: This list was generated by an AI Agent from a limited code search of the repository and may be incomplete. > > For the full code search results, see: https://github.com/hashicorp/vault/search?q=VAULT_&type=code. | Environment Variable | Purpose (short) | |-------------------------------------------|-------------------------------------------------------------------------| | `VAULT_ADDR` | Client/server address (API target) | | `VAULT_AGENT_ADDR` | Agent address (deprecated usage/const) | | `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` | Allow Pending Removal builtins to be mounted | | `VAULT_CACERT_BYTES` | CA certificate bytes provided via env | | `VAULT_CACERT` | CA certificate file for TLS verification | | `VAULT_CAPATH` | CA path for TLS verification | | `VAULT_CLI_NO_COLOR` | Toggle colored CLI output | | `VAULT_CLIENT_CERT` | Client TLS certificate path | | `VAULT_CLIENT_KEY` | Client TLS key path | | `VAULT_CLIENT_TIMEOUT` | Client timeout configuration | | `VAULT_CLUSTER_ADDR` | Cluster address for inter-node comms | | `VAULT_CLUSTER_INTERFACE` | Interface name used to derive VAULT_CLUSTER_ADDR | | `VAULT_DETAILED` | Output detailed CLI information | | `VAULT_DEV_LISTEN_ADDRESS` | Dev-mode listen address (entrypoint default) | | `VAULT_DEV_ROOT_TOKEN_ID` | Dev-mode root token ID (used by entrypoint) | | `VAULT_DISABLE_FILE_PERMISSIONS_CHECK` | Disable strict file permission checks (OpenShift/UBI entrypoint) | | `VAULT_DISABLE_LOCAL_AUTH_MOUNT_ENTITIES` | Disable entities for local auth mounts via env | | `VAULT_DISABLE_REDIRECTS` | Disable HTTP redirects for client | | `VAULT_DISABLE_RSA_DRBG` | Disable RSA DRBG path in cryptoutil (feature flag) | | `VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING` | Enable audit logging for rate-limited rejections | | `VAULT_EXPERIMENTS` | Comma-separated experiments enabled on startup | | `VAULT_FORMAT` | CLI output format | | `VAULT_HEADERS` | Additional headers for API client | | `VAULT_HTTP_PROXY` | HTTP proxy configuration for client | | `VAULT_LDAP_PASSWORD` | LDAP password fallback for CLI LDAP credential provider | | `VAULT_LICENSE_CI` | CI license helper for tests | | `VAULT_LICENSE_PATH` | Path to enterprise license file | | `VAULT_LICENSE` | Provide enterprise license blob | | `VAULT_LOCAL_CONFIG` | Pass Vault JSON config via env (entrypoint writes to config dir) | | `VAULT_LOG_FORMAT` | Control logger format (standard/json) | | `VAULT_LOG_LEVEL` | Logging level for Vault | | `VAULT_MAX_RETRIES` | Max retries for client operations | | `VAULT_MESSAGE_TYPE` | Serialization format for forwarded requests (json/json_compress/proto3) | | `VAULT_MFA` | MFA selection for client | | `VAULT_MYSQL_PASSWORD` | MySQL password override for physical MySQL backend | | `VAULT_MYSQL_USERNAME` | MySQL username override for physical MySQL backend | | `VAULT_NAMESPACE` | Default namespace header for client requests | | `VAULT_PLUGIN_AUTOMTLS_ENABLED` | Enable plugin AutoMTLS (plugin helper) | | `VAULT_PLUGIN_METADATA_MODE` | Control plugin metadata bootstrapping mode | | `VAULT_PLUGIN_TMPDIR` | Folder for Unix sockets for containerized plugins | | `VAULT_POSTUNSEAL_FUNC_CONCURRENCY` | Concurrency for post-unseal functions (sets worker count) | | `VAULT_PROXY_ADDR` | Proxy address configuration | | `VAULT_RAFT_DISABLE_MAP_POPULATE` | Disable MAP_POPULATE behaviour on Linux | | `VAULT_RAFT_FREELIST_SYNC` | BoltDB freelist sync toggle | | `VAULT_RAFT_FREELIST_TYPE` | BoltDB freelist type (array/map) | | `VAULT_RAFT_INITIAL_MMAP_SIZE` | Initial mmap size for Bolt DB | | `VAULT_RAFT_MAX_BATCH_ENTRIES` | Override Raft max batch entries | | `VAULT_RAFT_MAX_BATCH_SIZE_BYTES` | Override Raft max batch size bytes | | `VAULT_RAFT_NODE_ID` | Raft node ID from environment | | `VAULT_RAFT_PATH` | Raft data path from environment | | `VAULT_RAFT_RETRY_JOIN_AS_NON_VOTER` | Join Raft as non-voter via env | | `VAULT_RATE_LIMIT` | Configure client-side or server rate limiting | | `VAULT_REDIRECT_ADDR` | API redirect address (can be set directly) | | `VAULT_REDIRECT_INTERFACE` | Interface name used to derive VAULT_REDIRECT_ADDR | | `VAULT_SKIP_LOGGING_LEASE_EXPIRATIONS` | Toggle logging of lease expirations | | `VAULT_SKIP_VERIFY` | Skip TLS verification (insecure) | | `VAULT_SRV_LOOKUP` | Enable SRV DNS lookup behavior | | `VAULT_TLS_SERVER_NAME` | TLS server name for verification | | `VAULT_TOKEN` | Default Vault token for client auth | | `VAULT_UNWRAP_TOKEN` | Pass unwrap tokens to plugin (plugin helper) | | `VAULT_WRAP_TTL` | Default wrap TTL for client operations |